Last month, there was a disclosure about an LFI in phpMyAdmin 4.8.0-4.8.1. Exploitation of this vulnerability may lead to remote code execution.
The big challenge is that, to be exploited, this vulnerability requires an authenticated user. But fortunately, the default MariaDB installation (I will use MariaDB in this sample case) includes the anonymous and pma users, both with no password.
Now I will set up the target environment:
- XAMPP for Linux version 7.0.30. This package includes: phpMyAdmin version 184.108.40.206, MariaDB version 10.1.32, PHP version 7.0.30
- Ubuntu Server 16.04
- phpMyAdmin configuration:
  - $cfg['Servers'][$i]['AllowNoPassword'] = true; // true by default; other phpMyAdmin packages might differ
  - Comment out the 3 lines under "Authentication type" so we must provide a user/password to log in to phpMyAdmin
  - Change the file /opt/lampp/etc/extra/httpd-xampp.conf so phpMyAdmin can be accessed from the network
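The two preconditions this setup relies on, AllowNoPassword left at true and MariaDB accounts with an empty password, are exactly what a defender should audit for. The script below is an added example written for this post, not code from phpMyAdmin or the XAMPP package; the config path, database host and the admin account it connects with are assumptions and should be adjusted to the installation being checked.

```php
<?php
// Added audit script (not part of the original post). It reports the two
// weaknesses the walkthrough depends on: phpMyAdmin's AllowNoPassword setting
// and MariaDB accounts that accept an empty password.
// All paths, hosts and credentials below are assumptions for illustration.

$configFile = '/opt/lampp/phpmyadmin/config.inc.php'; // assumed XAMPP location
$dbHost = '127.0.0.1';                               // assumed
$dbUser = 'root';                                    // assumed admin account used for the audit
$dbPass = getenv('MYSQL_AUDIT_PASSWORD') ?: '';      // supply via environment, never hard-code

// 1. phpMyAdmin setting: including config.inc.php populates $cfg['Servers'].
$cfg = [];
$i = 0;
if (is_readable($configFile)) {
    include $configFile;
} else {
    fwrite(STDERR, "Cannot read $configFile\n");
}
$weakServers = 0;
foreach ($cfg['Servers'] ?? [] as $idx => $server) {
    // Missing key means phpMyAdmin's default (false) applies.
    if (!empty($server['AllowNoPassword'])) {
        $weakServers++;
        printf("[!] Server %d: AllowNoPassword is true; set it to false\n", $idx);
    }
}
if ($weakServers === 0) {
    echo "[ok] AllowNoPassword is false for all configured servers\n";
}

// 2. MariaDB accounts that can log in without a password.
$db = new mysqli($dbHost, $dbUser, $dbPass);
if ($db->connect_error) {
    fwrite(STDERR, "DB connection failed: {$db->connect_error}\n");
    exit(1);
}
// MariaDB 10.1 keeps the hash in mysql.user.Password; an empty hash with the
// native authentication plugin means no password is required at all.
$sql = "SELECT User, Host FROM mysql.user
        WHERE Password = '' AND (plugin = '' OR plugin = 'mysql_native_password')";
$res = $db->query($sql);
if ($res === false) {
    fwrite(STDERR, "Query failed: {$db->error}\n");
    exit(1);
}
$found = 0;
while ($row = $res->fetch_assoc()) {
    $found++;
    $user = $row['User'] === '' ? '<anonymous>' : $row['User'];
    printf("[!] account %s@%s has no password\n", $user, $row['Host']);
}
if ($found === 0) {
    echo "[ok] no passwordless accounts in mysql.user\n";
}
$db->close();
```

Every account the second check lists is a login the LFI can be reached with. Remediation is to drop the anonymous account (DROP USER ''@'localhost'), give pma and any other service account a real password, and set AllowNoPassword back to false so phpMyAdmin refuses blank-password logins even if a weak account slips through.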
Now, the steps of exploitation:
- Log in to phpMyAdmin using the anonymous or pma user. Who needs a password if blank is enough 😀
- Let's test the vulnerability.
- For more fun, let's escalate to RCE. First, we need to write PHP code onto the server. We can use the phpMyAdmin example script for single sign-on. Why do I use this script? Because we can write any string into a session without needing to log in. Maybe this trick will be useful for other LFI issues 😀 . Write this code into the username field: <?php echo shell_exec($_GET["shell"]);?> Then click submit, and check for a cookie named SignonSession. Check the session file on the target server: the PHP code is successfully written.
- Now, include the session file into phpMyAdmin and add the GET variable shell. The OS command dir is executed.