phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)

2021-04-01
ID: 104209
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 29/03/2021
# Exploit Author: Valerio Severini
# Vendor Homepage: Software Link: https://github.com/phppgadmin/phppgadmin/releases/tag/REL_7-13-0
# Version: 7.13.0 or lower
# Tested on: Debian 10 and Ubuntu

Description: phpPgAdmin through 7.13.0 allows remote authenticated users to execute arbitrary code. An attacker can create a table named cmd_exec with one column, add type=text and cmd_out, and try to execute the query via a SQL tab. It will fail because of restrictions on statements. However, the attacker can bypass this step by uploading a .txt file (containing a SQL statement such as "COPY cmd_exec FROM PROGRAM" followed by OS commands) in the Browse bar. This achieves remote command execution via a "SELECT * FROM cmd_exec" statement.

Attack Vectors (PoC):
1) you have to create a table manually and call it "cmd_exec" with 1 column
2) add cmd_output and type = text
3) try to execute the query via SQL tabs , but it should fail because of restriction of Statement.
4) A malicious Attacker could bypass this step uploading a .txt file in "Browse" bar, with a SQL malicious query inside, for example: " COPY cmd_exec FROM PROGRAM 'id; cd /root; ls'; "
5) The attacker could execute Remote command execution and obtain full access control executing in SQL query: " SELECT * FROM cmd_exec; "
1-4-2 (www02)