cbcvebase.
CVE-2018-12613
published 2018-06-21


Priority: P1 · 88 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 98.39% (99.9th percentile)
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
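
To make the "improper test for whitelisted pages" concrete, here is an added Python model of the check. It is not phpMyAdmin's PHP source (which this page does not reproduce): the vulnerable logic re-decodes the `target` value and cuts it at the first `?` before comparing it against the page whitelist, while `include` receives the original, undecoded value. The whitelist below is a constructed subset, the hardened variant (exact match only for a value that will be included) is an illustrative assumption and not a copy of the upstream 4.8.2 patch, and PHP's lexical handling of `..` in include paths is approximated with `posixpath.normpath`.

```python
from urllib.parse import unquote
import posixpath

# Constructed subset of phpMyAdmin's goto whitelist (the real list is longer).
GOTO_WHITELIST = {"db_sql.php", "db_structure.php", "server_sql.php", "tbl_sql.php"}


def before_question_mark(page):
    """Mirror mb_substr($page, 0, mb_strpos($page . '?', '?')): keep text before the first '?'."""
    return page.split("?", 1)[0]


def check_page_validity_vulnerable(page, whitelist=GOTO_WHITELIST):
    """Model of the 4.8.0/4.8.1 whitelist test (a Python re-expression, not the PHP source).

    Three attempts: exact match, match after cutting at '?', and match after
    urldecode() + cutting at '?'.  The third attempt is the flaw: it validates a
    string that differs from the one include() later receives.
    """
    if not isinstance(page, str):
        return False
    if page in whitelist:
        return True
    if before_question_mark(page) in whitelist:
        return True
    if before_question_mark(unquote(page)) in whitelist:
        return True
    return False


def check_page_validity_hardened(page, whitelist=GOTO_WHITELIST):
    """Illustrative hardened check for the include case: exact whitelist match only (assumption).

    Cutting at '?' is reasonable when building a redirect URL, but not for a value
    that is passed to include(), so that path gets no decoding or truncation at all.
    """
    return isinstance(page, str) and page in whitelist


def php_request_value(raw_query_value):
    """PHP URL-decodes the query string once when populating $_REQUEST."""
    return unquote(raw_query_value)


def included_path(target):
    """Approximate PHP's lexical '..' resolution in include() with posixpath.normpath (assumption)."""
    return posixpath.normpath(target)


def simulate(raw_target):
    """Trace one request: what PHP stores, what each check decides, and what include() would open."""
    target = php_request_value(raw_target)
    return {
        "request_value": target,
        "vulnerable_check": check_page_validity_vulnerable(target),
        "hardened_check": check_page_validity_hardened(target),
        "path_if_included": included_path(target),
    }


if __name__ == "__main__":
    # The IOC shape: whitelisted page name, double-encoded '?', then traversal.
    for raw in ("db_sql.php", "db_sql.php%253f/../../../../../../../../etc/passwd"):
        print(raw, "->", simulate(raw))
```

The trace shows the mismatch directly: after PHP's single decode the value still contains `%3f`, the first two attempts fail, the third decodes it to `?`, cuts, and accepts `db_sql.php`, yet the string handed to `include` begins with a non-existent `db_sql.php%3f` component that the `..` segments then discard.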

Affected (3 ranges)

Vendor       Product      Version range        Fixed in
debian       phpmyadmin
phpmyadmin   phpmyadmin   >= 4.8 < 4.8.2       4.8.2
phpmyadmin   phpmyadmin   >= 4.8.0 < 4.8.2     4.8.2

Detection & IOCs (extracted from sources)

url:    http://127.0.0.1/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../windows/wininit.ini
url:    http://127.0.0.1/phpmyadmin/index.php?a=phpinfo();&target=db_sql.php%253f/../../../../../../phpStudy/PHPTutorial/MySQL/data/hack/hack.frm
url:    http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k
path:   /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
path:   /index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}
path:   /var/lib/php/sessions/sess_
cookie: phpMyAdmin
yara:   regex: root:.*:0:0:
  • The LFI bypass uses a double URL-encoded question mark (%253f) in the `target` GET parameter to evade the whitelist check in Core::checkPageValidity(). Detect GET requests to /index.php where the `target` parameter contains `db_sql.php%253f` followed by path traversal sequences.
  • The vulnerable code path is `include $_REQUEST['target']` at line 61 of /index.php. Monitor PHP include/require calls sourced from user-controlled `target` request parameters.
  • RCE via LFI is achieved by first placing PHP code into the MySQL data directory through a query, then including the resulting .frm file via the LFI. The .frm file stores the table definition rather than row data, so the payload has to land in table metadata (a column name or comment, for instance). Detect SQL queries that put PHP tags (e.g., `<?php`) into table definitions or columns, followed by LFI requests targeting MySQL data directory paths.
  • Alternative RCE path: inject PHP payload into the phpMyAdmin session file via SQL query (`select '<payload>'`), then trigger execution by including the session file at /var/lib/php/sessions/sess_<session_id> through the LFI endpoint.
  • Version fingerprinting: the Metasploit module detects vulnerable versions by matching `PMA_VERSION:"(\d+\.\d+\.\d+)"` in the response body and checking for 4.8.0 or 4.8.1.
  • The Metasploit module posts the exploit payload to /import.php with `sql_query`, `db`, `table`, and `token` POST parameters, then triggers LFI via GET to /index.php with the `target` parameter. Correlate POST to import.php followed by GET to index.php with %253f in the target parameter from the same session.
  • Shodan/FOFA exposure: phpMyAdmin instances can be identified via `http.title:"phpmyadmin"` or response body containing `pma_servername`.
  • Authentication is normally required to exploit this LFI. However, if `$cfg['AllowArbitraryServer'] = true` is set, an unauthenticated attacker who controls a MySQL server can achieve RCE. If `$cfg['ServerDefault'] = 0`, the login requirement is bypassed entirely.
  • The session-file-based RCE path depends on the PHP session save path being /var/lib/php/sessions/ (the Debian/Ubuntu packaging default). On Windows or non-default configurations the session file lives elsewhere, which is why write-ups against Windows stacks (see the phpStudy URL above) include a file from the MySQL data directory instead.
  • The Metasploit module explicitly targets only phpMyAdmin v4.8.0 and v4.8.1; v4.8.2 and later are patched.
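
The notes above describe a request-level rule (GET to /index.php whose `target` carries `db_sql.php%253f` plus traversal) and a correlation (a POST to /import.php from the same client shortly before). The following added Python example, which is not part of this page's sources or of any tool it names, runs both over constructed combined-format access-log lines; the log lines, client IPs, session-file name and five-minute correlation window are made up for the demonstration.

```python
import re
from datetime import datetime

# Combined-log-format parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Pull the target= value out of a request to index.php, wherever it sits in the query string.
TARGET_PARAM_RE = re.compile(r'/index\.php\?(?:[^&\s]*&)*target=(?P<target>[^&\s]*)', re.I)
# IOC shape: the whitelisted page name followed by the double-encoded '?'.
BYPASS_RE = re.compile(r'db_sql\.php%253f', re.I)
# Traversal in raw or URL-encoded form, with / or \ separators.
TRAVERSAL_RE = re.compile(r'(?:\.\.|%2e%2e)(?:/|%2f|\\|%5c)', re.I)
IMPORT_RE = re.compile(r'/import\.php(?:\?|$)', re.I)

# Constructed sample log (not real traffic): one benign user, one full RCE chain, one bare LFI.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jun/2018:10:15:01 +0000] "GET /phpmyadmin/index.php?target=db_sql.php HTTP/1.1" 200 5120
10.0.0.9 - - [21/Jun/2018:10:15:30 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 8120
10.0.0.9 - - [21/Jun/2018:10:15:33 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_constructed0001 HTTP/1.1" 200 734
10.0.0.7 - - [21/Jun/2018:10:16:02 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../windows/wininit.ini HTTP/1.1" 200 300
10.0.0.5 - - [21/Jun/2018:10:17:00 +0000] "GET /phpmyadmin/index.php?target=db_structure.php HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_lfi_request(path):
    """True when the request carries the CVE-2018-12613 bypass: db_sql.php%253f plus traversal."""
    m = TARGET_PARAM_RE.search(path)
    if not m:
        return False
    target = m.group("target")
    return bool(BYPASS_RE.search(target) and TRAVERSAL_RE.search(target))


def detect(log_text, window_seconds=300):
    """One alert per matching GET; the rule name records whether the same client POSTed to
    import.php within window_seconds beforehand (the payload-then-include sequence)."""
    last_import = {}  # client IP -> timestamp of its most recent POST /import.php
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and IMPORT_RE.search(rec["path"]):
            last_import[rec["ip"]] = rec["ts"]
            continue
        if rec["method"] == "GET" and is_lfi_request(rec["path"]):
            prior = last_import.get(rec["ip"])
            chained = prior is not None and 0 <= (rec["ts"] - prior).total_seconds() <= window_seconds
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"].isoformat(),
                "path": rec["path"],
                "status": rec["status"],
                "rule": "cve-2018-12613-rce-chain" if chained else "cve-2018-12613-lfi",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two caveats for production use. The whitelist consulted by the check contains many page names, not only db_sql.php, so a real rule should accept any whitelisted page before the `%253f`; and if a proxy tier decodes the query string before logging, the `%25` layer disappears and the `%3f` form has to be matched in those logs instead.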

CVSS provenance

nvd (v3.1):      8.8 HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0):      6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck:       8.8 HIGH
vendor_debian:   8.8 LOW