Message-ID: <2e47f3de-a154-ff6d-a596-6c7766a96e34@pizzey.me>
Date: Wed, 3 May 2017 16:42:25 -0500
From: Sam Pizzey <sam@...zey.me>
To: oss-security@...ts.openwall.com
Subject: Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)

Looks good! Especially the Exim RCE technique which I now need to go play with.

However:

'Also note that the output log file contains a lot of debug information added by Sendmail MTA. This might'

Might ..?

On 03/05/2017 15:32, Dawid Golunski wrote:
> Here's a paper I wrote back in December. It was originally meant to go
> into Phrack but the team wanted a more general article on parameter injection
> as mail() was supposedly an outdated technique.
> Meanwhile, the RCE-chain continues :) So I decided to post it as it is without
> changing it as mail() injection deserves a separate article imho.
>
> https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
>
> I reveal some exim code-execution vectors in there that should change
> the whole game slightly :)
>
> See my exploit for WordPress Core that is based on it:
> https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
>
>
> I'll attach copies of the white-paper here in the next revision as I
> haven't slept for 3 nights and need to double check on everything
> before it goes into the archive forever :)
>
>
> Regards,
> Dawid Golunski
> https://legalhackers.com
> https://ExploitBox.io
> t: @dawid_golunski