CSRF and SQL Injection vulnerabilities on PhpMyAdmin

Just as usual, I started this day by reading hackers webzine (http://www.0x000000.com/). And what I read today is kinda shocking. Since I’ve been using PhpMyAdmin for years, I have never noticed that such big vulnerabilities ever existed in PhpMyAdmin itself :P. Here’s the full excerpt, taken from http://www.0x000000.com/?i=587:

OK I could not resist to post this.

I played around with PhpMyAdmin a moment ago, and I never gave it much thought since it bores me too quickly. But this is kind of interesting. I have two different instances of PhpMyAdmin running for testing purposes. It is interesting to see that almost nobody understands CSRF and its capabilities, including those PhpMyAdmin developers. I mean this stuff is hilarious; first off, when you sign in to PhpMyAdmin it looks like it sets a token because it says:

foo.php?token=md5thingy

secure right?

Well, I am not sure what they are doing there, but removing the token doesn’t make any difference. It just continues to work. So I emptied the cookie; well, to no avail, I am still logged into it. This means it uses a plain PHP session; this way it’s vulnerable to CSRF and I can do anything at will if someone visits my special webpage and is still logged into PhpMyAdmin.

But of course, it gets worse.

How about truncating a table, or just dropping a table through CSRF? It only requires the victim to be logged into his PhpMyAdmin or still sit in the 24 minute PHP session timezone. We can craft a special page that submits itself in an Iframe. But the most shocking thing is that PhpMyAdmin sets the query to truncate a table inside a form field. This is done this way:

Ugh.

So this means I can add anything I like there? Of course we can:

Since a standard PHP session usually lasts 24 minutes, attackers can hack anyone even after you close your PhpMyAdmin session. Much more is possible, and probably very fancy stuff. Yes, you need to know the table name in order to pull this off, but how about making 200 hidden Iframes in our victim page that guess the table names? Or just reload the Iframe with different table names for about 5 minutes if you do not know the table name? I am sure that one will be the right one! And I would not be surprised if you could use GET also :)
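
The excerpt's core finding is that requests keep working after the token is removed. As an added example (not phpMyAdmin's code and not part of the quoted post), this PHP code shows a check for state-changing requests that fails closed when the token is missing, empty, malformed or wrong. The function names, the `token` field name and the sample requests are assumptions made for illustration.

```php
<?php
// Added example; function names and the 'token' field are hypothetical.

/** Create the per-session secret once, at login, and keep it server-side. */
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a request may change state (run a query, drop a table).
 * A missing, empty or non-string token is a failure, never a pass-through.
 */
function csrf_request_allowed(array $session, string $method, array $post): bool
{
    // Accept state changes over POST only, so a GET URL cannot trigger them.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['token'] ?? '';
    if (!is_string($supplied) || $expected === '' || $supplied === '') {
        return false;
    }
    // Constant-time comparison against the value bound to this session.
    return hash_equals($expected, $supplied);
}

// Constructed sample requests; in a web app these come from $_SESSION,
// $_SERVER['REQUEST_METHOD'] and $_POST.
$session = [];
$token = csrf_issue_token($session);

$cases = [
    'valid token'    => ['POST', ['token' => $token]],
    'token removed'  => ['POST', []],
    'empty token'    => ['POST', ['token' => '']],
    'wrong token'    => ['POST', ['token' => str_repeat('0', 64)]],
    'array token'    => ['POST', ['token' => ['x']]],
    'GET with token' => ['GET',  ['token' => $token]],
];
foreach ($cases as $name => [$method, $post]) {
    $verdict = csrf_request_allowed($session, $method, $post) ? 'allowed' : 'rejected';
    printf("%-15s %s\n", $name, $verdict);
}
```

Only the first case is allowed. A page on another origin cannot read the session-bound token, so a form it submits on the user's behalf fails this check even while the PHP session is still alive.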
