You will not believe just how easy it is to exploit over 9 million websites right now. Anyone that is on Twitter or keeps track of the major vulnerabilities as they are released has probably already heard of the PHPMailer exploit that was found by the polish security researcher Dawid Golunski. This is a flaw in one of the most popular PHP libraries of all time, and it affects over 9 Million websites. As if this isn’t bad enough, it is super easy to exploit and it gives a remote shell. This is the holy grail of vulnerabilities, and this is how you exploit it.
The nitty gritty.
The vulnerable machine.
As I said before, there are millions of vulnerable machines that are internet facing right now. Wordpress Core is affected by this, but every blog on the internet is actively updated right? For demonstration purposes I will be using this vulnerable docker image here: vulnerables/cve-2016-10033
Github user opsxcq has already written up and posted a working exploit for this here. All we have to do is clone this repo and run it. It really is that easy.
Yup. That’s a remote shell. You can get creative now, you are running as www-data. At this point you can try to escalate privileges or go ahead and wreck the website, which is what I did for this demonstration.
That’s all folks. You hacked the gibson.
How and why it works.
The vulnerability is in PHPMailers class.phpmailer.php file. The address was not being sanitized and was allowing for an injection of arbitrary code. The exploit uses that injection point to upload the backdoor.php file and then opens a remote shell using that backdoor. This just goes to show just how critical input sanitization is. It’s one of those things that can be so easily overlooked, but can be so critical that it can affect over 9 Million websites and put major projects like WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla at risk. I will be sure to update this post if I find any more information, but for you admins out there make sure that you are staying up to date.