phpMyAdmin < 2.11.5 SQL Injection

Post by Lyecdevf »

It is a variable that was not cleaned in a way, allowing you to inject SQL code into the cookie. Here is an example of a small vulnerable PHP script.
Code:

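<?php
// The cookie value is copied into the query string without validation or escaping.
$user['id'] = $_COOKIE['uid'];
$query = "SELECT name, password FROM members where uid='" . $user['id'] . "'";
$query = mysql_query($query);
// First column of the first row, i.e. the name.
$name = mysql_result($query, 0);
echo 'Hello ' . $name . '!';
?>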
If it is a normal user, it would display a perfectly good name like "Hello Admin!".
You can now use a thing such as the extension for Firefox called Cookie Editor, and modify the cookie; you can also do this with JavaScript.
You then edit the cookie's value. It would have been something like "12", but after editing and adding SQL code to it, it would be something like "-1 UNION ALL SELECT USER(), NULL FROM mysql.user--".
That will change the query, and display the user connected to the database, instead of the name of the user stored in the database.
That will result in the following being echo'd; "Hello root@localhost".

http://secunia.com/advisories/29200/
We will either find a way, or make one.
- Hannibal
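
The same lookup with the cookie value validated and bound as a query parameter, as an added example that is not part of the original post. It assumes PDO with a constructed in-memory SQLite table standing in for the post's MySQL database; the function name `lookup_name` is hypothetical.

```php
<?php
// Added example: hardened form of the cookie lookup. Table and column names
// follow the post; the in-memory SQLite database and its row are constructed.
function lookup_name(PDO $db, array $cookies): ?string
{
    $raw = $cookies['uid'] ?? '';
    // Accept only a positive integer id; anything else is not a valid value.
    $uid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT name FROM members WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO members (uid, name, password) VALUES (12, 'Admin', 'constructed-hash')");

// Constructed cookie values: a normal id, the string quoted in the post, an empty value.
$samples = [
    '12',
    '-1 UNION ALL SELECT USER(), NULL FROM mysql.user--',
    '',
];
foreach ($samples as $value) {
    $name = lookup_name($db, ['uid' => $value]);
    // Escape on output as well: a stored name is untrusted in an HTML page.
    echo $name === null
        ? "Invalid session\n"
        : 'Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "!\n";
}
```

Only the numeric value reaches the database; the edited cookie string fails validation before any query is built.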

Post by bad_brain »

well, phpmyadmin is generally a spot that is attacked a LOT...let it run in the default place (http://www.yourdomain.com/phpmyadmin/) and you can see how the logs fill with loads of automated login attempts. best is to remove it completely and use mysql/mysqladmin directly in the shell, or, if there are customers on the server that need this feature, to use a cryptic alias in the webserver config:

Code:

Alias /whatever /var/www/phpmyadmin

:wink:

Post by tharakanuwanpro »

I don't understand how to do it. Please tell me how to do it step by step.

Post by ayu »

Just telling you how to do it won't teach you anything useful...

Learn what PHP is and how it works, and WHY the sites are vulnerable and why the exploits work like they do....

Just by learning PHP you will understand a lot of it much clearer...

Post by shell_admin »

cats wrote: Just telling you how to do it won't teach you anything useful...

Learn what PHP is and how it works, and WHY the sites are vulnerable and why the exploits work like they do....

Just by learning PHP you will understand a lot of it much clearer...

Post by Gogeta70 »

Shell_admin, simply quoting what somebody says is as bad as spam in a way. It's useless, and quite frankly, it's as irritating as somebody standing next to you repeating everything you say.
¯\_(ツ)_/¯ It works on my machine...
