XSRF-based SQL Injection Technology

Source: Internet
Author: User

Kang Kai

This article introduces a SQL injection technique based on Cross-Site Request Forgery (XSRF). phpMyAdmin is currently the most popular PHP project and is very widely deployed. In early December this year, a vulnerability was found in phpMyAdmin version 3.1.0. Exploiting it requires a specific approach: the SQL injection has to be delivered through Cross-Site Request Forgery. This article covers the affected versions and the concrete attack method for them, and analyzes the vulnerable code in detail.

I. Vulnerability description

phpMyAdmin is a MySQL database management tool. Once installed, it lets you manage MySQL data directly through a web interface instead of executing commands on the system, which makes it well suited to administrators who are unfamiliar with the database command line, and this is why it is so popular today. However, in early December this year, a security vulnerability was discovered in phpMyAdmin version 3.1.0: attackers can use XSRF to launch a SQL injection attack against phpMyAdmin. The vulnerability is exploitable regardless of whether magic_quotes_gpc is set to On or Off.

II. Vulnerability exploitation code

The exploitation code described in this article is a proof of concept for remotely running PHP code: the vulnerability is used to write a PHP backdoor to /var/www/backdoor.php. Because of AppArmor and SELinux, however, it is ineffective against the latest Ubuntu and Fedora systems.
The idea behind exploiting this vulnerability is to use an XSRF attack to inject SQL statements. The attack proceeds as follows:
1. When the attack is launched, the victim's browser must already be logged in to phpMyAdmin.
2. The attacker must know the phpMyAdmin URL.
3. The victim's browser must be made to load the malicious img tags shown below. *nix and Windows systems are covered separately.

Malicious img tag used for *nix systems:

[image: the img tag appears only as a screenshot in the original and is not reproduced here]

The injection path is as follows:
/var/www/backdoor.php
The injected backdoor is as follows:
[image: backdoor shown only as a screenshot in the original and not reproduced here]
Code used against the default XAMPP installation on Windows:

[image: the img tag appears only as a screenshot in the original and is not reproduced here]

The injection path is as follows:
C:/xampp/htdocs/backdoor.php
The injected backdoor is as follows:
[image: backdoor shown only as a screenshot in the original and not reproduced here]
The implanted backdoor can then be reached as follows:
http://10.1.1.10/backdoor.php?e=phpinfo();
Note that this attack only requires GET requests; it does not need JavaScript or ActionScript. NoScript is therefore no help here!

III. Technical Details

We now explain the vulnerable code in detail. First, the following SQL query is executed:

[image: SQL query shown only as a screenshot in the original and not reproduced here]

Because the first SQL query selects an integer, the MySQL char() function is used to build the string values. The PHP code that follows constructs a custom payload. The current payload, and the code that builds it, are shown in the screenshot below:

[image: payload and code shown only as a screenshot in the original and not reproduced here]

The vulnerability arises because the table parameter is not properly sanitized in phpMyAdmin's ./phpMyAdmin/libraries/db_table_exists.lib.php:

[image: vulnerable code shown only as a screenshot in the original and not reproduced here]

The PMA_sqlAddslashes() function only escapes single quotes ('); it ignores other delimiters such as double quotation marks ("). A remote attacker can therefore perform SQL injection by submitting a crafted request.
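To make the escaping point concrete, here is an added example (not phpMyAdmin's own code) that contrasts a single-quote-only escaper, modelled on what the article says about PMA_sqlAddslashes(), with identifier quoting that escapes the delimiter actually in use, plus a strict allow-list check. The function names and the sample table name are assumptions constructed for this illustration.

```php
<?php
// Added example, not phpMyAdmin code. Assumed behaviour of the weak escaper:
// it handles only the single quote, as the article describes.
function naive_addslashes(string $s): string {
    return str_replace("'", "\\'", $s);
}

// Hardened: a MySQL identifier is delimited by backticks, so the backtick is
// the character that must be doubled inside it, not the single quote.
function quote_identifier(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Strictest option: reject anything that is not a plain identifier before it
// gets anywhere near a query string (MySQL identifiers are at most 64 chars).
function is_plain_identifier(string $name): bool {
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $name) === 1;
}

// The value is embedded inside backticks, so single-quote escaping is
// irrelevant: an embedded backtick terminates the identifier early.
function build_query_naive(string $table): string {
    return 'SELECT COUNT(*) FROM `' . naive_addslashes($table) . '`';
}

// Same query built with proper identifier quoting.
function build_query_hardened(string $table): string {
    return 'SELECT COUNT(*) FROM ' . quote_identifier($table);
}

// Constructed sample input: a "table name" that carries a backtick.
$table = 'users` WHERE 1=1 -- ';

echo build_query_naive($table), "\n";     // identifier closed early, rest parsed as SQL
echo build_query_hardened($table), "\n";  // backtick doubled, whole value stays one identifier
var_dump(is_plain_identifier($table));    // allow-list rejects it outright
```

Running the two builders side by side shows why escaping the wrong delimiter gives no protection, and why an allow-list on identifiers is the simplest fix.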
This attack is not a textbook XSRF, because phpMyAdmin does have XSRF defenses: the token that protects requests is generated securely. See line 96 of ./phpmyadmin/libraries/session.inc.php, shown below:

[image: token generation code shown only as a screenshot in the original and not reproduced here]

The security vulnerability exists because some request variables are not protected by the token. See line 389 of ./phpmyadmin/libraries/common.inc.php, shown below:

[image: code shown only as a screenshot in the original and not reproduced here]

The definition of the PMA_remove_request_vars() function is as follows:

[image: function definition shown only as a screenshot in the original and not reproduced here]

Note the & in the function declaration: PMA_remove_request_vars(&$whitelist) takes the variable by reference, yet the function never modifies it. People still write it this way out of superstition, because it has no effect on their own code.

IV. Patch

The vendor has released a patch for this security problem; it can be downloaded from the vendor's site: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12100.

V. Summary

This article introduced a SQL injection technique based on Cross-Site Request Forgery. A vulnerability found in early December this year in phpMyAdmin version 3.1.0, the most popular and most widely deployed PHP project, can only be exploited in a specific way: the SQL injection must be delivered via Cross-Site Request Forgery. The article covered the affected versions, the concrete attack method, and a detailed analysis of the vulnerable code.
