
SSD Advisory – phpMyAdmin File Inclusion and Remote Code Execution


Vulnerabilities Summary
Authenticated users can exploit a file inclusion vulnerability in phpMyAdmin, which can then be combined with another vulnerability to achieve Remote Code Execution. In addition, authenticated attackers can view files and execute PHP files located on the server by exploiting a bug in the part of the code responsible for redirects and the loading of whitelisted pages.

Vendor Response
The vendor, phpMyAdmin, issued a fix on the 21st of June 2018. Version 4.8.2 and newer aren’t affected.

CVE
CVE-2018-12613

Credit
An independent security researcher, Henry Huang, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
phpMyAdmin 4.8.0 and 4.8.1 (running on Linux systems)

Vulnerability Details
The root cause of the vulnerability is in the /index.php file, lines 54-63, which call the function Core::CheckPageValidity located in /libraries/classes/Core.php, lines 444-476:

Index.php:

/libraries/classes/Core.php:

We can see that the check that was put in to prevent a file inclusion vulnerability is flawed: it can be bypassed by referencing ‘db_sql.php?’ in our request.

Steps to exploit the vulnerabilities:

  1. Log in to phpMyAdmin
  2. Run an SQL query that contains the arbitrary PHP code, for example: select ‘<?php phpcredits(); ?>’
  3. Take the session ID (the value of the phpMyAdmin cookie)
  4. Using this information, create a URL similar to this:

Result

Let’s look at the patched code and understand how the issue was fixed.

Index.php:

Core.php:

We can see that the function Core::CheckPageValidity has an additional parameter, “$include”. index.php passes $include as true, and since the whitelist is empty the function returns false, so the vulnerability is now blocked.
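To make the flawed check and the fix concrete, here is an added Python model (not phpMyAdmin's own code, which is PHP) of the Core::CheckPageValidity logic before and after the patch, together with the index.php gate that calls it; the whitelist and blacklist are constructed subsets, and the simplification of the real function is an assumption.

```python
from urllib.parse import unquote

# Constructed subset of phpMyAdmin's goto whitelist (the real list is longer).
GOTO_WHITELIST = ["db_sql.php", "db_structure.php", "sql.php", "tbl_sql.php"]
# Constructed subset of the index.php target blacklist.
TARGET_BLACKLIST = ["import.php", "export.php"]


def check_page_validity_vulnerable(page, whitelist=GOTO_WHITELIST):
    """Pre-4.8.2 behaviour (simplified model, assumption): accept the target if
    it is whitelisted outright, or if the part before the first '?' is, or if
    the part before the first '?' of the URL-decoded target is. The caller then
    includes the ORIGINAL string, not the truncated one; that is the flaw."""
    if not isinstance(page, str):
        return False
    if page in whitelist:
        return True
    if page.split("?", 1)[0] in whitelist:
        return True
    if unquote(page).split("?", 1)[0] in whitelist:
        return True
    return False


def check_page_validity_fixed(page, whitelist=GOTO_WHITELIST, include=False):
    """Patched behaviour (simplified model, assumption): when include=True the
    '?'-stripping comparisons are skipped, so only an exact whitelist entry
    passes and the value handed to include is exactly what was checked."""
    if not isinstance(page, str):
        return False
    if page in whitelist:
        return True
    if include:
        return False
    if page.split("?", 1)[0] in whitelist:
        return True
    if unquote(page).split("?", 1)[0] in whitelist:
        return True
    return False


def index_would_include(target, check):
    """Models the index.php gate around `include $_REQUEST['target']`."""
    return (isinstance(target, str) and target != ""
            and not target.startswith("index")
            and target not in TARGET_BLACKLIST
            and check(target))


def flag_bypass_shaped_targets(targets):
    """Defender-side triage over target values seen in web logs: keep those
    the old check would accept but the patched, include=True check rejects."""
    return [t for t in targets
            if check_page_validity_vulnerable(t)
            and not check_page_validity_fixed(t, include=True)]
```

The last helper is useful for retro-hunting: any `target` value it returns from historical access logs was a request that the vulnerable check would have passed through to include.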

Proof of Concept

How to use
python poc.py -u <username> -p <password> -U http://<domain or ip>/phpmyadmin --php-payload="phpcredits();"

*** This is a Security Bloggers Network syndicated blog from SecuriTeam Blogs authored by SSD / Ori Nimron. Read the original post at: https://blogs.securiteam.com/index.php/archives/3700