Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to carry out phpMyAdmin 4.7.x CSRF vulnerability exploitation, the quality of the article content is high, so Xiaobian shared with you as a reference, I hope you have a certain understanding of related knowledge after reading this article.

phpMyAdmin is a well-known MySQL/MariaDB online administration tool. The phpMyAdmin team fixed a critical CSRF vulnerability (PMASA-2017-9) in version 4.7.7, which allows attackers to silently execute arbitrary SQL statements by convincing administrators to visit malicious pages.

We will familiarize ourselves with this exploit in conjunction with VulnSpy's online phpMyAdmin environment.

Note: Restart the demo drone to reset the drone

1 Create phpMyAdmin environment online

Click on VulnSpy's Create Target address (www.vsplate.com/? github=vulnspy/PMASA-2017-9）

After jumping to VSPlate, click GO button directly, and a phpMyAdmin environment will be automatically created.

Open the link to the demo address and our phpMyAdmin is complete.

Log in to phpMyAdmin using root, password to. According to the page information, we can find that the current phpMyAdmin version is 4.7.6, which matches the vulnerable phpMyAdmin version.

CSRF Exploit-Modify current database user password

We know that if you want to use CSRF to delete or modify the contents of the database, you need to know the database name, table name and field name in advance. This kind of utilization seems a bit complicated and the success rate is limited, so we will introduce several more common utilization methods in this article.

SQL statements are supported in MySQL to modify the current user password. For example, modify the current user password to [www.vulnspy.com](http://www.vulnspy.com), and the corresponding SQL statement is:

SET password =PASSWORD ('www.vulnspy.com'); using demo

2.1 Simulate administrator login phpMyAdmin status.

Login to phpMyAdmin with root password to.

2.2 Create pages with malicious code.

File name 2.payload.html (replace the domain name below with your own drone domain name)

Hello World

2.3 Open a file with malicious code in your browser 2.payload.html

Go back to the phpMyAdmin page opened in the previous step and find that it has automatically logged out, and you can no longer log in with the original password toor.

2.4 Login successfully with password www.vulnspy.com, indicating successful utilization

3 CSRF Exploits-Write Files

MySQL supports writing query results to files, which we can use to write PHP files. For example, write the code to the file/var/www/html/test.php, and the corresponding SQL statement is:

select '' into outfile '/var/www/html/test.php';

3.1 The previous demo steps are the same, just change the file code in 2.2 to:

Hello World

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.