phpMyAdmin Data Exposure

Vulnerability Information

Vulnerability name: phpMyAdmin Data Exposure

Vulnerability type: Unauthorized access

Severity: Medium

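Description: phpMyAdmin is a widely used open-source database administration tool, used mainly to manage MySQL databases through a web interface. It is typically deployed on web servers that need database administration and is a common tool for developers and database administrators. Because it is so widely used, phpMyAdmin security issues are especially important.

This vulnerability is an unauthorized-access issue. Its technical root cause is that the phpMyAdmin instance is not correctly configured for authentication, so an attacker can reach sensitive information without authenticating. Specifically, an attacker can bypass the login page by requesting a specific URL path directly (such as /phpmyadmin/index.php?db=information_schema) and then view or manipulate database information.

The main security risk of this vulnerability is disclosure of sensitive information: an attacker can use it to obtain sensitive data held in the database, such as user credentials and personal information. Because exploitation requires no authentication, and vulnerable instances can be found in bulk with automated scanning tools, the risk is relatively high. Although the vulnerability does not by itself lead to remote code execution or service disruption, the leaked information may be used in further attacks.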

Vendor: phpmyadmin

Product: phpMyAdmin

Search syntax: http.title:phpMyAdmin, http.title:"phpmyadmin", http.component:"phpmyadmin", cpe:"cpe:2.3:a:phpmyadmin:phpmyadmin", body="pma_servername" && body="4.8.4", title="phpmyadmin"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/75c44130978397d9d25a78531190d6afc0d7fdcd/http%2Fmisconfiguration%2Fphpmyadmin%2Fphpmyadmin-misconfiguration.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details

id: phpmyadmin-misconfiguration

info:
  name: phpmyadmin Data Exposure
  author: pussycat0x
  severity: medium
  description: An unauthenticated instance of phpmyadmin was discovered, which could be leveraged to access sensitive information.
  reference:
    - https://www.exploit-db.com/ghdb/6997
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-200
  metadata:
    max-request: 2
    vendor: phpmyadmin
    product: phpmyadmin
    shodan-query:
      - "http.title:phpMyAdmin"
      - http.title:"phpmyadmin"
      - http.component:"phpmyadmin"
      - cpe:"cpe:2.3:a:phpmyadmin:phpmyadmin"
    fofa-query:
      - body="pma_servername" && body="4.8.4"
      - title="phpmyadmin"
  tags: phpmyadmin,misconfig,edb

flow: http(1) || http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/phpmyadmin/index.php?db=information_schema"

    matchers-condition: and
    matchers:
      - type: status
        internal: true
        status:
          - 200

      - type: word
        internal: true
        part: body
        words:
          - "var db = 'information_schema';"
          - "var opendb_url = 'db_structure.php';"
        condition: and

      - type: word
        internal: true
        part: body
        words:
          - 'name="login_form"'
          - 'id="input_username"'
        negative: true
        condition: or

  - method: GET
    path:
      - "{{BaseURL}}/phpMyAdmin/index.php?db=information_schema"

    matchers-condition: and
    matchers:
      - type: status
        internal: true
        status:
          - 200

      - type: word
        part: body
        internal: true
        words:
          - "db:\"information_schema\""
          - "opendb_url:\"db_structure.php\""
        condition: and

      - type: word
        internal: true
        part: body
        words:
          - 'name="login_form"'
          - 'id="input_username"'
        negative: true
        condition: or
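
The matcher logic of the template above, restated as an offline classifier so the way the three matchers and the flow expression combine can be checked against saved responses. This is an added example, not part of the original page or the nuclei-templates project; the function names and the sample response bodies are constructed for illustration.

```python
# Added example: offline re-implementation of the template's matcher logic.
# The response bodies at the bottom are constructed samples, not captured traffic.

# Markers of the login page, shared by both requests (negative matcher).
LOGIN_MARKERS = ('name="login_form"', 'id="input_username"')

# One entry per request in the template: (path, words that must ALL be present).
REQUESTS = [
    ("/phpmyadmin/index.php?db=information_schema",
     ("var db = 'information_schema';", "var opendb_url = 'db_structure.php';")),
    ("/phpMyAdmin/index.php?db=information_schema",
     ('db:"information_schema"', 'opendb_url:"db_structure.php"')),
]


def request_matches(status, body, required_words):
    """matchers-condition: and -> all three matchers must pass."""
    status_ok = status == 200
    # word matcher with condition: and -> every marker must be in the body
    markers_ok = all(w in body for w in required_words)
    # word matcher with condition: or plus negative: true -> passes only
    # when none of the login-form markers is in the body
    no_login_form = not any(w in body for w in LOGIN_MARKERS)
    return status_ok and markers_ok and no_login_form


def is_exposed(responses):
    """flow: http(1) || http(2) -> a match on either request is a finding.

    responses maps a request path to a (status, body) tuple.
    """
    for path, words in REQUESTS:
        if path in responses and request_matches(*responses[path], words):
            return True
    return False


# Constructed sample bodies for the two marker styles and for a login page.
OPEN_OLD = "<script>var db = 'information_schema';\nvar opendb_url = 'db_structure.php';</script>"
OPEN_NEW = '<script>x({db:"information_schema",opendb_url:"db_structure.php"});</script>'
LOGIN = '<form name="login_form"><input id="input_username"></form>'

if __name__ == "__main__":
    print(is_exposed({REQUESTS[0][0]: (200, OPEN_OLD)}))   # unauthenticated page
    print(is_exposed({REQUESTS[0][0]: (200, LOGIN)}))      # login form shown
```

A page that shows the login form is never reported, even if the database markers also appear in it, because a single login marker is enough to fail the negative matcher.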