
Thread: Exploit phpMyAdmin 2.10.1


  1. #1
     Posted by matthttam (Just burned his ISO; joined Feb 2010; 3 posts)

     Exploit phpMyAdmin 2.10.1

    I am posting this question here due to this "Questions about approaches to penetration testing with BackTrack are welcome." from the sticky. I must apologize slightly, as I am still not an expert in this field, but I have learned a lot. Also, I am doing this post from memory, as the IT building is closed for the night and I can't look to see what was open, etc.

    Objective:
    I am a college student majoring in network security. On our lab report is a bonus which is to own a "mystery machine" and read a file that wouldn't normally be accessible remotely.

    Network Setup
    The mystery machine is one router away and is on the same subnet and DHCP client.

    The box:
    After hours of scanning and probing we have found:
    OS: BackTrack 2
    About 8 ports open.
    The vulnerability is PHP based, as he is running BeEF (not set up, v.02 I think) and phpMyAdmin (2.10.1).
    It has Apache running v 1.3.3.7
    PHP v 4.4.4
    TightVNC (could not find exploits for the version he is running, and this has a Java front end on port 641?)

    We have used Metasploit v3.2 and 3.3 for over 20 hours in an attempt to get a shell, but the exploits have not worked.
    Version 3.3 has a bug in it that prevents us from using the PHP cookie exploit involving zval? (do search -t exploit cookie to find it)

    deserialize() is what should be exploitable. I know the config file uses this. Can anyone point me towards an exploit that is sure to work as long as I put in the right stuff? It doesn't have to be Metasploit; bash and Perl work. PHP scripts, however, I am not sure how to do yet, and that may require a brief explanation as to how to launch them.

    I thank you ahead of time for any help. This is due by Monday, and I have tomorrow to work on it before I have to just type up what we have thus far and hope for pity points.

    Thanks Again,
    ~Bil
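    The function the poster means is PHP's unserialize(). The following is an added illustration, written for this thread and not taken from phpMyAdmin or any other project, of why unserialize() on data an attacker controls is a problem in general and how it is neutralized. The ConfigLoader class, the temp-file path and the serialized payload are all constructed for the example; it makes no claim about phpMyAdmin 2.10.1 itself. It assumes PHP 7.3 or newer (for the allowed_classes option and JSON_THROW_ON_ERROR), which is far newer than the PHP 4.4.4 on the target box.

```php
<?php
// Added illustration, not phpMyAdmin code: why unserialize() on data an
// attacker controls is dangerous, and two ways to take that risk away.
// ConfigLoader, the payload and the file path are made up for this example.

class ConfigLoader
{
    public $tmpfile = null;

    // PHP calls __destruct() automatically when the object is freed, so the
    // application never has to invoke a method on the deserialized object
    // for attacker-chosen property values to reach file-system code.
    public function __destruct()
    {
        if ($this->tmpfile !== null && is_file($this->tmpfile)) {
            unlink($this->tmpfile);
        }
    }
}

// Vulnerable pattern: a cookie or form field fed straight to unserialize().
// Any class loaded in the process can be instantiated with any property values.
function load_settings_unsafe(string $blob)
{
    return unserialize($blob);
}

// Hardened pattern 1 (PHP >= 7.0): allow scalars and arrays only. Object
// records become __PHP_Incomplete_Class, whose magic methods never run.
function load_settings_safer(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened pattern 2: keep settings in a format with no object semantics.
function load_settings_json(string $blob): array
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload: an object of a class that happens to be in
// scope, with its property pointed at a file the attacker wants removed.
$payload = 'O:12:"ConfigLoader":1:{s:7:"tmpfile";s:20:"/tmp/victim-settings";}';

file_put_contents('/tmp/victim-settings', "real settings\n");

$obj = load_settings_safer($payload);
printf("safer: got %s, file still present: %s\n",
    get_class($obj), is_file('/tmp/victim-settings') ? 'yes' : 'no');

$obj = load_settings_unsafe($payload);
unset($obj);                      // destructor fires here
printf("unsafe: file still present: %s\n",
    is_file('/tmp/victim-settings') ? 'yes' : 'no');

// The JSON path cannot express an object at all; the same data as JSON:
var_dump(load_settings_json('{"tmpfile":"/tmp/victim-settings"}'));
```

    Run with `php example.php`. The hardened loader returns a __PHP_Incomplete_Class and the file survives; the unsafe loader instantiates ConfigLoader and the destructor deletes the file the moment the object is discarded, without the script ever calling a method on it. The point for a pentester is that the exploitable surface is whichever classes are already loaded when unserialize() runs, so the first thing to read is the code reachable from that call, not the call itself.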

  2. #2
     Posted by Archangel-Amael (Super Moderator; joined Jan 2010; location: Somewhere; 8,012 posts)

     Re: Exploit phpMyAdmin 2.10.1

    Quote Originally Posted by matthttam
    I am a college student majoring in network security. This is due by monday and I have tomorrow to work on it before I have to just type up what we have thus far and hope for pitty poitns.
    ~Bil
    Well, Bil, you waited until the last minute to start looking for help, didn't you?
    Furthermore, did your college not provide you with a means of doing this? I mean, it looks to me that they told you to take some numbers and put them together to make them bigger, but they didn't bother to teach you to add.

    Good luck.

  3. #3
     Posted by matthttam (Just burned his ISO; joined Feb 2010; 3 posts)

     Re: Exploit phpMyAdmin 2.10.1

    I am a junior at my college. I have studied protocol analysis, Linux and Server 2003 operating systems, as well as business administration. Security is an option that you can opt for in junior and senior years, which I am not doing. My security class has consisted of (thus far) securing Linux, not hacking it. We studied SELinux, Bastille, Tripwire and just recently began using nc, Nessus, and nmap.

    I studied how to hack on my own since the beginning of last year, and I have learned a lot, but I have to admit I am not the best by any means. I've learned how to do man-in-the-middle attacks, hacking WEP, simple deauths, but I am not advanced yet.

    I have tried multiple exploits and researched ways to exploit this box and have come up empty. As I am in the lab right now, I can give more detail as to my situation.

    Yes, I waited until the last minute, but not the last minute to try to exploit it. I waited until the last minute to ask for assistance or anyone's general input because I felt I could do this on my own. As it is that I am having doubts about this, I must admit that I am now simply asking for any direction or opinion on what to do.

    I have 3 boxes set up, 2 using Fedora 8 and 1 using XP (however, all 3 can triple boot with XP, W2K, and Fedora 8).
    A simple scan reveals the following ports:

        Interesting ports on 172.25.223.254:
        Not shown: 1706 closed ports
        PORT     STATE SERVICE
        22/tcp   open  ssh
        80/tcp   open  http
        631/tcp  open  ipp
        3306/tcp open  mysql
        5801/tcp open  vnc-http-1
        5901/tcp open  vnc-1
        6000/tcp open  X11
        6001/tcp open  X11:1

    The TightVNC connection only allows 3 attempts and then it locks out your IP address from trying for an extended period of time, so brute forcing this is a no go. I decompiled the Java that was implemented with logging into VNC and studied the code to find anything of use, and I see nothing that can be used for exploitation.

    phpMyAdmin returns an error: #2002 - The server is not responding (or the local MySQL server's socket is not correctly configured)
    I did research on this, but I cannot fix this problem remotely. I cannot save the config file remotely. I can edit and remove tables via http://172.25.223.254/phpmyadmin/scripts/setup.php, but I cannot save the config, so this doesn't help much.

    This box is BT 2 with kernel 2.6.20

    The teacher told us the SSH password was too long and difficult to even try brute-forcing.
    phpMyAdmin is version 2.10.1.
    We have access to http://172.25.223.254/info/phpinfo.php, where there is more information than I know what to do with.
    Apache/1.3.37 (Unix) PHP/4.4.4

    Our objective isn't necessarily to get a root password or anything like that.
    We need to access this file: usr/local/etc/scim/hellodolly

    Again, this is a BONUS question, so it's not the end of the world if we don't get it. My partner and I have spent over 25 hours the past week in an attempt to get something to work, but so far I have come up empty.

    I can understand scripting, but I am not an expert at scripting, especially exploits.

    So, I come to this forum in hopes that someone more skilled than I could give me a little advice.

    Thanks,
    Bil

  4. #4
     Posted by Archangel-Amael (Super Moderator; joined Jan 2010; location: Somewhere; 8,012 posts)

     Re: Exploit phpMyAdmin 2.10.1

    Quote Originally Posted by matthttam
    This box is BT 2 with kernel 2.6.20
    Take a look at some info on Slackware and the kernel for the BT box. It's old, real old, and as such should provide you with plenty of vulnerabilities.
    Check the Exploit DB within the browser on BT4 and the menu/CLI, and/or check online for vulns/exploits against your targeted applications.
    There may or may not be something there.
    Offensive Security Training presents - The Exploit Database

  5. #5
     Posted by matthttam (Just burned his ISO; joined Feb 2010; 3 posts)

     Re: Exploit phpMyAdmin 2.10.1

    Thank you for the advice. I appreciate it.
    ~Bil
