CVE-2016-10033 PoC — PHPMailer 安全漏洞

Source

https://github.com/alexander47777/CVE-2016-10033

Associated Vulnerability

Title:PHPMailer 安全漏洞 (CVE-2016-10033)
Description:The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Readme

# CVE-2016-10033 – PHPMailer Remote Code Execution

## 📌 Description
This repository contains a proof-of-concept (PoC) exploit for **CVE-2016-10033**,  
a vulnerability in **PHPMailer** versions prior to **5.2.18**.  
The issue occurs when the `$additional_parameters` argument of PHP's built-in  
`mail()` function is improperly handled, allowing attackers to inject additional  
command-line parameters into **sendmail**. This can be abused to write arbitrary  
PHP code to a web-accessible directory, leading to **Remote Code Execution (RCE)**.

---

## ⚠️ Disclaimer
This project is for **educational and authorized security testing purposes only**.  
Do not use this exploit against systems you do not own or have permission to test.  
The author takes **no responsibility** for any misuse of this code.

---

## 🛠 Affected Versions
- PHPMailer ≤ **5.2.17**  
- PHP when configured to use `sendmail`  
- `sendmail_path` defined and accessible  

---

File Snapshot


 [4.0K]  /data/pocs/b6c05b39c27009646c2c39f71afdab2773a30cc9
├── [2.1K]  exploit.py
└── [ 969]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!