oss-sec mailing list archives
Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)
From: Sam Pizzey <sam () pizzey me>
Date: Wed, 3 May 2017 16:42:25 -0500
Looks good! Especially the Exim RCE technique which I now need to go play with.
However: 'Also note that the output log file contains a lot of debug information added by Sendmail MTA. This might' Might ..?

On 03/05/2017 15:32, Dawid Golunski wrote:
> Here's a paper I wrote back in December. It was originally meant to go into Phrack but the team wanted a more general article on parameter injection as mail() was supposedly an outdated technique. Meanwhile, the RCE-chain continues :) So I decided to post it as it is without changing it as mail() injection deserves a separate article imho.
>
> https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
>
> I reveal some exim code-execution vectors in there that should change the whole game slightly :)
>
> See my exploit for WordPress Core that is based on it:
> https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
>
> I'll attach copies of the white-paper here in the next revision as I haven't slept for 3 nights and need to double check on everything before it goes into the archive forever :)
>
> Regards,
> Dawid Golunski
> https://legalhackers.com
> https://ExploitBox.io
> t: @dawid_golunski
Current thread:
- [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Dawid Golunski (May 03)
- Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Sam Pizzey (May 03)
- Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Kash Pande (May 07)
- Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0) Dawid Golunski (May 07)