CVE-2018-12613
HIGH EXPLOITED IN THE WILD NUCLEIphpMyAdmin 4.8.x <4.8.2 - Code Injection
Title source: llmExploitation Summary
CVE-2018-12613 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
EIP tracks 9 public exploits from researchers including samguy, Metasploit, VulnSpy, including a Metasploit module exploits/multi/http/phpmyadmin_lfi_rce.
A Nuclei detection template is also available.
AI-analyzed exploit summary This exploit targets a vulnerability in phpMyAdmin 4.8.0 and 4.8.1, allowing remote code execution by leveraging a session file inclusion flaw. It authenticates, injects a malicious query, and triggers execution via a crafted URL.
Description
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Exploits (9)
This exploit targets a vulnerability in phpMyAdmin 4.8.0 and 4.8.1, allowing remote code execution by leveraging a session file inclusion flaw. It authenticates, injects a malicious query, and triggers execution via a crafted URL.
This Metasploit module exploits CVE-2018-12613, an authenticated local file inclusion vulnerability in phpMyAdmin 4.8.0 and 4.8.1, leading to remote code execution via crafted database queries and session file inclusion.
This exploit leverages a Local File Inclusion (LFI) vulnerability in phpMyAdmin 4.8.0/4.8.1 to achieve Remote Code Execution (RCE) by including a session file containing malicious PHP code. The attacker first injects PHP code via an SQL query, then includes the session file through a crafted URL.
This exploit leverages a Local File Inclusion (LFI) vulnerability in phpMyAdmin 4.8.1 via a double URL-encoded payload to bypass input validation. It demonstrates reading arbitrary files and suggests a method to achieve remote code execution by including a database file containing malicious PHP code.
This PowerShell script exploits a Local File Inclusion (LFI) vulnerability in PHPMyAdmin v4.8.0 and v4.8.1 by leveraging a filter bypass using the %253f character. It crafts an HTTP request with authenticated cookies to retrieve arbitrary files from the remote server.
This is a Python 3 port of the CVE-2018-12613 exploit for phpMyAdmin 4.8.0/4.8.1, which allows arbitrary file read and PHP code execution via path traversal and SQL injection. The PoC includes authentication checks and version validation.
This repository contains a writeup in Chinese discussing a file inclusion vulnerability in phpMyAdmin 4.8.1 (CVE-2018-12613). It describes the vulnerability's configuration, principles, and reproduction steps but does not include exploit code.
This repository contains a functional exploit for CVE-2018-12613, targeting phpMyAdmin 4.8.1 with a Python-based RCE exploit and a reverse shell generator. It also includes a privilege escalation exploit for CVE-2023-2640 and detailed documentation.
This Metasploit module exploits an authenticated local file inclusion (LFI) vulnerability in phpMyAdmin 4.8.0 and 4.8.1 to achieve remote code execution (RCE) by creating a malicious database table and including it via path traversal.
Nuclei Templates (1)
http.title:"phpmyadmin" || http.component:"phpmyadmin" || cpe:"cpe:2.3:a:phpmyadmin:phpmyadmin"
title="phpmyadmin" || body="pma_servername" && body="4.8.4"
References (7)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H