PHPMyAdmin Configuration - richnadeau/Secure-Web-Application-CTF-Nadeau-Notter GitHub Wiki

PHPMyAdmin Vulnerable Configuration

Details

"An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication)."

Users will be able to obtain the usernames and passwords to perform this exploit from the Student Biographies via Insecure Design. Users will then be shown what should be fixed to patch this insecure design.

Configuration

Starting from our base Ubuntu image, we begin by creating users in the MySQL database with the following commands:

CREATE USER 'blaise.notter'@'localhost' IDENTIFIED BY 'password';
CREATE USER 'rich.nadeau'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON * . * TO 'blaise.notter'@'localhost';
GRANT ALL PRIVILEGES ON * . * TO 'rich.nadeau'@'localhost';
FLUSH PRIVILEGES;

Now we can download, extract, and install the vulnerable version of phpMyAdmin.

wget https://files.phpmyadmin.net/phpMyAdmin/4.8.1/phpMyAdmin-4.8.1-english.tar.gz
tar -xf phpMyAdmin-4.8.1-english.tar.gz
sudo mv phpMyAdmin-4.8.1-english /usr/share/phpmyadmin

Next, change the ownership and permissions of the /usr/share/phpmyadmin directory so that the web server user (www-data) can operate on it.

sudo chown -R www-data /usr/share/phpmyadmin
sudo chmod -R 755 /usr/share/phpmyadmin

Next, let's create a phpmyadmin.conf file, copy the sample PHP config file to config.inc.php inside the phpmyadmin directory, and copy phpmyadmin.conf into Apache's available-configurations directory (/etc/apache2/conf-available/).

sudo cp /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php
sudo cp phpmyadmin.conf  /etc/apache2/conf-available/phpmyadmin.conf

Next, we will need to edit the php.ini file located in the PHP Apache directory (/etc/php/7.4/apache2/) and uncomment the mysqli.so extension so that it is loaded. phpMyAdmin needs this extension to function properly. In the file, the line should look similar to this:

extension=mysqli.so

Lastly, we will need to enable the phpmyadmin configuration using the following commands.

sudo a2enconf phpmyadmin
sudo systemctl restart apache2

The target should now be accessible via your-target-ip/phpmyadmin
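For the "what should be fixed" side of the exercise, the following added example (not part of the original wiki or of phpMyAdmin) checks an install for the three conditions named in the advisory quoted under Details: the affected version range and the two `$cfg` settings that remove the authentication requirement. The function names are hypothetical, the version is passed in by hand, and the sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): audit a phpMyAdmin install for
# the conditions named in the advisory quoted under "Details".

# version_affected VERSION: succeeds if VERSION is 4.8.x before 4.8.2.
version_affected() {
  case "$1" in
    4.8.0|4.8.0.*|4.8.1|4.8.1.*) return 0 ;;
    *) return 1 ;;
  esac
}

# cfg_value FILE KEY: print the value of the last uncommented top-level
# $cfg['KEY'] = value; line (PHP applies the last assignment). Limitation:
# lines inside a multi-line /* ... */ block are not recognised as comments.
cfg_value() {
  sed -nE "s/^[[:space:]]*\\\$cfg\\[['\"]$2['\"]\\][[:space:]]*=[[:space:]]*([^;[:space:]]+)[[:space:]]*;.*/\\1/p" "$1" |
    tail -n 1
}

# audit_pma VERSION CONFIG: print one finding per line; succeed only if clean.
audit_pma() {
  findings=0
  if version_affected "$1"; then
    echo "version $1 is in the affected range (4.8.x before 4.8.2): upgrade"
    findings=$((findings + 1))
  fi
  case "$(cfg_value "$2" AllowArbitraryServer)" in
    true|TRUE|True|1)
      echo "AllowArbitraryServer is enabled: the advisory's authentication precondition does not apply"
      findings=$((findings + 1)) ;;
  esac
  if [ "$(cfg_value "$2" ServerDefault)" = "0" ]; then
    echo "ServerDefault is 0: the login requirement is bypassed"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample config for the demo; in practice point audit_pma at the
# real file, e.g. /usr/share/phpmyadmin/config.inc.php from the steps above.
sample=$(mktemp)
cat >"$sample" <<'EOF'
<?php
// $cfg['ServerDefault'] = 0;
$cfg['AllowArbitraryServer'] = true;
$cfg['ServerDefault'] = 1;
EOF
audit_pma 4.8.1 "$sample" || echo "fix the findings listed above"
```

On the constructed sample this reports two findings (version and AllowArbitraryServer); the commented-out `ServerDefault = 0` line is ignored because the later uncommented assignment sets it to 1.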

W.I.P.