# CVE-2016-10033 – PHPMailer Remote Code Execution
## 📌 Description
This repository contains a proof-of-concept (PoC) exploit for **CVE-2016-10033**,
a vulnerability in **PHPMailer** versions prior to **5.2.18**.
The issue occurs because the value PHPMailer passes as the `$additional_parameters`
argument of PHP's built-in `mail()` function is not properly sanitized, allowing
attackers to inject additional command-line parameters into **sendmail**. This can be
abused to write arbitrary PHP code to a web-accessible directory, leading to
**Remote Code Execution (RCE)**.
---
## ⚠️ Disclaimer
This project is for **educational and authorized security testing purposes only**.
Do not use this exploit against systems you do not own or have permission to test.
The author takes **no responsibility** for any misuse of this code.
---
## 🛠 Affected Versions
- PHPMailer ≤ **5.2.17**
- PHP when configured to use `sendmail`
- `sendmail_path` defined and accessible
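
To locate bundled PHPMailer copies that fall in the affected range, a version audit can be run over a web root. The script below is an added example, not part of this repository's code; it assumes PHPMailer 5.x declares its version as a `$Version` property in `class.phpmailer.php`, and the sample tree it scans is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (5, 2, 18)  # first release outside the affected range, per this README

# Assumption: PHPMailer 5.x declares its version in class.phpmailer.php
# as a property, e.g.  public $Version = '5.2.17';
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"](\d+)\.(\d+)\.(\d+)['"]""")


def parse_version(php_source):
    """Return (major, minor, patch), or None if no declaration is found."""
    m = VERSION_RE.search(php_source)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(version):
    """Map a parsed version to 'affected', 'ok' or 'unknown'."""
    if version is None:
        return "unknown"  # modified or stripped copy: review by hand
    return "affected" if version < FIXED else "ok"


def scan_tree(root):
    """Return sorted (relative path, version, status) for each PHPMailer copy."""
    root = Path(root)
    findings = []
    for path in root.rglob("class.phpmailer.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        version = parse_version(text)
        findings.append((path.relative_to(root).as_posix(), version, classify(version)))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree: two vendored copies and one with no version line.
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"app/lib": "public $Version = '5.2.17';",
                   "blog/vendor": "public $Version = '5.2.18';",
                   "old/inc": "<?php class PHPMailer {}"}
        for folder, body in samples.items():
            target = Path(tmp, folder)
            target.mkdir(parents=True)
            (target / "class.phpmailer.php").write_text(body)
        for rel, version, status in scan_tree(tmp):
            print(f"{status:9} {version} {rel}")
```

Copies reported as `unknown` carry no recognizable version declaration and need manual inspection rather than being treated as safe.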
---