Lucene search
RootSSV:60769HistoryApr 28, 2013 - 12:00 a.m.
phpMyAdmin preg_replace()远程PHP代码执行
2013-04-2800:00:00
Root
www.seebug.org
45
EPSS
0.973
Percentile
99.9%
BUGTRAQ ID: 59460
CVE(CAN) ID: CVE-2013-3238
phpmyadmin是MySQL数据库的在线管理工具,主要功能包括在线创建数据表、运行SQL语句、搜索查询数据以及导入导出数据等。
phpMyAdmin 3.5.8、4.0.0-rc2及其他版本的preg_replace()函数可被利用在服务器端执行任意PHP代码,攻击者用特制参数作为常规表达式,在此表达式内包含空字节,当phpMyAdmin使用"Replace table prefix"功能时,会错误地过滤传递到preg_replace()的特制参数。导致在Web服务器上下文中执行任意PHP代码。
0
phpMyAdmin < 3.5.8.1
Tests:
1. Log in to PMA and select database:
http://localhost/PMA/index.php?db=test&token=25a6ce9e288070bd28c3f9aebffad1b8
2. select one table from database by using checkbox and then select
"Replace table prefix" from select control "With selected:".
3. We can see form named "Replace table prefix:" with two input fields.
Type "/e%00" to the "From" field and "phpinfo()" to the "To" field.
4. Activate Tamper Data Firefox add-on:
https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
5. Click "Submit", Tamper Data pops up, choose "Tamper".
6. Now we can modify POST request. Look for parameter "from_prefix".
It should be "%2Fe%2500", remove "25", so that it becomes "%2Fe%00".
Click "OK" and Firefox will send out manipulated POST request.
7. We are greeted by phpinfo function output - code execution is confirmed.
Related
checkpoint_advisories
checkpoint_advisories
PhpMyAdmin preg_replace Function Code Injection - Ver2 (CVE-2013-3238)
2015-05-18 00:00:00
PhpMyAdmin preg_replace Function Code Injection (CVE-2013-3238)
2013-05-22 00:00:00
ubuntucve
ubuntucve
CVE-2013-3238
2013-04-26 00:00:00
saint
saint
phpMyAdmin preg_replace from_prefix sanitization vulnerability
2013-05-20 00:00:00
phpMyAdmin preg_replace from_prefix sanitization vulnerability
2013-05-20 00:00:00
phpMyAdmin preg_replace from_prefix sanitization vulnerability
2013-05-20 00:00:00
prion
prion
Design/Logic Flaw
2013-04-26 03:34:00
packetstorm
packetstorm
phpMyAdmin Authenticated Remote Code Execution
2013-04-29 00:00:00
phpMyAdmin 3.5.8 / 4.0.0-RC2 Code Execution / LFI / Overwrite
2013-04-25 00:00:00
nvd
nvd
CVE-2013-3238
2013-04-26 03:34:23
metasploit
metasploit
phpMyAdmin Authenticated Remote Code Execution via preg_replace()
2013-04-26 14:42:26
zdt
zdt
phpMyAdmin Authenticated Remote Code Execution Vulnerability
2013-04-30 00:00:00
phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities
2013-04-26 00:00:00
exploitdb
exploitdb
phpMyAdmin - 'preg_replace' (Authenticated) Remote Code Execution (Metasploit)
2013-05-01 00:00:00
phpMyAdmin 3.5.8/4.0.0-RC2 - Multiple Vulnerabilities
2013-04-25 00:00:00
phpmyadmin
phpmyadmin
Remote code execution via preg_replace().
2013-04-24 00:00:00
debiancve
debiancve
CVE-2013-3238
2013-04-26 03:34:23
cvelist
cvelist
CVE-2013-3238
2013-04-26 01:00:00
cve
cve
CVE-2013-3238
2013-04-26 03:34:23
openvas
openvas
phpMyAdmin Multiple Security Vulnerabilities (Apr 2013) - Windows
2017-08-16 00:00:00
Fedora Update for phpMyAdmin FEDORA-2013-6977
2013-05-13 00:00:00
Fedora Update for phpMyAdmin FEDORA-2013-7000
2013-05-13 00:00:00
freebsd
freebsd
phpMyAdmin -- Multiple security vulnerabilities
2013-04-24 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2013:160)
2013-05-04 00:00:00
Fedora 18 : phpMyAdmin-3.5.8.1-1.fc18 (2013-6977)
2013-05-10 00:00:00
Fedora 17 : phpMyAdmin-3.5.8.1-1.fc17 (2013-7000)
2013-05-10 00:00:00
securityvulns
securityvulns
[ MDVSA-2013:160 ] phpmyadmin
2013-05-06 00:00:00
[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
2013-05-06 00:00:00
fedora
fedora
[SECURITY] Fedora 17 Update: phpMyAdmin-3.5.8.1-1.fc17
2013-05-09 09:58:00
[SECURITY] Fedora 18 Update: phpMyAdmin-3.5.8.1-1.fc18
2013-05-09 10:10:52
[SECURITY] Fedora 19 Update: phpMyAdmin-3.5.8.1-1.fc19
2013-05-09 18:59:18
exploitpack
exploitpack
phpMyAdmin 3.5.84.0.0-RC2 - Multiple Vulnerabilities
2013-04-25 00:00:00
seebug
seebug
phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities
2014-07-01 00:00:00
gentoo
gentoo
phpMyAdmin: Multiple vulnerabilities
2013-11-04 00:00:00