================================================================================================
Vulnerable Software: MySQLDumper Version 1.24.4
Downloaded from: http://sourceforge.net/projects/mysqldumper/files/
(MD5 SUM: b62357a0d5bbb43779d16427c30966a1 *MySQLDumper1.24.4.zip)
================================================================================================
About Software:

What is MySQLDumper?
MySQLDumper is a PHP and Perl based tool for backing up MySQL databases. You can easily dump your data into a backup file and, if needed, restore it. It is especially suited for shared hosting webspaces where you don't have shell access. MySQLDumper is an open source project released under the GNU license.
================================================================================================
Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache:
PHP Version:
MYSQL: 5.5.23
================================================================================================
Vuln Desc:
MySQLDumper Version 1.24.4 is prone to LFI, XSS, CSRF, PHP code execution, directory traversal and information disclosure vulnerabilities.

Local File Inclusion

/* Vulnerable code section
//install.php
if (!@ob_start("ob_gzhandler")) @ob_start();
$install_ftp_server=$install_ftp_user_name=$install_ftp_user_pass=$install_ftp_path="";
$dbhost=$dbuser=$dbpass=$dbport=$dbsocket=$manual_db='';
// every request parameter becomes a global variable (register_globals emulation)
foreach ($_GET as $getvar=>$getval) { ${$getvar}=$getval; }
foreach ($_POST as $postvar=>$postval) { ${$postvar}=$postval; }
include_once ( './inc/functions.php' );
include_once ( './inc/mysql.php' );
include_once ( './inc/runtime.php' );
// $language therefore comes straight from the request and is spliced into include paths
if (!isset($language)) $language="en";
$config['language']=$language;
include ( './language/lang_list.php' );
include ( 'language/' . $language . '/lang_install.php' );
include ( 'language/' . $language . '/lang_main.php' );
include ( 'language/' . $language . '/lang_config_overview.php' );
*/

XSS on inputs via $_POST;

/* Vulnerable code section
//index.php
MySQLDumper
*After this the application becomes fully unprotected from the world.*

CSRF Drop database:

Hotlink Protection is Active! Please click refresh button.

kill0 is always information_schema (obviously you can't drop it). Try to increment that index, e.g. kill1 etc.

CSRF Uninstall Application via $_GET or (this will delete the existing config.php file)

CSRF change password:
username: pwnyou
password: pwnyou

CSRF: Execute SQL commands via $_GET, e.g. (create a Denial of Service condition)

After gaining access to the application (e.g. after successfully exploiting the CSRF via the delete-protection technique) a remote attacker can use these techniques to upload his/her backdoor. As a result this will completely compromise the site.

*Upload backdoor:*
Rename your backdoor on your PC to me.php.gz
Then switch to:
Upload it:
Then switch to:
On the input box called File: enter the relative/absolute path to your uploaded me.php.gz (default ./work/backup/me.php.gz)
Click the RELOAD button.
On the input box called File: change the file extension to: ./work/backup/me.php
Click the save button and voilà, you have your own backdoor there.
You can find it:

The same technique can be used without uploading any file. To do so:
Switch to
Enter a non-existent file name in the input called File:, e.g. mybackdoor.php
Click the reload button. It will ask *Create it?*
Click the *Create* button.
Copy and paste your backdoor content into the textarea and click the Save button.

The same technique can be used to add a CUSTOM .htaccess handler (to execute the backdoor e.g. as a *.gif file).

*NOTE* The second technique can be used by an attacker to overwrite existing files / read arbitrary files on the site/server.

There is also a chance to execute our code using the eval PHP language *construct*. We have PHP code execution here:

Vulnerable code section:
/*
//menu.php
if (isset($_POST['selected_config'])||isset($_GET['config'])) {
    if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config']; // Configuration was switched in content frame?
    if (isset($_GET['config'])) $new_config=$_GET['config']; // restore the last active menuitem
    if (is_readable($config['paths']['config'].$new_config.'.php')) {
        clearstatcache();
        unset($databases);
        $databases=array();
        if (read_config($new_config)) {
            $config['config_file']=$new_config;
            $_SESSION['config_file']=$new_config; //$config['config_file'];
            $config_refresh=' ';
        }
        if (isset($_GET['config'])) $config_refresh=''; // prevent a re-invocation when the value comes from the content area
    }
}
*/

As you can see we can traverse it, and if we look at the read_config() function:

//inc/functions_global.php
function read_config($file=false)
{
    global $config,$databases;
    $ret=false;
    if (!$file) $file=$config['config_file'];
    // protect from including external files
    $search=array(':', 'http', 'ftp', ' ');
    $replace=array('', '', '', '');
    $file=str_replace($search,$replace,$file);
    if (is_readable($config['paths']['config'].$file.'.php')) {
        // to prevent modern server from caching the new configuration we need to evaluate it this way
        clearstatcache();
        $f=implode('',file($config['paths']['config'].$file.'.php'));
        $f=str_replace('','',$f); // the string arguments of this call did not survive extraction of the advisory
        eval($f);
        $config['config_file']=$file;
        $_SESSION['config_file']=$config['config_file'];
        $ret=true;
    }
    return $ret;
}

This means a remote attacker can have his/her code interpreted as PHP (notice: eval($f)). The str_replace() blacklist only strips ':', 'http', 'ftp' and spaces; it does nothing about '../' in $file, so the path stays under the attacker's control.

Our exploit:
where ss = ss.php

#cat ss.php
# e.g. the attacker uploaded his/her own file:
echo 'Our command executed ' . getcwd();
phpinfo();

Print screen: http://s007.radikal.ru/i302/1204/c3/fd5aac2a58c5.png

There are also a lot of Cross Site Scripting vulnerabilities (XSS):
Switch to:
Enter: select '' and click Execute SQL Statement.

Traversal:
/*Vulnerable Code Section:
//filemanagement.php
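The install.php include of $language and the read_config() path plus eval() above share one root cause: a request value is spliced into a file path with no allowlist, and in the second case the file found is then executed. The following hardened sketch is an added example, not MySQLDumper's own code; it keeps the $config['paths']['config'] layout from the snippets but assumes a config file that returns an array, so nothing is ever passed to eval().

```php
<?php
// Added hardened sketch, not MySQLDumper's own code. Both snippets above build a
// file path from a request value ($language, $new_config) with no allowlist, and
// read_config() then eval()s what it finds. Assumed: config and language dirs sit
// under the app root as in the original, and (a change) a config file now returns
// an array rather than executable code, so nothing is ever passed to eval().
// Accept only a short identifier: no dots, slashes, NUL bytes or URL schemes.
function safe_name(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name);
}

// Resolve $dir/$name$ext and refuse anything outside $dir. realpath() collapses
// "../" and symlinks, so the prefix check below is meaningful.
function confined_path(string $dir, string $name, string $ext): ?string
{
    if (!safe_name($name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name . $ext);
    if ($base === false || $path === false) {
        return null;
    }
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

// Replacement for read_config(): no eval(), no str_replace() blacklist.
function read_config_safe(array &$config, string $file): bool
{
    $path = confined_path($config['paths']['config'], $file, '.php');
    if ($path === null) {
        return false;            // traversal, odd characters or missing file
    }
    clearstatcache();
    $loaded = include $path;     // the config file is expected to `return [...]`
    if (!is_array($loaded)) {
        return false;
    }
    $config = array_merge($config, $loaded);
    $config['config_file'] = $file;
    return true;
}

// For install.php: read $_GET['language'] explicitly (no ${$getvar} copying into
// globals) and accept it only if a matching language directory exists.
function select_language(string $requested, string $langRoot = './language'): string
{
    return (safe_name($requested) && is_dir($langRoot . '/' . $requested)) ? $requested : 'en';
}
```

In install.php the call would be `$language = select_language($_GET['language'] ?? 'en');` in place of the foreach loops, and menu.php would call read_config_safe($config, $new_config) instead of read_config().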