[Security Alert] Local File Inclusion Vulnerability in phpMyAdmin

  • Source: SANGFOR Security Center
  • Date Published: 2018-06-26

Summary

On June 21, 2018, a security research institution published an article stating that a local file inclusion vulnerability in phpMyAdmin can be used to write a webshell into a database file and obtain a shell on the server (Getshell). The article describes how an attacker can store the webshell as a field value of a data table so that it is written into the database file on disk, then use the local file inclusion vulnerability to include that file and achieve Getshell.
Definition From Encyclopedia
phpMyAdmin is a web-based administration tool for MySQL databases, written in PHP, that enables MySQL database management through a web interface. With it, users can perform database operations such as creating, duplicating and deleting databases and tables. One advantage of phpMyAdmin is that it runs on a web server like any other PHP program, so users can access the HTML pages generated by phpMyAdmin from anywhere. It therefore gives users the ability to manage MySQL databases remotely, facilitating operations such as creating, altering and deleting databases and tables.
Vulnerability Analysis
On June 21, 2018, a security research institution published an article stating that a local file inclusion vulnerability in phpMyAdmin can result in Getshell. The vulnerability is in phpMyAdmin's index.php, which ultimately executes include $_REQUEST['target'], as shown in the code in the figures below. The target parameter therefore opens the way to local file inclusion once its parameter restrictions are bypassed. The target parameter is filtered according to the following requirements. Firstly, it must not begin with index.

Figure 1
Secondly, the parameter value cannot be in the blacklist shown in Figure 2.
Figure 2
Thirdly, the checkPageValidity function, shown below, verifies the target parameter.
Figure 3
This function is used to check whether the target parameter is in the whitelist shown in Figure 4.
Figure 4
Because this function calls $_page = urldecode($page), a question mark (?) in the parameter can be URL-encoded a second time: after submission, the web server decodes the parameter once, and urldecode() then decodes it again, turning the encoded value back into a question mark. The truncated value then matches the whitelist, so an illegitimate target parameter becomes legitimate and the local file inclusion vulnerability is triggered.
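To make the whitelist logic concrete from the defender's side, the following Python model is added here; it is not phpMyAdmin's code. It implements the check as the analysis above describes it (truncate at the first question mark, then urldecode and truncate again), puts a hardened check beside it that never decodes a second time, and scans a few constructed access-log lines for the pattern. The whitelist entries, the log lines and the file name constructed.txt are assumptions for the example, and the hardened variant is my own design rather than the project's official fix.

```python
"""Model of the phpMyAdmin 4.8.1 `target` whitelist check (as described in the
advisory) beside a hardened replacement and a log scan.  Added example for this
advisory; the whitelist, sample log and file name are constructed.
"""
from urllib.parse import quote, unquote, urlparse

# Assumed, shortened whitelist of pages index.php is allowed to include.
GOTO_WHITELIST = ["db_sql.php", "tbl_sql.php", "server_sql.php"]


def _page_part(value: str) -> str:
    """Return the part of `value` before the first '?' (all of it if none)."""
    return value.split("?", 1)[0]


def weak_check_page_validity(page: str, whitelist=GOTO_WHITELIST) -> bool:
    """Flawed check modelled on the advisory: the web server has already
    decoded the parameter once, so the extra urldecode() unwraps a second
    layer of encoding and the truncated result is compared with the whitelist.
    (PHP's urldecode also maps '+' to a space; unquote() does not, which does
    not matter for this model.)"""
    if page in whitelist:
        return True
    if _page_part(page) in whitelist:
        return True
    if _page_part(unquote(page)) in whitelist:   # the dangerous second decode
        return True
    return False


def hardened_check_page_validity(page: str, whitelist=GOTO_WHITELIST) -> bool:
    """Hardened variant (author's design, not the project's fix): never decode
    again, require the page part to match the whitelist exactly, and refuse a
    query-string remainder that still carries percent-encoding or separators."""
    if not isinstance(page, str) or not page:
        return False
    page_part = _page_part(page)
    if page_part not in whitelist:
        return False
    rest = page[len(page_part):]
    return "%" not in rest and "/" not in rest and "\\" not in rest


def is_double_encoded(raw_param: str) -> bool:
    """True if decoding the on-the-wire value a second time still changes it,
    i.e. the client sent percent-encoded percent signs."""
    once = unquote(raw_param)
    return unquote(once) != once


def flag_suspicious_targets(log_lines):
    """Return (line_no, raw_target) for index.php requests whose `target`
    value is double-encoded or fails the hardened check after one decode."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            request = line.split('"')[1]     # 'GET /path?query HTTP/1.1'
            path = request.split(" ")[1]
        except IndexError:
            continue
        parsed = urlparse(path)
        if not parsed.path.endswith("index.php"):
            continue
        # Split the query by hand so the values stay raw (parse_qs decodes).
        raw_params = dict(p.split("=", 1) for p in parsed.query.split("&") if "=" in p)
        raw_target = raw_params.get("target")
        if raw_target is None:
            continue
        decoded_once = unquote(raw_target)   # what the web server hands to PHP
        if is_double_encoded(raw_target) or not hardened_check_page_validity(decoded_once):
            hits.append((n, raw_target))
    return hits


# Constructed wire value: '?' encoded twice, then a file name not in the whitelist.
CONSTRUCTED_RAW_TARGET = "db_sql.php" + quote(quote("?")) + "/constructed.txt"
# The same value after the web server's single decode (what PHP sees).
CONSTRUCTED_DECODED_ONCE = unquote(CONSTRUCTED_RAW_TARGET)

# Constructed access-log lines (combined log format); line 3 carries the pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jun/2018:10:00:01 +0000] "GET /phpmyadmin/index.php?target=db_sql.php&db=test HTTP/1.1" 200 4123',
    '10.0.0.5 - - [26/Jun/2018:10:00:02 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%3Fa%3D1 HTTP/1.1" 200 4123',
    '10.0.0.9 - - [26/Jun/2018:10:00:03 +0000] "GET /phpmyadmin/index.php?target='
    + CONSTRUCTED_RAW_TARGET + ' HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    print("weak check accepts constructed value:", weak_check_page_validity(CONSTRUCTED_DECODED_ONCE))
    print("hardened check accepts it:", hardened_check_page_validity(CONSTRUCTED_DECODED_ONCE))
    print("flagged log lines:", flag_suspicious_targets(SAMPLE_LOG))
```

The second log line is a legitimately single-encoded query string (`db_sql.php?a=1` after the server's decode) and is not flagged; only the value that still contains an encoded percent sign after one decode is reported, which is the signal a WAF or log rule should key on rather than the literal file name.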
Vulnerability Reproduction
This section describes how we reproduced the local file inclusion vulnerability. Firstly, download phpMyAdmin-4.8.1-all-languages, the latest version, from the official website, and create a .txt file named robots in the same folder where the phpMyAdmin installation files are stored.
After installing phpMyAdmin, log in and visit the URL shown in Figure 6 to trigger the vulnerability.
Figure 6
After login, you can manage the database and perform any operation. Thus, a webshell can be written into the database and then accessed by exploiting the local file inclusion vulnerability.
Use the webshell as a field value and write it to the database, as shown in Figure 7. Then access the database file.
Figure 7
The figure below shows that the webshell has been written into the database file.
Figure 8
By visiting that database file path, the webshell code is executed and Getshell is achieved in this way, as shown in Figure 9.
Figure 9
Affected Versions
phpMyAdmin 4.8.1

Solution

At the time of writing, no service pack or update has been officially released. If you are using phpMyAdmin, visit the following link to download the latest version:
https://www.phpmyadmin.net/downloads/
Sangfor Solution
After this vulnerability was disclosed, the Sangfor security team began analyzing it and promptly developed the corresponding security rules. Sangfor NGAF customers should update their security databases to the latest version and enable the security protection policies.