phpMyAdmin Unauthenticated Access Vulnerability

Vulnerability information

Vulnerability name: phpMyAdmin unauthenticated access

Vulnerability type: Unauthenticated access

Severity: Medium

Description: phpMyAdmin is a widely deployed open-source web front end for administering MySQL (and MariaDB) databases. It is commonly installed on servers that need database administration and is a default choice for many developers and system administrators, so weaknesses in how it is deployed have a broad footprint.

This is an unauthenticated-access issue whose root cause is configuration rather than a code defect: the instance is deployed so that requests reach the database view without the visitor authenticating, typically because auth_type is set to "config" with a username and password stored in config.inc.php. Fetching the entry point with a database preselected, for example /phpmyadmin/index.php?db=information_schema or /phpMyAdmin/index.php?db=information_schema, then returns the database structure page directly, with no username or password supplied.

The risk is information disclosure. An attacker can read database structure and table contents and use that access as a stepping stone to further data theft or other malicious operations. Because no authentication is needed and the paths are fixed, exposed instances are easy to find with automated scanners, so the impact is broad wherever phpMyAdmin has been left misconfigured. Note that strings such as information_schema and db_structure.php also appear in phpMyAdmin's own login and access-denied pages (the 401 response dumped below carries db:"information_schema" and logged_in:false in its header script), so a scanner must require an HTTP 200 authenticated page rather than just those markers, or it will report false positives.

Vendor: phpmyadmin

Product: phpMyAdmin

Search syntax: http.title:phpMyAdmin, http.title:"phpmyadmin", http.component:"phpmyadmin", cpe:"cpe:2.3:a:phpmyadmin:phpmyadmin", body="pma_servername" && body="4.8.4", title="phpmyadmin"

Source: https://github.com/projectdiscovery/nuclei-templates/issues/12621

Type: projectdiscovery/nuclei-templates: GitHub issues

Source summary

Template IDs or paths

- http/misconfiguration/phpmyadmin/phpmyadmin-misconfiguration.yaml

Environment

N/A

Steps To Reproduce

I have updated the template as below

id: phpmyadmin-misconfiguration

info:
  name: phpmyadmin Data Exposure
  author: pussycat0x
  severity: medium
  description: An unauthenticated instance of phpmyadmin was discovered, which could be leveraged to access sensitive information.
  reference:
    - https://www.exploit-db.com/ghdb/6997
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-200
  metadata:
    max-request: 2
    vendor: phpmyadmin
    product: phpmyadmin
    shodan-query:
      - "http.title:phpMyAdmin"
      - http.title:"phpmyadmin"
      - http.component:"phpmyadmin"
      - cpe:"cpe:2.3:a:phpmyadmin:phpmyadmin"
    fofa-query:
      - body="pma_servername" && body="4.8.4"
      - title="phpmyadmin"
  tags: phpmyadmin,misconfig,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/phpmyadmin/index.php?db=information_schema"
      - "{{BaseURL}}/phpMyAdmin/index.php?db=information_schema"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "var db =")'
          - 'contains(body, "information_schema")'
          - 'contains(body, "var opendb_url =")'
          - 'contains(body, "db_structure.php")'
        condition: and

      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "db:\"information_schema\"")'
          - 'contains(body, "opendb_url:\"db_structure.php\"")'
        condition: and

Relevant dumped responses

HTTP/1.1 401 Unauthorized
Date: Wed, 16 Jul 2025 14:34:50 GMT
Server: Apache/2
X-Powered-By: PHP/5.5.38
X-ob_mode: 1
WWW-Authenticate: Basic realm="phpMyAdmin localhost"
Expires: Wed, 16 Jul 2025 14:34:50 +0000
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Wed, 16 Jul 2025 14:34:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7781

<!DOCTYPE HTML><html lang='en' dir='ltr'><head><meta charset="utf-8" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex,nofollow" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="viewport" content="width=device-width, initial-scale=1.0"><style id="cfs-style">html{display: none;}</style><link rel="icon" href="favicon.ico" type="image/x-icon" /><link rel="shortcut icon" href="favicon.ico" type="image/x-icon" /><link rel="stylesheet" type="text/css" href="./themes/pmahomme/jquery/jquery-ui.css" /><link rel="stylesheet" type="text/css" href="js/vendor/codemirror/lib/codemirror.css?v=4.9.7" /><link rel="stylesheet" type="text/css" href="js/vendor/codemirror/addon/hint/show-hint.css?v=4.9.7" /><link rel="stylesheet" type="text/css" href="js/vendor/codemirror/addon/lint/lint.css?v=4.9.7" /><link rel="stylesheet" type="text/css" href="phpmyadmin.css.php?nocache=4842544391ltr&amp;server=1" /><link rel="stylesheet" type="text/css" href="./themes/pmahomme/css/printview.css?v=4.9.7" media="print" id="printcss"/><title>Access denied!</title><script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery.min.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery-migrate.js?v=4.9.7"></script>
<script data-cfasync='false' type='text/javascript' src='js/whitelist.php?v=4.9.7&amp;lang=en'></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/sprintf.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/ajax.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/keyhandler.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery-ui.min.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/js.cookie.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery.mousewheel.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery.event.drag-2.2.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery.validate.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery-ui-timepicker-addon.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery.ba-hashchange-1.3.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/jquery/jquery.debounce-1.0.5.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/menu-resizer.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/cross_framing_protection.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/rte.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/tracekit.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/error_report.js?v=4.9.7"></script>
<script data-cfasync='false' type='text/javascript' src='js/messages.php?l=en&amp;v=4.9.7&amp;lang=en'></script>
<script data-cfasync="false" type="text/javascript" src="js/config.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/doclinks.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/functions.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/navigation.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/indexes.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/common.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/page_settings.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/shortcuts_handler.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/codemirror/lib/codemirror.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/codemirror/mode/sql/sql.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/codemirror/addon/runmode/runmode.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/codemirror/addon/hint/show-hint.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/codemirror/addon/hint/sql-hint.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/vendor/codemirror/addon/lint/lint.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/codemirror/addon/lint/sql-lint.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript" src="js/console.js?v=4.9.7"></script>
<script data-cfasync="false" type="text/javascript">// <![CDATA[
PMA_commonParams.setAll({common_query:"?lang=en",opendb_url:"db_structure.php",lang:"en",server:"1",table:"",db:"information_schema",token:"23714c7a613a5f37582f37347d78234c",text_dir:"ltr",show_databases_navigation_as_tree:true,pma_text_default_tab:"Browse",pma_text_left_default_tab:"Structure",pma_text_left_default_tab2:false,LimitChars:"50",pftext:"",confirm:true,LoginCookieValidity:"1440",session_gc_maxlifetime:"1440",logged_in:false,is_https:false,rootPath:"/phpmyadmin/",arg_separator:"&",PMA_VERSION:"4.9.7",auth_type:"http",user:"root"});
ConsoleEnterExecutes=false
AJAX.scriptHandler.add("vendor/jquery/jquery.min.js",0).add("vendor/jquery/jquery-migrate.js",0).add("whitelist.php",1).add("vendor/sprintf.js",1).add("ajax.js",0).add("keyhandler.js",1).add("vendor/jquery/jquery-ui.min.js",0).add("vendor/js.cookie.js",1).add("vendor/jquery/jquery.mousewheel.js",0).add("vendor/jquery/jquery.event.drag-2.2.js",0).add("vendor/jquery/jquery.validate.js",0).add("vendor/jquery/jquery-ui-timepicker-addon.js",0).add("vendor/jquery/jquery.ba-hashchange-1.3.js",0).add("vendor/jquery/jquery.debounce-1.0.5.js",0).add("menu-resizer.js",1).add("cross_framing_protection.js",0).add("rte.js",1).add("vendor/tracekit.js",1).add("error_report.js",1).add("messages.php",0).add("config.js",1).add("doclinks.js",1).add("functions.js",1).add("navigation.js",1).add("indexes.js",1).add("common.js",1).add("page_settings.js",1).add("shortcuts_handler.js",1).add("vendor/codemirror/lib/codemirror.js",0).add("vendor/codemirror/mode/sql/sql.js",0).add("vendor/codemirror/addon/runmode/runmode.js",0).add("vendor/codemirror/addon/hint/show-hint.js",0).add("vendor/codemirror/addon/hint/sql-hint.js",0).add("vendor/codemirror/addon/lint/lint.js",0).add("codemirror/addon/lint/sql-lint.js",0).add("console.js",1);
$(function() {AJAX.fireOnload("whitelist.php");AJAX.fireOnload("vendor/sprintf.js");AJAX.fireOnload("keyhandler.js");AJAX.fireOnload("vendor/js.cookie.js");AJAX.fireOnload("menu-resizer.js");AJAX.fireOnload("rte.js");AJAX.fireOnload("vendor/tracekit.js");AJAX.fireOnload("error_report.js");AJAX.fireOnload("config.js");AJAX.fireOnload("doclinks.js");AJAX.fireOnload("functions.js");AJAX.fireOnload("navigation.js");AJAX.fireOnload("indexes.js");AJAX.fireOnload("common.js");AJAX.fireOnload("page_settings.js");AJAX.fireOnload("shortcuts_handler.js");AJAX.fireOnload("console.js");});
// ]]></script><noscript><style>html{display:block}</style></noscript></head><body id='loginform'><noscript><div class="error"><img src="themes/dot.gif" title="" alt="" class="icon ic_s_error" /> Javascript must be enabled past this point!</div></noscript><div id="page_content"><h1>Welcome to phpMyAdmin</h1><h3><div class="error"><img src="themes/dot.gif" title="" alt="" class="icon ic_s_error" /> Wrong username/password. Access denied.</div></h3></div></body></html>

Anything else?

No response
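The updated template above requires status_code == 200 in both matcher branches because the strings it looks for belong to phpMyAdmin's page header script, which the 401 "Access denied" response dumped above also carries (db:"information_schema", opendb_url:"db_structure.php", logged_in:false, auth_type:"http"). The Python below is added here as an example; it is not part of the nuclei template or of the issue. It replays the template's marker logic over constructed response bodies (one abridged from the dumped 401, the others made up) and adds a check the template does not perform: it parses the PMA_commonParams.setAll({...}) blob and reads logged_in, on the assumption that a cookie-auth login form is served as HTTP 200 with the same markers and would otherwise be reported as exposed. The "config" auth_type sample stands in for a stored-credential deployment and is an assumption about page shape, not captured traffic.

```python
"""Replay the phpmyadmin-misconfiguration matchers and separate a real
exposure from a login page. Added example, not the template's own code."""
import re

# Marker sets copied from the two DSL matchers of the updated template.
LEGACY_MARKERS = ("var db =", "information_schema", "var opendb_url =", "db_structure.php")
MODERN_MARKERS = ('db:"information_schema"', 'opendb_url:"db_structure.php"')

# phpMyAdmin 4.x embeds page state in PMA_commonParams.setAll({...}); the 401
# response in the issue carries logged_in:false and auth_type:"http" there.
_SETALL_RE = re.compile(r"PMA_commonParams\.setAll\(\{(.*?)\}\);", re.S)
_KV_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|true|false|-?\d+(?:\.\d+)?)')


def parse_common_params(body):
    """Return the PMA_commonParams key/values as a dict ({} if the script is absent)."""
    m = _SETALL_RE.search(body)
    if not m:
        return {}
    params = {}
    for key, raw in _KV_RE.findall(m.group(1)):
        if raw in ("true", "false"):
            params[key] = raw == "true"
        elif raw.startswith('"'):
            params[key] = raw[1:-1]
        else:
            params[key] = float(raw) if "." in raw else int(raw)
    return params


def markers_only(body):
    """Marker strings alone, with no status requirement: a 401 login page satisfies this."""
    return all(s in body for s in LEGACY_MARKERS) or all(s in body for s in MODERN_MARKERS)


def template_matches(status_code, body):
    """Exactly the updated template: HTTP 200 and every string of one marker set."""
    return status_code == 200 and markers_only(body)


def classify(status_code, body):
    """'no-match', 'login-page' (markers present but not authenticated) or 'exposed'."""
    if not template_matches(status_code, body):
        return "no-match"
    params = parse_common_params(body)
    # The login page renders the same markers, so insist on an authenticated state:
    # logged_in must not be false and the body must not be the login form
    # (the dumped 401 uses <body id='loginform'>).
    if params.get("logged_in") is False or "id='loginform'" in body:
        return "login-page"
    return "exposed"


# Constructed sample bodies (assumptions, not captured traffic). ACCESS_DENIED_401 is
# abridged from the response dumped in the issue; the token value is the one it shows.
_HEADER_SCRIPT = (
    'PMA_commonParams.setAll({{common_query:"?lang=en",opendb_url:"db_structure.php",'
    'lang:"en",server:"1",table:"",db:"information_schema",'
    'token:"23714c7a613a5f37582f37347d78234c",logged_in:{logged_in},is_https:false,'
    'rootPath:"/phpmyadmin/",PMA_VERSION:"4.9.7",auth_type:"{auth_type}",user:"root"}});'
)
ACCESS_DENIED_401 = (
    "<title>Access denied!</title><script>"
    + _HEADER_SCRIPT.format(logged_in="false", auth_type="http")
    + "</script><body id='loginform'><h1>Welcome to phpMyAdmin</h1>"
    '<div class="error">Wrong username/password. Access denied.</div></body>'
)
COOKIE_LOGIN_200 = (  # assumed shape of a cookie-auth login form (served as 200)
    "<title>phpMyAdmin</title><script>"
    + _HEADER_SCRIPT.format(logged_in="false", auth_type="cookie")
    + "</script><body id='loginform'><form name=\"login_form\"></form></body>"
)
EXPOSED_200 = (  # assumed shape of a stored-credential ("config") instance
    "<title>localhost / information_schema | phpMyAdmin 4.9.7</title><script>"
    + _HEADER_SCRIPT.format(logged_in="true", auth_type="config")
    + '</script><body><table id="tablesForm"><td>CHARACTER_SETS</td></table></body>'
)

if __name__ == "__main__":
    for name, status, body in (("401 http-auth denied", 401, ACCESS_DENIED_401),
                               ("200 cookie login form", 200, COOKIE_LOGIN_200),
                               ("200 config auth", 200, EXPOSED_200)):
        print(f"{name}: markers_only={markers_only(body)} "
              f"template={template_matches(status, body)} verdict={classify(status, body)}")
```

Running it shows why the status check alone was the minimum fix: the 401 body satisfies markers_only, the status requirement rejects it, and the cookie-auth sample passes the template but is caught only by the logged_in check. When triaging a template hit, fetch the page and confirm logged_in:true or visible table data before calling the instance exposed.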


http://example.com/2025/07/18/github_3093538111/
Author: lianccc
Published: July 18, 2025