Local file inclusion in phpMyAdmin caused by a whitelist-check bypass: a double-URL-encoded question mark (%253f) in the target parameter makes the page check accept a path that include() then resolves outside the web root.
Affected versions:
- phpMyAdmin 4.8.0
- phpMyAdmin 4.8.1
This PowerShell script needs three parameters to craft the exploit HTTP request:
1. The phpMyAdmin URL endpoint
2. The cookies of an authenticated user (the vulnerable check only runs after login)
3. The absolute path of the file to retrieve from the remote server
Prepare all the parameters to use the script:
Then, after you run it:
This can be turned into remote code execution: run a SELECT query whose text contains PHP code (for example SELECT '<?php phpinfo(); ?>'), because phpMyAdmin stores the query text in the PHP session. Then use the same file inclusion on your own session file, /var/lib/php/sessions/sess_SESSION_ID_HERE (the session id is the value of your phpMyAdmin cookie), and the embedded PHP code is executed.
I haven't written a code-execution PoC, but you can do it manually and trigger it with this script.
Code author: @_zc00l