Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-12613 PoC — phpMyAdmin 安全漏洞

Source
https://github.com/0x00-0x00/CVE-2018-12613
Associated Vulnerability
Title:phpMyAdmin 安全漏洞 (CVE-2018-12613)
Description:An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Description
PHPMyAdmin v4.8.0 and v.4.8.1 LFI exploit
Readme
# CVE-2018-12613
Local file inclusion bug due to filter bypass using %253f character.

# Software Affected
1. PHPMyAdmin v.4.8.0
2. PHPMyAdmin v.4.8.1

# How to use
This PowerShell scripts need three parameters to craft a exploit HTTP request:

    1. PHPMyAdmin URL endpoint
    2. Cookies for an authenticated user
    3. A full path file to be retrieved in remote server

# Example

Prepare all the parameters to use the script:

![Screenshot](example.JPG)

Then, after you run it:

![Screenshot](example-2.JPG)

# Remote Code Execution

This could lead to remote code execution if you query a SELECT SQL containing PHP code. Then you can include your session file in /var/lib/php/sessions/SESSION_ID_HERE file to execute arbitrary PHP code.

I haven't coded a Code execution PoC. But you can do it manually and trigger it with this code.

Code author: @_zc00l
File Snapshot

 [4.0K]  /data/pocs/7a03466614fe2cc83d4a3df005870488205ea1a9
├── [ 95K]  example-2.JPG
├── [ 54K]  example.JPG
├── [ 18K]  LICENSE
├── [2.4K]  PHPMyAdmin-LFI.ps1
└── [ 863]  README.md

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →