Phpmyadmin 5.0.2 Exploit

Gene Cryder

Aug 5, 2024, 2:31:31 PM
to gasysphyco
The Exploit Database is maintained by OffSec, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by OffSec.

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.


The Google Hacking Database (GHDB) is a categorized index of Internet search engine queries designed to uncover interesting, and usually sensitive, information made publicly available on the Internet. In most cases, this information was never meant to be made public but due to any number of factors this information was linked in a web document that was crawled by a search engine that subsequently followed that link and indexed the sensitive information.


After nearly a decade of hard work by the community, Johnny turned the GHDB over to OffSec in November 2010, and it is now maintained as an extension of the Exploit Database. Today, the GHDB includes searches for other online search engines such as Bing, and other online repositories like GitHub, producing different, yet equally valuable results.


phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can be exploited post-authentication to execute PHP code by application. The module has been tested with phpMyAdmin v4.8.1.


PhpMyAdmin is a free and open-source administration tool for MySQL and MariaDB, providing us with a user-friendly interface. This application has become one of the most popular MySQL administration tools in many hosting services, which provides the functionality to perform Create, Read, Update, and Delete (CRUD) operations on the MySQL database. If the installed version of PhpMyAdmin is 4.8.1, this could lead to a Remote Code Execution vulnerability (CVE-2018-12613), which we will discuss in the blog.


After taking a deep dive into the payload code, you will know that in the 1st step, it was verified whether the target is accessible or not. Also, the version of phpMyAdmin was verified with the help of regular expression.


In the final step, collect the output of the injected code from the PHP session files of the logged-in user. Using directory traversal, navigate to the PHP session directory and print the selected output of the command by opening the session of a particular user with the help of regular expression.


After executing the PHP code, the session file should be read for a particular user, and for the same, there is an injection point in the index.php file, as shown below. It can be observed that the code lacks validation for directory traversal attacks, which leads to the file inclusion attack. With the help of this flow, an attacker can read the session file stored in the PHP server.


In different operating systems, the session files get stored in different locations, and the session ID will be different for all users and needs to be changed in the payload. Find out the directory for the targeted server operating system and manipulate the URL accordingly.


The index.php file is in C:/xampp/phpmyadmin, and session files are stored in the C:/xampp/tmp/ location. For accessing the session files, the tmp directory was reached using directory traversal (../../) to go back two directories.


I couldn't find any public PoC/exploit for this phpMyAdmin vulnerability, despite it being a serious bug affecting a popular open-source project. I think this vulnerability is a nice reminder that it's still possible to perform remote command execution these days without relying on SQL injection (i.e.: xp_cmdshell) or a memory corruption bug (i.e.: heap overflow).


After reading the public advisory and patched code, and playing around for a while, I managed to have a working PoC bash script. The script will allow you to remotely run shell commands and PHP code against vulnerable targets. Although in principle the vulnerability sounds quite simple, it actually took me a while to go from advisory to working attack code.


I'm providing the script with the hope that it will help pentesters and security researchers. Please only test the script against your own systems, or systems you have been given permission to pentest! Don't be evil, it's not worth it.


I'd like to thank Greg Ose for discovering such a cool vuln and doing a nice writeup about the technical details! Also big thanks to str0ke for testing this PoC script and providing such useful feedback!


First of all, thank you for the info. I have now installed the latest version of phpMyAdmin, that is version 5.2; the installation has everything so far. The only thing I got so far is that when I log in I still get the following message to the fore.


- I did not have the calendar, might be a plugin you installed? In this case, maybe an update is required (and maybe some permissions to check just in case)



This is not the best place to troubleshoot those issues, we might continue in another thread or in private (and here is what I got when going to "About" section)


It adds some plugins to roundcube which are probably not compatible anymore (I guess, I don't use it), so get a list of the plugins you have, and you'll have to set them up manually, until there is a "real big update" on all those tools and addons



Remember, any i-MSCP update/upgrade/reinstall will remove those manual changes.


The phpMyAdmin developer team is putting a lot of effort into making phpMyAdmin as secure as possible. But still, a web application like phpMyAdmin can be vulnerable to a number of attacks, and new ways to exploit are still being explored.


An attacker would trick a phpMyAdmin user into clicking on a link to provoke some action in phpMyAdmin. This link could either be sent via email or some random website. If successful, the attacker would be able to perform some action with the user's privileges.


As the whole purpose of phpMyAdmin is to perform SQL queries, this is not our first concern. SQL injection is sensitive to us though when it concerns the MySQL control connection. This control connection can have additional privileges which the logged in user does not possess, e.g. access to the phpMyAdmin configuration storage.


Should you find a security issue in the phpMyAdmin programming code, please contact the phpMyAdmin security team in advance before publishing it. This way we can prepare a fix and release the fix together with your announcement. You will also be given credit in our security announcement. You can optionally encrypt your report with PGP key ID DA68AB39218AB947 with the following fingerprint:
