phpMyAdmin (AllowArbitraryServer) Arbitrary File Read Vulnerability


Many posts have pointed out that a malicious MySQL server can use the LOAD DATA LOCAL command to read arbitrary files from MySQL clients. According to this post (Chinese), arbitrary files on the phpMyAdmin server can be read if $cfg['AllowArbitraryServer'] is enabled.

phpMyAdmin 4.8.4 with AllowArbitraryServer online environment: https://github.com/vulnspy/phpmyadmin-4.8.4-allowarbitraryserver

VULNERABILITY DETAILS

Arbitrary file reading caused by LOAD DATA LOCAL is a long-standing problem. According to previous research, it exists in the following situations:

  • MySQL Client
  • PHP + mysql/mysqli
  • PHP + PDO (MYSQL_ATTR_LOCAL_INFILE)
  • Python + MySQLdb
  • Python3 + mysqlclient
  • Java + JDBC Driver
  • ...

phpMyAdmin uses PHP + mysqli, so this vulnerability can be used to read arbitrary files on the phpMyAdmin server if $cfg['AllowArbitraryServer'] is enabled: the attacker points phpMyAdmin at a MySQL server they control, and that server answers an ordinary query with a LOAD DATA LOCAL file request that the mysqli client honours.
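To make the mechanism concrete from the client's side, here is an added example (not code from the page, the VulnSpy environment or the rogue server) that parses a MySQL server packet, recognises the 0xFB LOCAL INFILE request, and applies the guard a safe client should apply: only release a file when the client itself issued LOAD DATA LOCAL INFILE for exactly that path. The packet bytes and the path /var/www/secret.txt are constructed samples.

```python
import re

# Constructed sample data; not a capture from the VulnSpy environment.
# MySQL packet: 3-byte little-endian payload length, 1-byte sequence id, payload.
# A server asking the client for a local file sends payload 0xFB + filename.
LOCAL_INFILE_MARKER = 0xFB
_LOAD_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)

def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as a MySQL packet (used here only to build samples)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def parse_packet(raw: bytes):
    """Split one MySQL packet into (sequence_id, payload); reject truncated input."""
    if len(raw) < 4:
        raise ValueError("packet too short")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return raw[3], payload

def local_infile_request(payload: bytes):
    """Return the filename the server wants uploaded, or None if not a 0xFB request."""
    if payload and payload[0] == LOCAL_INFILE_MARKER:
        return payload[1:].decode("utf-8", errors="replace")
    return None

def should_send_file(last_statement: str, payload: bytes):
    """Client-side guard returning (allowed, filename).

    Release a file only if the client itself issued LOAD DATA LOCAL INFILE and
    the server asks for exactly the path named there. A 0xFB reply to any other
    statement, or for a different path, is the rogue-server pattern: refuse and log.
    """
    requested = local_infile_request(payload)
    if requested is None:
        return False, None
    m = _LOAD_LOCAL.match(last_statement)
    if m is None or m.group(1) != requested:
        return False, requested
    return True, requested

# Constructed exchange: phpMyAdmin sends an ordinary query and a rogue server
# answers with a LOCAL INFILE request instead of a result set.
ROGUE_REPLY = build_packet(1, bytes([LOCAL_INFILE_MARKER]) + b"/var/www/secret.txt")
```

Real deployments get the same effect without custom code by disabling local infile in the client (php.ini mysqli.allow_local_infile = 0, or MYSQLI_OPT_LOCAL_INFILE set to 0 before connecting) and by leaving $cfg['AllowArbitraryServer'] at its default of false.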

EXPLOIT

EXP: https://github.com/Gifts/Rogue-MySql-Server/blob/master/rogue_mysql_server.py

Let's use VulnSpy's online phpMyAdmin environment to demonstrate:

1. Click the START TO HACK button in the upper right corner to create the online environments.

After successful creation, two virtual environments will be automatically generated:

  • web: phpmyadmin service, our target
  • db: mysql service, hacker's server

2. Log in to the terminal of the hacker's server (db):

1). Click the terminal icon in the control bar and select db.

2). Click Connect to log in.

3). Execute cd /root/exp/.

4). Edit rogue_mysql_server.py and change PORT = 3306 to PORT = 3307.

The filelist variable holds the files to read.

5). Execute python rogue_mysql_server.py to run the exploit service.

6). Open phpMyAdmin, enter db:3307, vulnspy, vulnspy, and submit the form.

7). Go back to the terminal and open the file mysql.log.

All rights reserved. © 2019 VULNSPY