Want your PHP application manually audited? Check out Xxor AB's PHP Security Auditing Service
Showing posts with label phpMyAdmin. Show all posts

Saturday, July 9, 2011

phpMyAdmin 3.x Swekey RCI Exploit

Someone else submitted a working Python exploit to exploit-db. It's already out there, so I might as well publish my original exploit written in PHP.
2011-07-20 - Fixed some bugs in the exploit.

Download here

Friday, July 8, 2011

phpMyAdmin 3.x preg_replace RCE POC

I'm flooded with requests for a POC, and many doubt that these vulnerabilities are exploitable. Since this vulnerability is rather technically interesting, I believe many could learn from it.

The POC uses the session manipulation vulnerability in combination with the remote code execution in preg_replace, as detailed in my last blog post. It will only confirm whether the instance is exploitable or not, and you need to have valid credentials for the database. Use responsibly.

Download here


Edit: As 0x6a616d6573 reminded me, Blogger removes "%00" if it is not carefully encoded. The code posted was messed up because of this. (The downloadable file was still fine.)
Now it's fixed. I also added the "//" as suggested.

Thursday, July 7, 2011

phpMyAdmin 3.x Multiple Remote Code Executions

This post details a few interesting vulnerabilities I found while relaxing and reading the source code of phpMyAdmin. My original advisory can be found here.