phpPgAdmin 7.13.0 – COPY FROM PROGRAM Command Execution (Authenticated)

• Exploit Database
• 44 阅读

• 作者： Valerio Severini
  日期： 2021-04-01
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49736/

• # Exploit Title: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)
  # Date: 29/03/2021
  # Exploit Author: Valerio Severini
  # Vendor Homepage: Software Link: https://github.com/phppgadmin/phppgadmin/releases/tag/REL_7-13-0
  # Version: 7.13.0 or lower
  # Tested on: Debian 10 and Ubuntu
  
  Description: phpPgAdmin through 7.13.0 allows remote authenticated users to execute arbitrary code. An attacker can create a table named cmd_exec with one column, add type=text and cmd_out, and try to execute the query via a SQL tab. It will fail because of restrictions on statements. However, the attacker can bypass this step by uploading a .txt file (containing a SQL statement such as "COPY cmd_exec FROM PROGRAM" followed by OS commands) in the Browse bar. This achieves remote command execution via a "SELECT * FROM cmd_exec" statement.
  
  Attack Vectors (PoC):
  1) you have to create a table manually and call it "cmd_exec" with 1 column
  2) add cmd_output and type = text
  3) try to execute the query via SQL tabs , but it should fail because of restriction of Statement.
  4) A malicious Attacker could bypass this step uploading a .txt file in "Browse" bar, with a SQL malicious query inside, for example: " COPY cmd_exec FROM PROGRAM 'id; cd /root; ls'; "
  5) The attacker could execute Remote command execution and obtain full access control executing in SQL query: " SELECT * FROM cmd_exec; "