
PHPMailer 5.2.17 – Remote Code Execution

Author: 0day5 | Source: repost | 2016-12-27 09:48


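Frankly, as soon as I saw the preconditions I lost interest, and it even made me late for work. I simply hadn't read the conditions carefully. It would have been so much nicer to just run it in Docker.
Before this commit, in class.phpmailer.php, in a certain scenario there is no filter on special characters in the sender’s email address. This flaw can lead to remote code execution via the mail function.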

To trigger this code, you need:

So you can bypass the sender’s email validation in the validateAddress function by setting patternselect to noregex. To make it easier to achieve such an environment without having to set up PHP like this, I just hardcoded it in this code.
The author debugged this locally.
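
As an added example (not from the original post and not PHPMailer's own code), one way to keep a sender address with special characters from reaching the additional-parameters argument of mail(), regardless of which validateAddress pattern is selected. The helper name safeEnvelopeSender and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not PHPMailer's code: only build the "-f" parameter for
// mail() from a sender address that is syntactically valid AND contains
// nothing a shell or sendmail's argument parser treats specially.

/**
 * Hypothetical helper. Returns the string to pass as mail()'s fifth
 * argument, or null when the address must not be used as envelope sender.
 */
function safeEnvelopeSender(string $address): ?string
{
    // 1. Syntax check that does not depend on a configurable pattern.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // 2. Conservative allowlist. RFC-valid quoted local parts may contain
    //    spaces, quotes and backslashes; none of those are accepted here.
    if (preg_match('/\A[A-Za-z0-9.@_+-]+\z/', $address) !== 1) {
        return null;
    }
    // 3. A leading dash could be read as a new command-line option.
    if ($address[0] === '-') {
        return null;
    }
    // mail() already applies escapeshellcmd() to this string; after the
    // allowlist there is nothing left that needs further quoting.
    return '-f' . $address;
}

// Constructed sample inputs (not taken from the original post).
$samples = [
    'user@example.com',
    '"a b"@example.com',        // quoted local part containing a space
    '-oops@example.com',        // starts with a dash
    'user@example.com extra',   // trailing token after whitespace
];

foreach ($samples as $sender) {
    $param = safeEnvelopeSender($sender);
    printf("%-26s => %s\n", $sender, $param ?? 'rejected, send without -f');
}
```

When the helper returns null, the caller sends without an envelope-sender parameter instead of trying to quote the rejected value.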

Code for testing the vulnerability

Exploit code

After the exploitation, a file called backdoor.php will be stored on the root folder of the web directory. And the exploit will drop you a shell where you can send commands to the backdoor:

./exploit.sh localhost:8080
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting localhost:8080
[+] Target exploited, acessing shell at http://localhost:8080/backdoor.php
[+] Running whoami
www-data
 

Source: 蜗蜗侠's Blog (focused on network security) http://blog.icxun.cn/hack/Code/494.html
