Stored XSS and possible RCE/LFI in case of misconfiguration in thorsten/phpmyfaq
Oct 3rd 2022
phpMyFAQ has a feature to restore the entire application from a backup. An attacker with admin rights can export the configuration and re-upload the same file, bypassing all backend sanitization and controls.
Proof of Concept XSS
- Log in as admin
- Go to the backup page
- Create a backup and download it
- Edit the file or add some queries to it
- in this case I edited the content of a category in order to fire an XSS on the admin panel or homepage
- Navigate to some page and see the XSS (homepage, list categories, etc.)
In case of misconfigured SQL service user grants, an attacker could abuse this to read or write sensitive files.
Example 1 (read file grant):
- Read SSH keys, passwd, etc.
Example 2 (write file grant):
- Write a PHP shell file in the web server root (the path is discovered from System Information -> Server Document Root)
SELECT 'some php code ' INTO dumpfile '/sitepath/somefile.php'
This vulnerability allows an attacker to take control of the entire database and, in some cases, read arbitrary files or execute shell commands by writing a malicious PHP file.
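As an added example (this is not phpMyFAQ's own restore code), the following Python pre-check screens an uploaded backup before any statement reaches the database: it rejects statements that touch the filesystem (INTO OUTFILE/DUMPFILE, LOAD_FILE, LOAD DATA), rejects statement kinds a content restore should never contain, and flags string literals that carry HTML tags, which is how the category payload above ends up rendered in the admin panel. It assumes a one-statement-per-line dump; the sample dump is constructed for the example and is not a real phpMyFAQ export.

```python
import re

# Constructed sample dump (not a real phpMyFAQ export): one benign row,
# one row whose literal carries a script tag, and one statement that
# writes to the filesystem.
SAMPLE_BACKUP = """\
INSERT INTO faqcategories (id, name, description) VALUES (1, 'General', 'General questions');
INSERT INTO faqcategories (id, name, description) VALUES (2, '<script>alert(1)</script>', 'Payload');
SELECT 'x' INTO DUMPFILE '/var/www/html/shell.php';
"""

# Constructs that read or write server files; none belongs in a content backup.
FILE_IO_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b",
    r"\bLOAD_FILE\s*\(",
    r"\bLOAD\s+DATA\b",
)]

# Statement kinds a content restore is expected to contain (assumption for this example).
ALLOWED_PREFIXES = ("INSERT", "UPDATE", "DELETE", "REPLACE", "TRUNCATE", "SET")

# Single-quoted SQL literals, honouring backslash escapes and doubled quotes.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.|'')*)'")
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def split_statements(dump):
    """Yield (line_number, statement) for each non-empty, non-comment line."""
    for number, line in enumerate(dump.splitlines(), start=1):
        stmt = line.strip()
        if stmt and not stmt.startswith("--"):
            yield number, stmt


def audit_backup(dump):
    """Return a list of (line, kind, detail) findings; an empty list means nothing was flagged."""
    findings = []
    for number, stmt in split_statements(dump):
        if any(p.search(stmt) for p in FILE_IO_PATTERNS):
            findings.append((number, "file_io", stmt))
        elif not stmt.upper().startswith(ALLOWED_PREFIXES):
            findings.append((number, "disallowed_statement", stmt))
        # Markup inside a literal is stored raw and later rendered by the app.
        for literal in STRING_LITERAL.findall(stmt):
            if HTML_TAG.search(literal):
                findings.append((number, "html_in_literal", literal))
    return findings


def is_safe_to_restore(dump):
    """True only when the audit produced no findings."""
    return not audit_backup(dump)


if __name__ == "__main__":
    for line, kind, detail in audit_backup(SAMPLE_BACKUP):
        print(f"line {line}: {kind}: {detail}")
    print("safe to restore:", is_safe_to_restore(SAMPLE_BACKUP))
```

The file-I/O check only matters when the database account can actually write to disk, so the complementary fix is on the MySQL side: do not grant the application user the FILE privilege, and leave secure_file_priv set to a dedicated directory (or NULL) so that even a crafted statement cannot drop a file under the document root.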