Search...

Anymacro 邮件系统N处SQL注入漏洞

2014-05-17T00:00:00

ID SSV:95508
Type seebug
Reporter Root
Modified 2014-05-17T00:00:00

Description

简要描述：

详细说明：

与： WooYun: Anymacro 邮件系统SQL注入漏洞和任意文件（邮件）删除（无需登录）重复乌云已经把它列入到通用型奖励厂商当中了。 0x01 背景 AnyMacro（安宁）成立于1999年，是国内领先的统一消息/移动门户/PushMail产品与应用解决方案提供商。主要客户涵盖国家部委、大型企业以及部分海外客户，客户分布于政府、军工、金融、电信、能源、教育等行业。 AnyMacro在技术创新和关键应用中一直处于行业领先地位，在全球首家提出并实现LAMP架构邮件/消息系统已成为事实的行业标准。AnyMacro 具有统一消息/移动门户/PushMail领域的全线技术与自主知识产权，还是多家国际Linux厂商的OEM邮件/消息产品提供商。 0x02 漏洞分析：由于该邮件系统部分代码已经加密，并且暂无方法解密，通过黑盒加白盒测试，发现所有页面只要添加了权限验证模块，都会出现SQL注入漏洞（危害非常非常严重），SQL注入漏洞可获取邮件信息，以及邮件用户名和密码。此SQL注入漏洞产生于COOKIE当中，其中只要ANY_EMAIL=xxxx’ 即可报错注入。。。

[<img src="https://images.seebug.org/upload/201405/171732324be42805372ee843299687be7a6013a4.jpg" alt="HNHZ2M8BI~YVU_51@$PRA1.jpg" width="600" onerror="javascript:errimg(this);">

初步怀疑该问题存在于加密代码当中。。。。下面分析在其中一处代码当中的SQL注入在tosms.php中

<?php require_once 'config/config.php'; require_once 'include/template.php'; require_once 'include/func.php'; require_once 'include/right.php'; require_once 'include/dbfunc.php'; require_once 'include/sms_func.php'; require_once 'include/func_login.php'; include_once "include/$AUTH_MODULE"; session_start(); $F_sid = trim($_REQUEST['F_sid']); if(isset($_REQUEST['F_sms_send'])) { //当f_sms_send条件存在时，触发 $email = $_COOKIE['ANY_EMAIL']; //无过滤从cookie中获取 $telstr = trim($_REQUEST['F_tel']); $tmp = explode(":",$telstr); $send_tel = $tmp[0]; $send_pass = ''; $sql = "SELECT id,maildir FROM user WHERE id='".$email."'";//直接传入sql语句当中执行，造成sql注入漏洞 $res = db_query($sql); $row = db_fetch($res); if(!empty($row['id'])) { $smsfile = $row['maildir'].'/sms.config'; if(file_exists($smsfile)) { $fstr = @file($smsfile); $farr = explode(",",trim($fstr[0])); $tel_arr[$farr[0]] = $farr[2]; $send_pass = $tel_arr[$send_tel]; } } $recv_tel = trim($_REQUEST['F_phone']); $sms_msg = trim($_REQUEST['F_msg']);

抓包丢sqlmap注入，即可注入出所有邮件用户名和密码。。。

[<img src="https://images.seebug.org/upload/201405/17173606cdf9b8bbae69e111eb5b5f54ca2d39ad.jpg" alt="XKSJ7}0WV`2Z9OXKU8SM98.jpg" width="600" onerror="javascript:errimg(this);">

[<img src="https://images.seebug.org/upload/201405/17173712c34e579b9b61945aded86bf37f3bfa2f.jpg" alt="88~M13DGGSMUV3CNO$6)IW.jpg" width="600" onerror="javascript:errimg(this);">

注入出用户名和密码，登录后台。。。

[<img src="https://images.seebug.org/upload/201405/1717375125bfe3b24ebbc44290af494536cc7ad2.jpg" alt="O%1@@FN5I19NI@87FOHC{U.jpg" width="600" onerror="javascript:errimg(this);">

漏洞证明：

[<img src="https://images.seebug.org/upload/201405/17173606cdf9b8bbae69e111eb5b5f54ca2d39ad.jpg" alt="XKSJ7}0WV`2Z9OXKU8SM98.jpg" width="600" onerror="javascript:errimg(this);">

[<img src="https://images.seebug.org/upload/201405/17173712c34e579b9b61945aded86bf37f3bfa2f.jpg" alt="88~M13DGGSMUV3CNO$6)IW.jpg" width="600" onerror="javascript:errimg(this);">

JSON Vulners Source

Initial Source

{"enchantments": {"score": {"vector": "NONE", "value": 5.0}, "vulnersScore": 5.0}, "bulletinFamily": "exploit", "enchantments_done": [], "href": "https://www.seebug.org/vuldb/ssvid-95508", "id": "SSV:95508", "_object_type": "robots.models.seebug.SeebugBulletin", "sourceHref": "", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\n\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\u4e0e\uff1a [WooYun: Anymacro \u90ae\u4ef6\u7cfb\u7edfSQL\u6ce8\u5165\u6f0f\u6d1e\u548c\u4efb\u610f\u6587\u4ef6\uff08\u90ae\u4ef6\uff09\u5220\u9664\uff08\u65e0\u9700\u767b\u5f55\uff09](http://www.wooyun.org/bugs/wooyun-2014-061050) \u91cd\u590d\n\u4e4c\u4e91\u5df2\u7ecf\u628a\u5b83\u5217\u5165\u5230\u901a\u7528\u578b\u5956\u52b1\u5382\u5546\u5f53\u4e2d\u4e86\u3002\n0x01 \u80cc\u666f\nAnyMacro\uff08\u5b89\u5b81\uff09\u6210\u7acb\u4e8e1999\u5e74\uff0c\u662f\u56fd\u5185\u9886\u5148\u7684\u7edf\u4e00\u6d88\u606f/\u79fb\u52a8\u95e8\u6237/PushMail\u4ea7\u54c1\u4e0e\u5e94\u7528\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\u5546\u3002\u4e3b\u8981\u5ba2\u6237\u6db5\u76d6\u56fd\u5bb6\u90e8\u59d4\u3001\u5927\u578b\u4f01\u4e1a\u4ee5\u53ca\u90e8\u5206\u6d77\u5916\u5ba2\u6237\uff0c\u5ba2\u6237\u5206\u5e03\u4e8e\u653f\u5e9c\u3001\u519b\u5de5\u3001\u91d1\u878d\u3001\u7535\u4fe1\u3001\u80fd\u6e90\u3001\u6559\u80b2\u7b49\u884c\u4e1a\u3002 AnyMacro\u5728\u6280\u672f\u521b\u65b0\u548c\u5173\u952e\u5e94\u7528\u4e2d\u4e00\u76f4\u5904\u4e8e\u884c\u4e1a\u9886\u5148\u5730\u4f4d\uff0c\u5728\u5168\u7403\u9996\u5bb6\u63d0\u51fa\u5e76\u5b9e\u73b0LAMP\u67b6\u6784\u90ae\u4ef6/\u6d88\u606f\u7cfb\u7edf\u5df2\u6210\u4e3a\u4e8b\u5b9e\u7684\u884c\u4e1a\u6807\u51c6\u3002AnyMacro \u5177\u6709\u7edf\u4e00\u6d88\u606f/\u79fb\u52a8\u95e8\u6237/PushMail\u9886\u57df\u7684\u5168\u7ebf\u6280\u672f\u4e0e\u81ea\u4e3b\u77e5\u8bc6\u4ea7\u6743\uff0c\u8fd8\u662f\u591a\u5bb6\u56fd\u9645Linux\u5382\u5546\u7684OEM\u90ae\u4ef6/\u6d88\u606f\u4ea7\u54c1\u63d0\u4f9b\u5546\u3002\n0x02 \u6f0f\u6d1e\u5206\u6790\uff1a\n\u7531\u4e8e\u8be5\u90ae\u4ef6\u7cfb\u7edf\u90e8\u5206\u4ee3\u7801\u5df2\u7ecf\u52a0\u5bc6\uff0c\u5e76\u4e14\u6682\u65e0\u65b9\u6cd5\u89e3\u5bc6\uff0c\u901a\u8fc7\u9ed1\u76d2\u52a0\u767d\u76d2\u6d4b\u8bd5\uff0c\u53d1\u73b0\u6240\u6709\u9875\u9762\u53ea\u8981\u6dfb\u52a0\u4e86\u6743\u9650\u9a8c\u8bc1\u6a21\u5757\uff0c\u90fd\u4f1a\u51fa\u73b0SQL\u6ce8\u5165\u6f0f\u6d1e\uff08\u5371\u5bb3\u975e\u5e38\u975e\u5e38\u4e25\u91cd\uff09\uff0cSQL\u6ce8\u5165\u6f0f\u6d1e\u53ef\u83b7\u53d6\u90ae\u4ef6\u4fe1\u606f\uff0c\u4ee5\u53ca\u90ae\u4ef6\u7528\u6237\u540d\u548c\u5bc6\u7801\u3002\n \u6b64SQL\u6ce8\u5165\u6f0f\u6d1e\u4ea7\u751f\u4e8eCOOKIE\u5f53\u4e2d\uff0c\u5176\u4e2d\u53ea\u8981ANY_EMAIL=xxxx\u2019 \u5373\u53ef\u62a5\u9519\u6ce8\u5165\u3002\u3002\u3002\n\n\n[<img src=\"https://images.seebug.org/upload/201405/171732324be42805372ee843299687be7a6013a4.jpg\" alt=\"HNHZ2M8BI~YVU_51@$PRA[1.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/171732324be42805372ee843299687be7a6013a4.jpg)\n\n\n\u521d\u6b65\u6000\u7591\u8be5\u95ee\u9898\u5b58\u5728\u4e8e\u52a0\u5bc6\u4ee3\u7801\u5f53\u4e2d\u3002\u3002\u3002\u3002\n\u4e0b\u9762\u5206\u6790\u5728\u5176\u4e2d\u4e00\u5904\u4ee3\u7801\u5f53\u4e2d\u7684SQL\u6ce8\u5165\n\u5728tosms.php\u4e2d\n\n\n```\n<?php\nrequire_once 'config/config.php';\nrequire_once 'include/template.php';\nrequire_once 'include/func.php';\nrequire_once 'include/right.php';\nrequire_once 'include/dbfunc.php';\nrequire_once 'include/sms_func.php';\nrequire_once 'include/func_login.php';\ninclude_once \"include/$AUTH_MODULE\";\nsession_start();\n$F_sid = trim($_REQUEST['F_sid']);\nif(isset($_REQUEST['F_sms_send'])) { //\u5f53f_sms_send\u6761\u4ef6\u5b58\u5728\u65f6\uff0c\u89e6\u53d1\n\t$email\t\t= $_COOKIE['ANY_EMAIL']; //\u65e0\u8fc7\u6ee4\u4ececookie\u4e2d\u83b7\u53d6\n\t$telstr \t= trim($_REQUEST['F_tel']);\n\t$tmp = explode(\":\",$telstr);\n\t$send_tel \t= $tmp[0];\n\t$send_pass \t= '';\n\t$sql = \"SELECT id,maildir FROM user WHERE id='\".$email.\"'\";//\u76f4\u63a5\u4f20\u5165sql\u8bed\u53e5\u5f53\u4e2d\u6267\u884c\uff0c\u9020\u6210sql\u6ce8\u5165\u6f0f\u6d1e\n\t$res = db_query($sql);\n\t$row = db_fetch($res);\n\tif(!empty($row['id'])) {\n\t\t$smsfile = $row['maildir'].'/sms.config';\n\t\tif(file_exists($smsfile)) {\n\t\t\t$fstr = @file($smsfile);\n\t\t\t$farr = explode(\",\",trim($fstr[0]));\n\t\t\t$tel_arr[$farr[0]] = $farr[2];\n\t\t\t$send_pass = $tel_arr[$send_tel];\n\t\t}\n\t}\n\t$recv_tel \t= trim($_REQUEST['F_phone']);\n\t$sms_msg\t= trim($_REQUEST['F_msg']);\n```\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201405/17173355e1cecc6d2df89d5cc2aa2bc71f8f357f.jpg\" alt=\"4}C$5OHXMDB1NZIFK)@ZCU0.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/17173355e1cecc6d2df89d5cc2aa2bc71f8f357f.jpg)\n\n\n\u6293\u5305\u4e22sqlmap\u6ce8\u5165\uff0c\u5373\u53ef\u6ce8\u5165\u51fa\u6240\u6709\u90ae\u4ef6\u7528\u6237\u540d\u548c\u5bc6\u7801\u3002\u3002\u3002\n\n\n[<img src=\"https://images.seebug.org/upload/201405/17173606cdf9b8bbae69e111eb5b5f54ca2d39ad.jpg\" alt=\"XKSJ7}0WV`2Z9OXKU8[SM98.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/17173606cdf9b8bbae69e111eb5b5f54ca2d39ad.jpg)\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201405/17173712c34e579b9b61945aded86bf37f3bfa2f.jpg\" alt=\"88~M13DGG[SMUV3CNO$6)IW.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/17173712c34e579b9b61945aded86bf37f3bfa2f.jpg)\n\n\n\u6ce8\u5165\u51fa\u7528\u6237\u540d\u548c\u5bc6\u7801\uff0c\u767b\u5f55\u540e\u53f0\u3002\u3002\u3002\n\n\n[<img src=\"https://images.seebug.org/upload/201405/1717375125bfe3b24ebbc44290af494536cc7ad2.jpg\" alt=\"O%1@@FN5I19NI@87FOH[C{U.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/1717375125bfe3b24ebbc44290af494536cc7ad2.jpg)\n\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\n\n[<img src=\"https://images.seebug.org/upload/201405/17173606cdf9b8bbae69e111eb5b5f54ca2d39ad.jpg\" alt=\"XKSJ7}0WV`2Z9OXKU8[SM98.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/17173606cdf9b8bbae69e111eb5b5f54ca2d39ad.jpg)\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201405/17173712c34e579b9b61945aded86bf37f3bfa2f.jpg\" alt=\"88~M13DGG[SMUV3CNO$6)IW.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/17173712c34e579b9b61945aded86bf37f3bfa2f.jpg)", "type": "seebug", "cvss": {"score": 0.0, "vector": "NONE"}, "lastseen": "2017-11-19T17:25:34", "references": [], "modified": "2014-05-17T00:00:00", "objectVersion": "1.4", "reporter": "Root", "history": [], "status": "details", "viewCount": 0, "published": "2014-05-17T00:00:00", "cvelist": [], "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "title": "Anymacro \u90ae\u4ef6\u7cfb\u7edfN\u5904SQL\u6ce8\u5165\u6f0f\u6d1e", "sourceData": ""}