### [CVE-2016-10033](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

### POC

#### Reference
- http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html
- http://seclists.org/fulldisclosure/2016/Dec/78
- https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
- https://www.exploit-db.com/exploits/40968/
- https://www.exploit-db.com/exploits/40969/
- https://www.exploit-db.com/exploits/40970/
- https://www.exploit-db.com/exploits/40974/
- https://www.exploit-db.com/exploits/40986/
- https://www.exploit-db.com/exploits/41962/
- https://www.exploit-db.com/exploits/41996/
- https://www.exploit-db.com/exploits/42024/
- https://www.exploit-db.com/exploits/42221/

#### Github
- https://github.com/0x00-0x00/CVE-2016-10033
- https://github.com/0x783kb/Security-operation-book
- https://github.com/777sot/PHPMailer
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/BagmetDenis/exploits_scripts
- https://github.com/Bajunan/CVE-2016-10033
- https://github.com/Brens498/AulaMvc
- https://github.com/CVEDB/PoC-List
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/CVEDB/top
- https://github.com/Closerset/WordPress-RCE-EXP
- https://github.com/Dharini432/Leafnow
- https://github.com/DynamicDesignz/Alien-Framework
- https://github.com/ElnurBDa/CVE-2016-10033
- https://github.com/Elsfa7-110/kenzer-templates
- https://github.com/GeneralTesler/CVE-2016-10033
- https://github.com/Gessiweb/Could-not-access-file-var-tmp-file.tar.gz
- https://github.com/GhostTroops/TOP
- https://github.com/Hehhchen/eCommerce
- https://github.com/Hrishikesh7665/OWASP21-PG
- https://github.com/JERRY123S/all-poc
- https://github.com/Jack-LaL/idk
- https://github.com/JesusAyalaEspinoza/p
- https://github.com/KNIGHTTH0R/PHPMail
- https://github.com/Kalyan457/Portfolio
- https://github.com/Keshav9863/MFA_SIGN_IN_PAGE
- https://github.com/Lu183/phpmail
- https://github.com/MIrfanShahid/PHPMailer
- https://github.com/MarcioPeters/PHP
- https://github.com/MartinDala/Envio-Simples-de-Email-com-PHPMailer-
- https://github.com/Mona-Mishra/User-Registration-System
- https://github.com/Mugdho55/Air_Ticket_Management_System
- https://github.com/NCSU-DANCE-Research-Group/CDL
- https://github.com/NikhilReddyPuli/thenikhilreddy.github.io
- https://github.com/PatelMisha/Online-Flight-Booking-Management-System
- https://github.com/Preeti1502kashyap/loginpage
- https://github.com/Rachna-2018/email
- https://github.com/RakhithJK/Synchro-PHPMailer
- https://github.com/Ramkiskhan/sample
- https://github.com/Razzle23/mail-3
- https://github.com/RichardStwart/PHP
- https://github.com/Rivaldo28/ecommerce
- https://github.com/Sakanksha07/Journey-With-Food
- https://github.com/Sakshibadoni/LetsTravel
- https://github.com/SecRet-501/PHPMailer
- https://github.com/SeffuCodeIT/phpmailer
- https://github.com/SexyBeast233/SecBooks
- https://github.com/Shamsuzzaman321/Wordpress-Exploit-AiO-Package
- https://github.com/Teeeiei/phpmailer
- https://github.com/ThatsSacha/forum
- https://github.com/VenusPR/PHP
- https://github.com/Vudubond/hacking-scripts
- https://github.com/YasserGersy/PHPMailerExploiter
- https://github.com/ZTK-009/RedTeamer
- https://github.com/Zenexer/safeshell
- https://github.com/aegunasekara/PHPMailer
- https://github.com/aegunasekaran/PHPMailer
- https://github.com/afkpaul/smtp
- https://github.com/aklmtst/PHPMailer-Remote-Code-Execution-Exploit
- https://github.com/akr3ch/CheatSheet
- https://github.com/alexandrazlatea/emails
- https://github.com/alokdas1982/phpmailer
- https://github.com/anishbhut/simpletest
- https://github.com/ank0809/Responsive-login-register-page
- https://github.com/anquanscan/sec-tools
- https://github.com/antelove19/phpmailer
- https://github.com/anushasinha24/send-mail-using-PHPMailer
- https://github.com/arbaazkhanrs/Online_food_ordering_system
- https://github.com/arislanhaikal/PHPMailer_PHP_5.3
- https://github.com/ashiqdey/PHPmailer
- https://github.com/athirakottekadnew/testingRepophp
- https://github.com/awidardi/opsxcq-cve-2016-10033
- https://github.com/bigtunacan/phpmailer5
- https://github.com/bkrishnasowmya/OTMS-project
- https://github.com/boy-hack/hack-requests
- https://github.com/chipironcin/CVE-2016-10033
- https://github.com/clemerribeiro/cbdu
- https://github.com/codersstock/PhpMailer
- https://github.com/crackerica/PHPMailer2
- https://github.com/cved-sources/cve-2016-10033
- https://github.com/cyberanand1337x/bug-bounty-2022
- https://github.com/cyberharsh/phpmailer
- https://github.com/cyberpacifists/redteam
- https://github.com/denniskinyuandege/mailer
- https://github.com/devhribeiro/cadweb_aritana
- https://github.com/dipak1997/Alumni-M
- https://github.com/dp7sv/ECOMM
- https://github.com/duhengchen1112/demo
- https://github.com/dylangerardf/dhl
- https://github.com/dylangerardf/dhl-supp
- https://github.com/eb613819/CTF_CVE-2016-10033
- https://github.com/elhouti/ensimag-ssi-2019-20
- https://github.com/eminemdordie/mailer
- https://github.com/entraned/PHPMailer
- https://github.com/faraz07-AI/fullstack-Jcomp
- https://github.com/fatfishdigital/phpmailer
- https://github.com/fatihbaba44/PeakGames
- https://github.com/fatihulucay/PeakGames
- https://github.com/fengjixuchui/RedTeamer
- https://github.com/frank850219/PHPMailerAutoSendingWithCSV
- https://github.com/gaguser/phpmailer
- https://github.com/geet56/geet22
- https://github.com/generalbao/phpmailer6
- https://github.com/gnikita01/hackedemistwebsite
- https://github.com/grayVTouch/phpmailer
- https://github.com/gvido-berzins/GitBook
- https://github.com/gzy403999903/PHPMailer
- https://github.com/heikipikker/exploit-CVE-2016-10034
- https://github.com/hktalent/TOP
- https://github.com/huongbee/mailer0112
- https://github.com/huongbee/mailer0505
- https://github.com/ifindu-dk/phpmailer
- https://github.com/im-sacha-cohen/forum
- https://github.com/inusah42/ecomm
- https://github.com/ivankznru/PHPMailer
- https://github.com/izisoft/mailer
- https://github.com/izisoft/yii2-mailer
- https://github.com/j4k0m/CVE-2016-10033
- https://github.com/jaimedaw86/repositorio-DAW06_PHP
- https://github.com/jamesxiaofeng/sendmail
- https://github.com/jasonsett/Pentest
- https://github.com/jatin-dwebguys/PHPMailer
- https://github.com/jbmihoub/all-poc
- https://github.com/jbperry1998/bd_calendar
- https://github.com/jeddatinsyd/PHPMailer
- https://github.com/jesusclaramontegascon/PhpMailer
- https://github.com/juhi-gupta/PHPMailer-master
- https://github.com/kN6jq/hack-requests
- https://github.com/kubota/exploit_PHPMail
- https://github.com/kylingit/vul_wordpress
- https://github.com/laddoms/faces
- https://github.com/lanlehoang67/sender
- https://github.com/lcscastro/RecursoFunctionEmail
- https://github.com/leftarmm/speexx
- https://github.com/leocifrao/site-restaurante
- https://github.com/liusec/WP-CVE-2016-10033
- https://github.com/lnick2023/nicenice
- https://github.com/luxiaojue/phpmail
- https://github.com/madbananaman/L-Mailer
- https://github.com/marco-comi-sonarsource/PHPMailer
- https://github.com/mayankbansal100/PHPMailer
- https://github.com/mintoua/Fantaziya_WEBSite
- https://github.com/mkrdeptcreative/PHPMailer
- https://github.com/mohamed-aymen-ellafi/web
- https://github.com/morkamimi/poop
- https://github.com/nFnK/PHPMailer
- https://github.com/natsootail/alumni
- https://github.com/nh0k016/Haki-Store
- https://github.com/nyamleeze/commit_testing
- https://github.com/opsxcq/exploit-CVE-2016-10033
- https://github.com/paralelo14/CVE_2016-10033
- https://github.com/password520/RedTeamer
- https://github.com/paulogmota/phpmailer-5.2.20-RCE
- https://github.com/pctechsupport123/php
- https://github.com/pedro823/cve-2016-10033-45
- https://github.com/pitecozz/RCE-VUL
- https://github.com/pnagasaikiran/private-notes
- https://github.com/prakashshubham13/portfolio
- https://github.com/prathamrathore/portfolio.php
- https://github.com/prostogorod/PHPMailer
- https://github.com/qazbnm456/awesome-cve-poc
- https://github.com/rasisbade/allphp
- https://github.com/rebujacker/CVEPoCs
- https://github.com/rohandavid/fitdanish
- https://github.com/rrathi0705/email
- https://github.com/rudresh98/e_commerce_IFood
- https://github.com/sakshibohra05/project
- https://github.com/sankar-rgb/PHPMailer
- https://github.com/sarriscal/phpmailer
- https://github.com/sarvottam1766/Project
- https://github.com/sashasimulik/integration-1
- https://github.com/sccontroltotal/phpmailer
- https://github.com/sliani/PHPMailer-File-Attachments-FTP-to-Mail
- https://github.com/superfish9/pt
- https://github.com/supreethsk/rental
- https://github.com/sweta-web/Online-Registration-System
- https://github.com/trganda/dockerv
- https://github.com/tvirus-01/PHP_mail
- https://github.com/vaartjesd/test
- https://github.com/vatann07/BloodConnect
- https://github.com/vedavith/mailer
- https://github.com/vivekaom/pentest_example
- https://github.com/waqeen/cyber_security21
- https://github.com/weeka10/-hktalent-TOP
- https://github.com/wesandradealves/sitio_email_api_demo
- https://github.com/whale-baby/Vulnerability
- https://github.com/windypermadi/PHP-Mailer
- https://github.com/xbl3/awesome-cve-poc_qazbnm456
- https://github.com/yaya4095/PHPMailer
- https://github.com/zakiaafrin/PHPMailer
- https://github.com/zeeshanbhattined/exploit-CVE-2016-10033
- https://github.com/zhangqiyi55/phpemail