PHPMailer 5.2.17 – Remote Code Execution

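Frankly, once I saw the preconditions I lost interest, and it even made me late for work. I simply had not read the conditions carefully. It would have been so much easier if it could just be run in Docker.
Before this commit in class.phpmailer.php, in a certain scenario there is no filter on special chars in the sender’s email address. This flaw can lead to a remote code execution, via mail function here.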

To trigger this code, you need:

So you can bypass the sender’s email validation in the validateAddress function by setting patternselect to noregex. To make it easier to achieve such an environment without having to set up PHP like this, I just hardcoded it in this code.
The author debugged this locally.
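As an added example (not code from the original post or from PHPMailer), here is a strict allowlist check applied to the sender address before it is used as the envelope sender in the additional-parameters argument of PHP's `mail()`. The function names and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not PHPMailer's code. Function names are hypothetical.

/**
 * Accept only envelope senders made of characters that cannot change how
 * the value is parsed once it is appended to mail()'s fifth parameter.
 */
function isSafeEnvelopeSender(string $address): bool
{
    // 254 characters is the usual upper bound for a mailbox address.
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    // Allowlist: letters, digits and . _ + - in the local part (first
    // character alphanumeric, so no leading "-"), then a dotted hostname.
    // No whitespace, quotes, backslashes or control characters; \z (not $)
    // so a trailing newline does not slip through.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]*@' . $label . '(?:\.' . $label . ')+\z/';
    return preg_match($pattern, $address) === 1;
}

/**
 * Build the additional-parameters string for mail(), or return '' so the
 * MTA's default sender is used when the address fails the allowlist.
 */
function envelopeSenderParam(string $address): string
{
    return isSafeEnvelopeSender($address) ? '-f' . $address : '';
}

// Constructed sample inputs (not taken from the page).
$samples = [
    'alice@example.com',
    'bob.smith+news@mail.example.org',
    '"a b"@example.com',     // quoted local part containing a space
    'carol\\@example.com',   // backslash in the local part
    "dave@example.com\n",    // trailing newline
    '-eve@example.com',      // leading dash
];

foreach ($samples as $s) {
    $verdict = isSafeEnvelopeSender($s) ? 'accept' : 'reject';
    printf("%-36s %s\n", json_encode($s), $verdict);
}
```

Only the first two samples are accepted. The allowlist is deliberately narrower than what the mail RFCs permit, which is the intended trade-off for a value that ends up in a command-line argument.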

Code for testing the vulnerability

Exploit code

After the exploitation, a file called backdoor.php will be stored on the root folder of the web directory. And the exploit will drop you a shell where you can send commands to the backdoor:

Update: a payload from phithon

Run:
