Phpmailer arg injection update #16721
Changed new advanced option to camel case
Added options to the module docs for the new options
Added Regex to validate new options
Fixed regex to match legal name tags
fixed typo
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
Tested this successfully and everything is looking good. Changing the field datastore options will affect success, so I left them at their default values but confirmed they were changing the outcome. Once the unit tests pass, I'll get this landed.
Release Notes
This updates the PHP Mailer Argument Injection exploit to allow setting the names of certain fields via advanced options. These configuration options then allow the exploit to work in additional scenarios.
Added Advanced options to change the name of the fields for the name, email, and message objects. Set the default to the previous hard-coded value.
No changes to the functionality of the code, just adding the ability for users to modify values. Edited previous advanced option to comply with camel case.
Also went to the documentation and added the new advanced options.
This update was in the attic (did not have time to work on this for a while, sorry!) RE #15810
Thanks for the help!
Verification
msfconsole
use exploits/multi/http/phpmailer_arg_injection
set NAME_FIELD different_name
@smcintyre-r7