phpMyAdmin Preg_Replace Exploits CVE-2013-3238 #1772
Conversation
|
|
Test Environment Setup (Mint) git clone git://github.com/phpmyadmin/phpmyadmin.git Login should be with MySQL root password (this will need to be changed from blank). Not tried it with other levels of authentication. |
| exploit_result = send_request_raw({ | ||
| 'uri' => uri('db_structure.php'), | ||
| 'method' => 'POST', | ||
| 'data' => evil, |
There was a problem hiding this comment.
If you use 'vars_post' here instead of raw data, users will have more available evasion options.
|
|
||
| data = "" | ||
| evil.shuffle! | ||
| 0.upto(evil.count-1) do |i| |
There was a problem hiding this comment.
Why not simply:
data = evil.join("&")
* Add an error_handler function that just returns true. This prevents eventual
ENOMEM errors and segfaults like these:
[Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
[Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
* clean up some whitespace
* Gets rid of conversion errors like this:
[-] Exploit failed: can't convert Fixnum into String
* also removes comments from php meterp. Works for me with the
phpmyadmin_preg_replace bug, so seems legit.
|
|
||
| register_options( | ||
| [ | ||
| OptString.new('URI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']), |
There was a problem hiding this comment.
Could you please use TARGETURI instead? Here's an example:
https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient
|
Out of interest why doesn't https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/http/client.rb define TARGETURI ? |
|
This feature was added awhile ago, but if I remember correctly, I wanted to add TARGETURI in option_container.rb where you can do valid?() and normalize(). But I was told don't even bother to do that because the framework cannot just add an option whenever we feel like it, the Pro version will have to add some code to support that too. So to get around the hassle, we ended up implementing "target_uri" that retrieves datastore option "TARGETURI", and do the parsing from there. |
|
|
Changes Unknown when pulling ccb630e on Meatballs1:phpmyadmin_preg_replace into * on rapid7:master*. |
See: http://www.waraxe.us/advisory-103.html
Tested on nix/apache/php v5.4.6 with most vulnerable versions.
Aside:
I have also added a method to http/response.rb to help parse out Cookies from Set-Cookie.
Some modules appear to cookie = response['Set-Cookie'] which works if you only receive 1 cookie as it is delimited correctly by ;. If The cookie is set with HttpOnly or Expires etc these get pushed into the Cookie: field also.