phpMyAdmin Preg_Replace Exploits CVE-2013-3238 #1772
Conversation
Test Environment Setup (Mint)

`git clone git://github.com/phpmyadmin/phpmyadmin.git`

Login should be with MySQL root password (this will need to be changed from blank). Not tried it with other levels of authentication.
```ruby
exploit_result = send_request_raw({
  'uri' => uri('db_structure.php'),
  'method' => 'POST',
  'data' => evil,
```
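Review bot: the hand-built `'data' => evil` body on the last line of this snippet leaves URL-encoding of every parameter name and value to the caller and sets no form content type in the request options; `send_request_cgi` with `'vars_post'` does both for you and lets the framework's HTTP evasion options apply, so prefer it over `send_request_raw` here.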
If you use 'vars_post' here instead of raw data, users will have more available evasion options.
```ruby
data = ""
evil.shuffle!
0.upto(evil.count-1) do |i|
```
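Review bot: `evil.shuffle!` mutates the caller's array in place, so if `evil` is built once and reused, the parameter order changes between requests without that being visible at the call site; `evil.shuffle.join("&")` produces the randomised body without touching the original and also replaces the `data = ""` accumulator and the `0.upto(evil.count-1)` index loop.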
Why not simply:

```ruby
data = evil.join("&")
```
* Add an error_handler function that just returns true. This prevents eventual ENOMEM errors and segfaults like these:

  ```
  [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
  [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
  ```

* clean up some whitespace

* Gets rid of conversion errors like this: `[-] Exploit failed: can't convert Fixnum into String`
* also removes comments from php meterp.

Works for me with the phpmyadmin_preg_replace bug, so seems legit.
```ruby
register_options(
  [
    OptString.new('URI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
```
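Review bot: the `'/phpmyadmin/'` default and the "Base phpMyAdmin directory path" description rely on the user keeping the trailing slash when setting `URI`; registering `TARGETURI` instead and building request paths with `normalize_uri(target_uri.path, 'db_structure.php')` handles missing or doubled slashes for you.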
Could you please use TARGETURI instead? Here's an example:
https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient
Out of interest, why doesn't https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/http/client.rb define TARGETURI?

This feature was added a while ago, but if I remember correctly, I wanted to add TARGETURI in option_container.rb where you can do valid?() and normalize(). But I was told don't even bother to do that because the framework cannot just add an option whenever we feel like it, the Pro version will have to add some code to support that too. So to get around the hassle, we ended up implementing "target_uri" that retrieves datastore option "TARGETURI", and does the parsing from there.
Changes Unknown when pulling ccb630e on Meatballs1:phpmyadmin_preg_replace into * on rapid7:master*.
See: http://www.waraxe.us/advisory-103.html
Tested on nix/apache/php v5.4.6 with most vulnerable versions.
Aside:
I have also added a method to http/response.rb to help parse out Cookies from Set-Cookie.
Some modules appear to do `cookie = response['Set-Cookie']`, which works if you only receive 1 cookie as it is delimited correctly by `;`. If the cookie is set with HttpOnly or Expires etc. these get pushed into the Cookie: field also.
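The Set-Cookie parsing described above, as an added Ruby example that is not the pull request's own `http/response.rb` change; it assumes the headers arrive either as an Array (one Set-Cookie value per element) or as one String in which several values were joined with ", ", and it keeps the comma inside an Expires date intact:

```ruby
# Added example, not the pull request's own http/response.rb change: build the
# value of a Cookie: request header from one or more Set-Cookie response
# headers, keeping only name=value and dropping attributes such as Path,
# Expires and HttpOnly. Input is assumed to be an Array (one Set-Cookie value
# per element) or a single String in which several values were joined by ", ".

# Attribute names that must never be echoed back to the server as cookies.
COOKIE_ATTRIBUTES = %w[expires max-age domain path secure httponly samesite].freeze

# Split a comma-joined header string into individual Set-Cookie values. A comma
# separates cookies only when it is followed by something that looks like a new
# "name=" pair, so the comma inside an Expires date ("Fri, 26 Apr 2013") stays.
def split_set_cookie(raw)
  raw.split(/,\s*(?=[^\s=;,]+=)/)
end

# Return [name, value] for one Set-Cookie value, or nil when its first segment
# is empty or is itself an attribute rather than a cookie.
def cookie_pair(set_cookie)
  first = set_cookie.split(';').first.to_s.strip
  name, value = first.split('=', 2)
  return nil if name.nil? || name.empty? || value.nil?
  return nil if COOKIE_ATTRIBUTES.include?(name.downcase)
  [name.strip, value.strip]
end

# Assemble the Cookie: header value. A later cookie with the same name replaces
# an earlier one, as a browser's cookie jar would do.
def cookie_header(set_cookie_headers)
  jar = {}
  Array(set_cookie_headers).flat_map { |h| split_set_cookie(h) }.each do |v|
    name, value = cookie_pair(v)
    jar[name] = value if name
  end
  jar.map { |k, v| "#{k}=#{v}" }.join('; ')
end

if __FILE__ == $0
  # Constructed sample header, not captured from a real phpMyAdmin server.
  raw = "phpMyAdmin=abc123; path=/; HttpOnly, " \
        "pmaUser-1=dXNlcg%3D%3D; expires=Fri, 26 Apr 2013 15:01:00 GMT; path=/"
  puts cookie_header(raw)  # phpMyAdmin=abc123; pmaUser-1=dXNlcg%3D%3D
end
```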