first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions

Binary file not shown (image added, 26 KiB).

Binary file not shown (image added, 17 KiB).

Binary file not shown (image added, 31 KiB).

View File

@@ -0,0 +1,16 @@
FROM vulhub/php:5.6-apache
LABEL maintainer="phithon <root@leavesongs.com>"
COPY www/* /var/www/html/
RUN set -ex \
&& rm /etc/apt/sources.list \
&& echo "deb [trusted=yes] http://archive.debian.org/debian-security jessie/updates main" >> /etc/apt/sources.list.d/jessie.list \
&& echo "deb [trusted=yes] http://archive.debian.org/debian jessie main" >> /etc/apt/sources.list.d/jessie.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends git \
&& cd /var/www/html/ \
&& curl -sSL https://getcomposer.org/installer | php \
&& php composer.phar install \
&& rm -rf /var/lib/apt/lists/*
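Review bot: `curl -sSL https://getcomposer.org/installer | php` runs the Composer installer with no check of its published SHA-384, and because it executes after `cd /var/www/html/`, `composer.phar` lands in the document root and is still there, web-served next to the app, after `php composer.phar install` finishes. Verify the installer hash against the value published on getcomposer.org (or download a pinned `composer.phar` release) and append `&& rm composer.phar` after the install step; `vendor/` living under the webroot is tolerable for a lab but deserves a comment. The two `[trusted=yes]` entries also switch off apt signature verification for archive.debian.org; that is a pragmatic choice for the EOL jessie archive, but say so in a comment so it is not copied into a non-lab image.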

View File

@@ -0,0 +1,53 @@
# PHPMailer Arbitrary File Read (CVE-2017-5223)
[中文版本(Chinese version)](README.zh-cn.md)
PHPMailer is a popular PHP library for sending emails.
Before the PHPMailer 5.2.18, during the email sending process, PHPMailer searches for image tags (`<img src="...">`) in the email content and extracts their src attribute values as attachments. Therefore, if we can control part of the email content, we can use `<img src="/etc/passwd">` to read the file `/etc/passwd` as an attachment, resulting in an arbitrary file read vulnerability.
References:
- http://www.freebuf.com/vuls/124820.html
- https://www.exploit-db.com/exploits/43056/
## Environment Setup
First, create a `.env` file in the current directory with the following content (modify the configuration values to your SMTP server, account, and password):
```
SMTP_SERVER=smtp.example.com
SMTP_PORT=587
SMTP_EMAIL=your_email@example.com
SMTP_PASSWORD=secret
SMTP_SECURE=tls
```
Here, `SMTP_SECURE` is the SMTP encryption method, which can be set to none, ssl, or tls.
Then compile and run the test environment:
```
docker compose build
docker compose up -d
```
After the server starts, visit `http://your-ip:8080/` to see a "Feedback" page.
## Vulnerability Reproduction
On the "Feedback" page, normal users fill in their nickname, email, and feedback for submission. This information will be stored by the backend, and the backend will send an email to notify users that their feedback has been submitted:
![](1.png)
> This scenario is common in real-world applications. For example, when users successfully register on a website, they usually receive a notification email containing their nickname. Therefore, if we insert malicious code `<img src="/etc/passwd">` in the nickname field, files on the target server will be read as attachments.
Similarly, we can place the malicious code in the "Feedback" field:
![](2.png)
When receiving the email, it contains attachments `/etc/passwd` and `/etc/hosts`:
![](3.png)
Download and read the files.
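Review bot: the affected-version statement in the opening paragraph ("Before the PHPMailer 5.2.18") contradicts the environment itself, which pins `phpmailer/phpmailer` to 5.2.20 in composer.json and is exploitable as described; CVE-2017-5223 was fixed in PHPMailer 5.2.22, so this should read "Before PHPMailer 5.2.22". It would also help readers to name the mechanism once: `msgHTML()` turns every `<img src>` value that is not a URL, `cid:` or `data:` reference into an embedded attachment read from disk relative to its `$basedir` argument, and with no basedir an absolute path such as `/etc/passwd` is read as-is; 5.2.22 only performs that rewrite when a basedir is supplied and the path contains no `..`. Finally, the `SMTP_SECURE` description ("none, ssl, or tls") should say that index.php honours only `tls` and `ssl` and treats any other value, including a typo, as unencrypted.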

View File

@@ -0,0 +1,51 @@
# PHPMailer 任意文件读取漏洞CVE-2017-5223
PHPMailer 是 PHP 中常用的邮件发送库。
在 PHPMailer 5.2.18 之前在发送邮件的过程中PHPMailer 会在邮件内容中寻找图片标签(`<img src="...">`),并将其 src 属性的值提取出来作为附件。因此,如果我们能控制部分邮件内容,可以利用`<img src="/etc/passwd">`将文件`/etc/passwd`作为附件读取出来,造成任意文件读取漏洞。
参考链接:
- http://www.freebuf.com/vuls/124820.html
- https://www.exploit-db.com/exploits/43056/
## 漏洞环境
在当前目录下创建文件`.env`内容如下将其中的配置值修改成你的smtp服务器、账户、密码
```
SMTP_SERVER=smtp.example.com
SMTP_PORT=587
SMTP_EMAIL=your_email@example.com
SMTP_PASSWORD=secret
SMTP_SECURE=tls
```
其中,`SMTP_SECURE`是SMTP加密方式可以填写none、ssl或tls。
然后编译、运行测试环境:
```
docker compose build
docker compose up -d
```
环境启动后,访问`http://your-ip:8080/`,即可看到一个"意见反馈"页面。
## 漏洞复现
"意见反馈"页面,正常用户填写昵称、邮箱、意见提交,这些信息将被后端储存,同时后端会发送一封邮件提示用户意见填写完成:
![](1.png)
> 该场景在实战中很常见,比如用户注册网站成功后,通常会收到一封包含自己昵称的通知邮件,那么,我们在昵称中插入恶意代码`<img src="/etc/passwd">`,目标服务器上的文件将以附件的形式被读取出来。
同样,我们填写恶意代码在"意见"的位置:
![](2.png)
收到邮件,其中包含附件`/etc/passwd``/etc/hosts`
![](3.png)
下载读取即可。
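Review bot: same affected-version problem as the English README: "在 PHPMailer 5.2.18 之前" is contradicted by the 5.2.20 pin in composer.json, and the fix for CVE-2017-5223 shipped in 5.2.22, so this line should say 5.2.22 as well.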

View File

@@ -0,0 +1,7 @@
services:
web:
build: .
ports:
- "8080:80"
env_file:
- .env
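Review bot: `"8080:80"` publishes the lab on every interface, and the container holds live SMTP credentials from `.env` that any visitor can use, via the feedback form, to send mail with attachments read from the container to an address of their choosing. Bind to loopback (`"127.0.0.1:8080:80"`) by default, or state in the README that the environment must not be started on a host reachable by others.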

View File

@@ -0,0 +1,5 @@
{
"require": {
"phpmailer/phpmailer": "5.2.20"
}
}

View File

@@ -0,0 +1,78 @@
{
"_readme": [
"This file locks the dependencies of your project to a known state",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"content-hash": "103a823b388422224b1368569073c034",
"packages": [
{
"name": "phpmailer/phpmailer",
"version": "v5.2.20",
"source": {
"type": "git",
"url": "https://github.com/PHPMailer/PHPMailer.git",
"reference": "efde5edb3da8e1d257e030e3c2d922c4de6e5d09"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/efde5edb3da8e1d257e030e3c2d922c4de6e5d09",
"reference": "efde5edb3da8e1d257e030e3c2d922c4de6e5d09",
"shasum": ""
},
"require": {
"php": ">=5.0.0"
},
"require-dev": {
"phpdocumentor/phpdocumentor": "*",
"phpunit/phpunit": "4.7.*"
},
"suggest": {
"league/oauth2-google": "Needed for Google XOAUTH2 authentication"
},
"type": "library",
"autoload": {
"classmap": [
"class.phpmailer.php",
"class.phpmaileroauth.php",
"class.phpmaileroauthgoogle.php",
"class.smtp.php",
"class.pop3.php",
"extras/EasyPeasyICS.php",
"extras/ntlm_sasl_client.php"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"LGPL-2.1"
],
"authors": [
{
"name": "Jim Jagielski",
"email": "jimjag@gmail.com"
},
{
"name": "Marcus Bointon",
"email": "phpmailer@synchromedia.co.uk"
},
{
"name": "Andy Prevost",
"email": "codeworxtech@users.sourceforge.net"
},
{
"name": "Brent R. Matzelle"
}
],
"description": "PHPMailer is a full-featured email creation and transfer class for PHP",
"time": "2016-12-28T13:36:42+00:00"
}
],
"packages-dev": [],
"aliases": [],
"minimum-stability": "stable",
"stability-flags": [],
"prefer-stable": false,
"prefer-lowest": false,
"platform": [],
"platform-dev": []
}
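Review bot: `"shasum": ""` in the `dist` block means Composer has no content hash to verify the downloaded zipball against; reproducibility here rests only on the git `reference` `efde5edb3da8e1d257e030e3c2d922c4de6e5d09`. That is acceptable for a lab that deliberately pins a vulnerable 2016 release, but if the intent is a verifiable build, install with `--prefer-source` so the `source` entry (the git commit) is what gets fetched, which is presumably why `git` is installed in the Dockerfile; a comment to that effect would save the next maintainer from dropping the `git` package.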

View File

@@ -0,0 +1,45 @@
<?php
require 'vendor/autoload.php';
if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
$mail = new PHPMailer();
$mail->isSMTP();
$mail->Host = $_ENV['SMTP_SERVER'];
$mail->SMTPAuth = true;
$mail->Username = $_ENV['SMTP_EMAIL'];
$mail->Password = $_ENV['SMTP_PASSWORD'];
$mail->Port = intval($_ENV['SMTP_PORT']);
$mail->CharSet = 'UTF-8';
if (in_array($_ENV['SMTP_SECURE'], ['tls', 'ssl'])) {
$mail->SMTPSecure = $_ENV['SMTP_SECURE'];
} else {
$mail->SMTPSecure = false;
}
$message = <<<DATA
<p><strong>{$_POST['your-name']}</strong>您好,您反馈的意见如下:</p>
<blackquote>{$_POST['your-message']}</blockquote>
<p>我们将在24小时内给予您回复请耐心等待</p>
DATA;
$mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
$mail->AddAddress($_POST["your-email"], $_POST["your-name"]);
$mail->Subject = "您反馈的意见我们已经收到";
$mail->MsgHTML($message);
if(!$mail->Send()) echo "Error: ".$mail->ErrorInfo; else echo "Success!";
}
?>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<h2>反馈意见</h2>
<form method="post">
<p><label>昵称<br /><input type="text" name="your-name" value="" size="40" /></span> </label></p>
<p><label>Email<br /><input type="email" name="your-email" value="" size="40" /></span> </label></p>
<p><label>意见<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
<p><input type="submit" value="提交" /></p>
</body>
</html>
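Review bot: `<blackquote>` in the heredoc (`<blackquote>{$_POST['your-message']}</blockquote>`) never matches its closing `</blockquote>`; fix the spelling. The form markup has the same kind of defect: two stray `</span>` tags after the name and email inputs with no opening `<span>`, and `<form method="post">` is never closed before `</body>`. Two behavioural caveats for the lab: `$_ENV` is populated only when php.ini's `variables_order` includes `E` (the built-in default does, the bundled `php.ini-production` template does not), so `getenv('SMTP_SERVER')` and friends would be the robust choice; and `SetFrom($_POST["your-email"], ...)` makes the visitor's address the sender, which many authenticated SMTP relays reject when it does not match `SMTP_EMAIL`, so use `SMTP_EMAIL` in `SetFrom` and `addReplyTo` for the user. Leave `MsgHTML($message)` without a basedir and the unescaped `{$_POST['your-message']}` exactly as they are; that is the vulnerable path this environment exists to demonstrate.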