# Exploit Title: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)  
# Date: 29/03/2021  
# Exploit Author: Valerio Severini  
# Vendor Homepage: Software Link:  
# Version: 7.13.0 or lower  
# Tested on: Debian 10 and Ubuntu  
Description: phpPgAdmin through 7.13.0 allows remote authenticated users to execute arbitrary code. An attacker can create a table named cmd_exec with one column, add type=text and cmd_out, and try to execute the query via a SQL tab. It will fail because of restrictions on statements. However, the attacker can bypass this step by uploading a .txt file (containing a SQL statement such as "COPY cmd_exec FROM PROGRAM" followed by OS commands) in the Browse bar. This achieves remote command execution via a "SELECT * FROM cmd_exec" statement.  
Attack Vectors (PoC):  
1) you have to create a table manually and call it "cmd_exec" with 1 column  
2) add cmd_output and type = text  
3) try to execute the query via SQL tabs , but it should fail because of restriction of Statement.  
4) A malicious Attacker could bypass this step uploading a .txt file in "Browse" bar, with a SQL malicious query inside, for example: " COPY cmd_exec FROM PROGRAM 'id; cd /root; ls'; "  
5) The attacker could execute Remote command execution and obtain full access control executing in SQL query: " SELECT * FROM cmd_exec; "