( ~~~ )
  ))^ ^((
 ((* - *))
   _) (_
 / '--' \     ^
//(_  _)\\   /_\
\\ )__( //   .'
 (( v  ))   (
   \| /\     '-.
    K(  \       )
    |\\  '-._.-'
    ||\\
  *_-P/,P
     '-
Want your PHP application manually audited? Check out Xxor AB's PHP Security Auditing Service

Friday, July 8, 2011

phpMyAdmin 3.x preg_replace RCE POC

I'm flooded with requests for a POC and many doubt that these vulnerabilities are exploitable. And since this vulnerability is rather technically interesting I believe many could learn from it.

The POC uses the session manipulation vulnerability in combination with the remote code execution in preg_replace as detailed in my last blogpost. It will only confirm if the instance is exploitable or not and you need to have valid credentials to the database. Use responsibly.

Download here


Edit:As 0x6a616d6573 reminded me of, blogger removes "%00" if not carefully encoded. The code posted where messed up due to this. (The downloadable file where still fine)
Now it's fixed. I also added the "//" as suggested.
Upplagd av Mango kl. 4:32 PM
Etiketter: , ,

18 comments:

  1. AnonymousJuly 8, 2011 at 5:49 PM

    It doesn't Work It show me
    [i] Running...
    [*] Contacting server to authenticate.
    [i] Cookie:pma_mcrypt_iv=6usxi8fDjxY%3D; phpMyAdmin=83f941377c2ad368cb065ae3511c114b6ce908d7; pmaUser-1=K6%2BMQV0L8oo%3D; pmaPass-1=C7ohzD7vwAc%3D
    [i] Token:e498413730bbb8c51ce127b807160bf8
    [*] Contacting server to poison some _SESSION variables.
    [*] Contacting server to execute command.
    [!] Authentication error. Wrong password maby.
    [*] Exiting...

    I use PMA V 3.4.3 PHP 5.3.5 On OSX

    ReplyDelete
  2. MangoJuly 8, 2011 at 5:58 PM

    @Anonymous

    I'll debug tomorrow. It would be helpfull if you edited the code and changed $debug to true and emailed me the output to h@xxor.se

    ReplyDelete
  3. 0x6a616d6573July 8, 2011 at 7:11 PM

    @Mango: I appreciate the PoC, and I did learn something. I learned I should have spent more time trying to exploit this bug. lol :] Nice work!

    Also, to get the PoC working reliably, I simply added a uri encoded null byte at the end of the regex string, and a comment delimiter at the end of the injected PHP code (The null is not needed there BTW):

    '&_SESSION[src_uncommon_tables][0]=||/e'.

    Becomes

    '&_SESSION[src_uncommon_tables][0]=||/e'.

    And

    '\`.eval($_POST["comm"]);'."\x00" :

    Becomes

    '\`.eval($_POST["comm"]);//'."\x00" :

    ReplyDelete
  4. 0x6a616d6573July 8, 2011 at 7:12 PM

    Apparently blogger eats url encoded nulls for breakfast, but I think you know what I mean from the description.

    ReplyDelete
  5. AnonymousJuly 8, 2011 at 9:15 PM

    Just tested with version 3.3.9.2 (Unsuccessful) and Tried 0x6a616d6573's ['\`.eval($_POST["comm"]);//'."\x00" :]

    Result of execution:
    [i] Running...
    [*] Contacting server to authenticate.
    [!] Fail. request returned 401. The host is not vulnerable or there is a problem with the supplied url.
    [*] Exiting...
    -------------

    Being that -u is set to https

    ReplyDelete
  6. 0x6a616d6573July 8, 2011 at 11:34 PM

    @Anon: Try echo'ing out the $result variable to see if that can give you some insight into how the 401 error is happening. Also, the null at the end of the php code isn't necessary. I don't know if that's the problem, but give it a go, and let us know how it works?

    @Mango: Have you looked into the possibility of authentication bypass since $_SESSION variables can apparently be overwritten? I realize the authentication within phpMyAdmin happens on two different layers, (Application, and SQL) but bypassing phpMyAdmin application specific authentication should suffice for a preauth remote code execution condition. What do you think?

    ReplyDelete
  7. MangoJuly 9, 2011 at 12:17 AM

    @0x6a616d6573
    As I remember, the authentication can be bypassed without modifying the session. But I came to the conclusion that the code inevitably comes to some place where it needs a valid connection to the database before it hits any funny pieces of code.

    But please, if you can find something, tell me. =D

    ReplyDelete
  8. AnonymousJuly 9, 2011 at 1:08 AM

    Last Anon.

    Debug = 1

    http://www.pastie.org/private/66hsny5mrc8xw27dgsuitw

    ReplyDelete
  9. MangoJuly 9, 2011 at 2:09 AM

    @Anonymous

    Your server uses basic authentication. Use an url like this:
    https://user:pass@db.xxxxxxxxxx.com:443/phpmyadmin

    I don't know if these credentials are the same as your db credentials.

    ReplyDelete
  10. AnonymousJuly 9, 2011 at 6:32 PM

    Can u show me LFI Bug PoC

    ReplyDelete
  11. micheeJuly 10, 2011 at 4:33 PM

    great work man!
    it took me a while to fully understand all this, but now it's clear!:)
    Congrats for the hard work!

    ReplyDelete
  12. AnonymousMay 21, 2014 at 6:11 PM

    Download link does not work anymore :-(

    ReplyDelete
  13. marinir seoApril 5, 2015 at 2:12 PM

    https://www.facebook.com/bantalsilikongrosir
    http://bantalsilikon01.blogspot.com/2014/12/a.html
    http://jualsangkarpleci.blogspot.com/2014/12/a.html
    http://kopiluwakliar01.blogspot.com/2014/12/a.html
    http://vvty.in/uncategorized/marinir-seo/

    http://marinirseo.blogspot.com/2014/12/a.html
    http://marinir-seo.blogspot.com/2014/12/a.html
    http://bumbu-pecel-malang.blogspot.com/2014/12/a.html
    http://distro-seo.blogspot.com/2014/12/a.html
    http://restoran-seo.blogspot.com/2014/12/a.html
    http://bantalmalangmurah.blogspot.com/2014/12/a.html
    http://distrobantal.blogspot.com/2014/12/a.html
    http://kesethandukmalang.blogspot.com/2014/12/a.html


    http://tasya.marinirseo.web.id/?p=4http://jeannet.marinirseo.web.id/?p=4http://anne.marinirseo.web.id/?p=4http://jelita.marinirseo.web.id/?p=4http://ruth.marinirseo.web.id/?p=4http://caca.marinirseo.web.id/?p=4http://brenda.marinirseo.web.id/?p=1 || http://tasya1.marinirseo.web.id/?p=4http://jeannet1.marinirseo.web.id/?p=4http://anne1.marinirseo.web.id/?p=4http://jelita1.marinirseo.web.id/?p=4http://ruth1.marinirseo.web.id/?p=4http://caca1.marinirseo.web.id/?p=5http://brenda1.marinirseo.web.id/?p=4 || http://tasya2.marinirseo.web.id/?p=5http://jeannet2.marinirseo.web.id/?p=4http://anne2.marinirseo.web.id/?p=4http://jelita2.marinirseo.web.id/?p=4http://ruth2.marinirseo.web.id/?p=4http://caca2.marinirseo.web.id/?p=4http://brenda2.marinirseo.web.id/?p=4http://brenda3.marinirseo.web.id/?p=4http://tasya3.marinirseo.web.id/dua/http://jeannet3.marinirseo.web.id/?p=4http://anne3.marinirseo.web.id/?p=4http://jelita3.marinirseo.web.id/?p=4http://ruth3.marinirseo.web.id/?p=4http://caca3.marinirseo.web.id/?p=4 || nhttp://brenda4.marinirseo.web.id/?p=4http://tasya4.marinirseo.web.id/?p=4http://jeannet4.marinirseo.web.id/?p=4http://anne4.marinirseo.web.id/?p=4http://jelita4.marinirseo.web.id/?p=5http://ruth4.marinirseo.web.id/?p=4http://caca4.marinirseo.web.id/?p=4 || http://tasya5.marinirseo.web.id/?p=4http://anne5.marinirseo.web.id/?p=4http://jelita5.marinirseo.web.id/?p=4http://ruth5.marinirseo.web.id/?p=4http://caca5.marinirseo.web.id/?p=4http://synganne.marinirseo.web.id/?p=4
    http://tasya.marinirseo.web.id/?p=4http://jeannet.marinirseo.web.id/?p=4http://anne.marinirseo.web.id/?p=4http://jelita.marinirseo.web.id/?p=4http://ruth.marinirseo.web.id/?p=4http://caca.marinirseo.web.id/?p=4http://brenda.marinirseo.web.id/?p=1 || http://tasya1.marinirseo.web.id/?p=4http://jeannet1.marinirseo.web.id/?p=4http://anne1.marinirseo.web.id/?p=4http://jelita1.marinirseo.web.id/?p=4http://ruth1.marinirseo.web.id/?p=4http://caca1.marinirseo.web.id/?p=5http://brenda1.marinirseo.web.id/?p=4 || http://tasya2.marinirseo.web.id/?p=5http://jeannet2.marinirseo.web.id/?p=4http://anne2.marinirseo.web.id/?p=4http://jelita2.marinirseo.web.id/?p=4http://ruth2.marinirseo.web.id/?p=4http://caca2.marinirseo.web.id/?p=4http://brenda2.marinirseo.web.id/?p=4http://brenda3.marinirseo.web.id/?p=4http://tasya3.marinirseo.web.id/dua/http://jeannet3.marinirseo.web.id/?p=4http://anne3.marinirseo.web.id/?p=4http://jelita3.marinirseo.web.id/?p=4http://ruth3.marinirseo.web.id/?p=4http://caca3.marinirseo.web.id/?p=4 || nhttp://brenda4.marinirseo.web.id/?p=4http://tasya4.marinirseo.web.id/?p=4http://jeannet4.marinirseo.web.id/?p=4http://anne4.marinirseo.web.id/?p=4http://jelita4.marinirseo.web.id/?p=5http://ruth4.marinirseo.web.id/?p=4http://caca4.marinirseo.web.id/?p=4 || http://tasya5.marinirseo.web.id/?p=4http://anne5.marinirseo.web.id/?p=4http://jelita5.marinirseo.web.id/?p=4http://ruth5.marinirseo.web.id/?p=4http://caca5.marinirseo.web.id/?p=4http://synganne.marinirseo.web.id/?p=4

    ReplyDelete
  14. AnonymousJune 14, 2016 at 3:42 AM

    I enjoy, result in I found exactly what I used to be looking for. You’ve ended my 4 day long hunt! God Bless you man. Have a nice day. Bye
    Regards too from Young Entrepreneur
    Tangki Fiberglass
    Jual Septic Tank

    ReplyDelete
  15. Supplier Biotech Septic TankFebruary 11, 2017 at 10:22 AM

    why It doesn't Work? can help me

    ReplyDelete
  16. ihtishamali haiderMay 31, 2018 at 12:45 PM

    free hamachi alternative http://www.techfreetricks.com/top-5-hamachi-alternatives-virtual-lan-gaming/ Hamachi has been around for a long time now and is the most favored decision of numerous gamers over the globe. That being stated, Hamachi comes with its own particular downsides. free hamachi alternative

    ReplyDelete
  17. Allan BeccariaOctober 22, 2018 at 12:47 AM

    I will always support your website, hopefully more advanced. keep the spirit… thanks

    ReplyDelete

Subscribe to: Post Comments (Atom)