
CVE-2021-44026 PoC — Roundcube Webmail SQL Injection Vulnerability

Source
Associated Vulnerability
Title: Roundcube Webmail SQL Injection Vulnerability (CVE-2021-44026)
Description: Roundcube Webmail is an open-source, browser-based IMAP client that supports address book management, message search, spell checking and more. Roundcube Webmail contains a SQL injection vulnerability; an attacker can perform SQL injection through "search" or "search_params". The following products and versions are affected: Roundcube before 1.3.17 and 1.4.x before 1.4.12.
Description
A demo exploit for CVE-2021-44026, a SQL injection in Roundcube
Readme
# Roundcube CVE-2021-44026, a SQL injection

This repository contains a demo exploit for an [SQL injection in Roundcube](https://pentest-tools.com/blog/roundcube-exfiltrating-emails-with-cve-2021-44026).

**Disclaimer**:

This code is intended solely for educational purposes and to assist security teams in identifying vulnerabilities in their Roundcube instances.
It should only be used in ethical hacking engagements in which the security professional has written authorization to ethically exploit the target(s) included in the scope.
The authors are not liable for any misuse or illegal use of this exploit code.

## Usage

```shell
usage: exploit.py [-h] smtp_server smtp_port sender_email sender_password target_email c2_server

Roundcube CVE-2020-35730 & CVE-2021-44026 exploit

positional arguments:
  smtp_server      Sender SMTP server name
  smtp_port        Sender SMTP server port
  sender_email     Sender email address
  sender_password  Sender email password for logging into the SMTP server
  target_email     Target email address
  c2_server        The URL on which the C2 server will listen

optional arguments:
  -h, --help       show this help message and exit
```

When run, the code starts a Flask server (`c2_server` in the code), which performs the exploit in two steps:

1. It sends an email to the target from the given sender address. This email contains an exploit for another Roundcube vulnerability, an XSS tracked as [CVE-2020-35730](https://nvd.nist.gov/vuln/detail/CVE-2020-35730). We use it to send the requests necessary for the SQL injection from an authenticated session. All the JavaScript code that runs on the client side is in `static/fetcher.js`.
2. The JavaScript code extracts all the sessions from the database and sends them back to the C2 server as a _VCARD_. On the server side, the session variables are extracted from the _VCARD_. For each authenticated session the code extracts the most recent emails received.

Note: You can use a Gmail account as the sender's email. Use `smtp.gmail.com` for the server and `587` for the port. Configure an app password just for this usage by following the guide [here](https://support.google.com/mail/answer/185833?hl=en#zippy=).
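Before running anything like the exploit above against an instance you are authorized to test, the first check is whether the deployed version even falls inside the affected ranges stated in the advisory text on this page (before 1.3.17, and 1.4.x before 1.4.12). The following is an added example written for this page, not code from the repository: it parses a Roundcube version string, applies exactly those two ranges, and reports the minimum fixed release on the same branch. The regex assumes the deployment exposes its version as "Roundcube Webmail X.Y.Z" (as the About dialog does); the HTML snippet is constructed, not captured from a real server.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated on this page for CVE-2021-44026:
# "Roundcube before 1.3.17 and 1.4.x before 1.4.12".
FIXED_1_3 = (1, 3, 17)
FIXED_1_4 = (1, 4, 12)

# Assumption: the deployment shows its version as "Roundcube Webmail X.Y.Z"
# (e.g. in the About dialog). Pre-release suffixes such as "-rc1" are ignored.
VERSION_RE = re.compile(r"Roundcube Webmail\s+v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'X.Y.Z' (optionally prefixed with 'v' or followed by a suffix) into ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a Roundcube version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_cve_2021_44026(version: str) -> bool:
    """True if the version lies in one of the two affected ranges on this page."""
    v = parse_version(version)
    if v[:2] == (1, 4):
        return v < FIXED_1_4
    # "before 1.3.17" covers 1.3.x and every older branch; anything newer
    # than 1.4.x is outside the ranges this page lists.
    return v < FIXED_1_3


def minimum_fixed_version(version: str) -> Optional[str]:
    """Smallest fixed release on the same branch, or None if not affected."""
    if not is_affected_cve_2021_44026(version):
        return None
    v = parse_version(version)
    fixed = FIXED_1_4 if v[:2] == (1, 4) else FIXED_1_3
    return ".".join(str(x) for x in fixed)


def find_version_in_page(html: str) -> Optional[str]:
    """Extract 'X.Y.Z' from HTML that contains 'Roundcube Webmail X.Y.Z'."""
    m = VERSION_RE.search(html)
    return ".".join(m.groups()) if m else None


# Constructed sample of an About dialog fragment (not a real capture).
SAMPLE_ABOUT_HTML = '<div id="aboutframe"><h3>Roundcube Webmail 1.4.11</h3></div>'

if __name__ == "__main__":
    found = find_version_in_page(SAMPLE_ABOUT_HTML)
    if found is None:
        print("version not exposed; check manually")
    else:
        fix = minimum_fixed_version(found)
        status = f"affected, upgrade to >= {fix}" if fix else "not in the affected ranges"
        print(f"Roundcube {found}: {status}")
```

Versions outside the two listed ranges (for example the 1.5 series) are reported as not affected only because this page does not list them; treat that as "not covered by this advisory text" rather than as a clean bill of health.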
File Snapshot

```
/data/pocs/2167fbcfa39743751af8bdb7ab43014175ccec32
├── [8.7K] exploit.py
├── [2.2K] README.md
└── [4.0K] static
    └── [1.3K] fetcher.js

1 directory, 3 files
```