phpMyAdmin 4.8.x LFI to RCE -- encoding not required #1

Closed
OJ opened this Issue Jun 25, 2018 · 6 comments

OJ commented Jun 25, 2018

Howdy!

I had no other way of contacting you so I thought I'd add something in here.

In this post regarding the LFI in phpMyAdmin, you mention the following:

Core::checkPageValidity can be bypassed by using double encoding like %253f.

When reading the source this line confused me because the check didn't seem to rely on encoding at first, and the file system inclusion doesn't care about question marks anyway.

In short, you don't need to encode twice, or even once. The exploit appears to work without encoding at all, or with a single round.

No encoding:
456ac4d7-8fc3-4fa4-b8dc-e9ec2711e00d

Encoding once:
40b712aa-f40b-4f35-9d57-4fc5b5ad1f74

I thought I'd share so that perhaps you can update the post. I think the mention of double-encoding makes understanding the issue a little more confusing.

Thanks!

ambulong commented Jun 25, 2018

Hi @OJ,
Thanks for the issue, and sorry for that mistake. I have updated the post just now (http://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/).
Thanks again.

OJ commented Jun 25, 2018

Sweet thanks :)

OJ closed this Jun 25, 2018

m3lon commented Nov 21, 2018

Sorry, I think we need the double encoding %253f. I run the environment on my Windows machine.

When I just enter http://localhost/phpMyAdmin4/index.php?target=db_sql.php%3f/../../../tmp%2Ftmp%2Fsess_mfmrjqbqbl5r82ghr5tqn35qt82va8tm,
it reports an error: "include(db_sql.php?/../../../tmp/tmp/sess_mfmrjqbqbl5r82ghr5tqn35qt82va8tm): failed to open stream: No such file or directory."

Only when I use the double encoding is db_sql.php%253f considered a folder by the server, and the check is bypassed through db_sql.php%253f/../.

m3lon commented Nov 21, 2018

I ran the PHP code include "abcd?/../phpinfo.php" on Windows and Ubuntu. Surprisingly, I discovered that the file is included successfully on Ubuntu, but it reports an error on Windows.

So I think on Windows we need the double encoding %253f; on Linux we don't need encoding.

Please give me a lot of advice.

ambulong commented Nov 23, 2018

Thanks @m3lon. I got a reference: https://docs.microsoft.com/en-us/windows/desktop/FileIO/naming-a-file

The question mark (?) is one of the reserved characters in Windows, so a path containing '?' is considered an invalid path in Windows.
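The practical takeaway of this thread for anyone monitoring a phpMyAdmin deployment is that the same traversal payload can arrive with zero, one or two rounds of percent-encoding, so a detector that decodes the query string once (as most log parsers do) misses the Windows variant. The following Python is an added example, not code from this issue or from phpMyAdmin: it decodes a `target=` value repeatedly until it stops changing, then looks for `../` segments or an injected `?`. The access-log lines, the `sess_x` file name and the function names are constructed for the example.

```python
"""Detection helper: flag ``target=`` values carrying a path-traversal payload
regardless of how many percent-encoding rounds were applied (none, one, two)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic): one benign request
# followed by the unencoded, single-encoded and double-encoded variants
# discussed in the thread. ``sess_x`` stands in for a real session file name.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2018:10:00:01 +0000] "GET /phpMyAdmin4/index.php?target=db_sql.php HTTP/1.1" 200 512
10.0.0.5 - - [21/Nov/2018:10:00:02 +0000] "GET /phpMyAdmin4/index.php?target=db_sql.php?/../../../tmp/sess_x HTTP/1.1" 200 512
10.0.0.5 - - [21/Nov/2018:10:00:03 +0000] "GET /phpMyAdmin4/index.php?target=db_sql.php%3f/../../../tmp%2Fsess_x HTTP/1.1" 200 512
10.0.0.5 - - [21/Nov/2018:10:00:04 +0000] "GET /phpMyAdmin4/index.php?target=db_sql.php%253f/../../../tmp%252Fsess_x HTTP/1.1" 200 512
"""

# Request line inside a combined-format log entry.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

# A ``..`` path segment delimited by slash or backslash (or at either end).
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def raw_query_params(url):
    """Split the query string into key -> raw value WITHOUT percent-decoding,
    so that the number of encoding rounds can be measured afterwards."""
    params = {}
    for pair in urlsplit(url).query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(key, value)
    return params


def decode_rounds(value, max_rounds=3):
    """Percent-decode until the value stops changing, bounded by max_rounds.
    Returns (decoded_value, rounds_applied)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def classify_target(value):
    """Return a reason string if the fully decoded target looks like a traversal
    or delimiter-injection attempt, else None."""
    decoded, rounds = decode_rounds(value)
    if TRAVERSAL.search(decoded):
        return f"traversal after {rounds} decode round(s)"
    if '?' in decoded or '\x00' in decoded:
        return f"delimiter injection after {rounds} decode round(s)"
    return None


def scan_log(text):
    """Return [(line_number, raw_target, reason)] for suspicious target= values."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        target = raw_query_params(m.group('url')).get('target')
        if target is None:
            continue
        reason = classify_target(target)
        if reason:
            findings.append((n, target, reason))
    return findings


if __name__ == "__main__":
    for n, target, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: {target}")
```

The bound on decode rounds matters in both directions: without it, a value such as `%2525...` could be decoded indefinitely, and with it the reported round count tells the analyst which platform quirk (the Windows reserved-character behaviour above, or plain Linux traversal) the request was shaped for.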
