If you are a security researcher, specialist or just somehow involved in the IT security field, you must have heard of the latest critical vulnerability discovered by Dawid Golunski, which affects the PHPMailer class and puts over 9 million websites at risk... Yes, you heard me right, 9 f*cking million websites!!

If you haven't grasped how critical the vulnerability is yet, let me tell you that major PHP CMSs and frameworks, including Joomla, WordPress, Drupal, Yii Framework and many others, are in the firing line.

What is PHPMailer?

In case you are new to all of this and are wondering what the hell PHPMailer is: it is the world's most popular email transport class, with an estimated 9 million users worldwide, used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, [..], Joomla! and many more.

Do I need to be concerned?

Yes. Even if you don't use PHPMailer directly, most CMSs do, and even if you are using SwiftMail you have to take precautions, as SwiftMail relies on PHPMailer for most of its features. A successful exploitation could let remote attackers gain access to the target server in the context of the web server account, which could lead to a full compromise of the web application.

How to exploit the vulnerabilities?

Some exploit scripts were already out shortly after the vulnerability went public. GitHub user opsxcq has published a fully functional PoC that tests the exploit against a Docker environment; to reproduce it, follow the steps below:

** Disclaimer: The steps, script and the article are for EDUCATIONAL PURPOSES ONLY. I take no responsibility if you use them to attack applications where you don't have the right to do so.

To set up a vulnerable environment for your test you need Docker installed; then just run the following command:

It will spawn a vulnerable web application on your host on port 8080.


To exploit this target, just run:

If you are using this vulnerable image, you can just run:

After exploitation, a file called backdoor.php will be stored in the root folder of the web directory. A shell will then be dropped so you can type commands to the backdoor:

And if you visit the page again, you will see magic!

[Screenshot: the page now reads "hacked"]

How to avoid the PHPMailer vulnerability?

If you are a web developer/administrator and want to avoid the vulnerability, you need to update your CMS/framework. If you are using the class directly, get the latest version from GitHub (see the references section), or, as a stopgap, you can simply set the PHPMailer class file permissions to 000 for now.
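Before updating, it helps to know where PHPMailer actually lives on a server, since CMSs bundle their own copies next to any vendored one. As an added example (not code from this post or from the PHPMailer project), here is a Python script a defender can run over a web root to list every copy older than a given release. The class file names, the version-declaration patterns and the MIN_VERSION threshold are assumptions; confirm the first fixed release against the legalhackers advisory in the references.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Assumption: PHPMailer's main class file declares its version as
#   5.x  class.phpmailer.php (WordPress: class-phpmailer.php): public $Version = '5.2.x';
#   6.x  src/PHPMailer.php:                                     const VERSION = '6.x.y';
CLASS_FILES = {"class.phpmailer.php", "class-phpmailer.php", "PHPMailer.php"}
VERSION_RE = re.compile(r"""(?:\$Version|const\s+VERSION)\s*=\s*['"]([0-9][0-9.]*)['"]""")
# Assumption: first release carrying the fix; confirm against the advisory in the references.
MIN_VERSION = "5.2.18"

def parse_version(text: str) -> Tuple[int, ...]:
    """'5.2.14' -> (5, 2, 14), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split(".") if p)

def phpmailer_version(path: str) -> str:
    """Version string declared in a PHPMailer class file, or '' if none is found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = VERSION_RE.search(fh.read())
    return match.group(1) if match else ""

def find_outdated(web_root: str, min_version: str) -> List[Tuple[str, str]]:
    """(path, version) for every PHPMailer copy under web_root older than min_version."""
    wanted = parse_version(min_version)
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name in CLASS_FILES:  # bundled CMS copies and vendored copies alike
                full = os.path.join(dirpath, name)
                ver = phpmailer_version(full)
                if ver and parse_version(ver) < wanted:
                    hits.append((full, ver))
    return sorted(hits)

def demo() -> List[Tuple[str, str]]:
    """Scan a constructed sample web root (three copies, one of them outdated) in a temp dir."""
    samples = {  # constructed sample files, not real installations
        "cms/wp-includes/class-phpmailer.php": "public $Version = '5.2.14';",
        "vendor/phpmailer/phpmailer/class.phpmailer.php": "public $Version = '5.2.22';",
        "app/lib/src/PHPMailer.php": "const VERSION = '6.0.7';",
        "app/lib/src/SMTP.php": "const VERSION = '6.0.7';",  # not the mailer class: ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write("<?php\n" + body + "\n")
        return [(os.path.relpath(p, root), v) for p, v in find_outdated(root, MIN_VERSION)]
```

Run `find_outdated("/var/www", MIN_VERSION)` against a real web root; only the bundled 5.2.14 copy is reported in the sample tree.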

References:

http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

https://github.com/opsxcq/exploit-CVE-2016-10033

http://phpmailer.worxware.com/

https://github.com/PHPMailer/PHPMailer

http://php.net/manual/en/function.mail.php

Written by AYOUB BAHAR
Ayoub Bahar, 25 years old, founder of this blog, I am passionate about coding, hacking, cracking and everything related to the new technologies. Follow me to get my latest articles.