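Vulnerability Information
Vulnerability name: phpmyadmin Data Exposure
Vulnerability type: Unauthorized access
Severity: Medium
Description: This issue affects phpMyAdmin, a widely used open-source database administration tool for managing MySQL databases through a web interface. phpMyAdmin is typically deployed on servers whose databases need to be administered remotely, and it is a common component of many websites and applications.
The vulnerability class is unauthorized access. The technical root cause is a phpMyAdmin instance whose authentication mechanism is not configured correctly, which lets an attacker reach sensitive information without authenticating. Specifically, an attacker can access database information, such as the information_schema database, directly by constructing a specific URL path, and thereby obtain sensitive data such as the database structure.
The main security risk is sensitive information disclosure: an attacker can use the unauthorized access to obtain sensitive information from the database, such as the database structure and table data, which may enable deeper attacks. Because exploitation requires no authentication and vulnerable instances can be found in bulk with automated scanning tools, the risk is relatively high.
Vendor: phpmyadmin
Product: phpmyadmin
Search syntax: http.title:phpMyAdmin, http.title:"phpmyadmin", http.component:"phpmyadmin", cpe:"cpe:2.3:a:phpmyadmin:phpmyadmin", body="pma_servername" && body="4.8.4", title="phpmyadmin"
Source: https://github.com/projectdiscovery/nuclei-templates/blob/8adf3624ca40677ee677f49b4590babade5578d4/http%2Fmisconfiguration%2Fphpmyadmin%2Fphpmyadmin-misconfiguration.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC Details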
```yaml
id: phpmyadmin-misconfiguration

info:
  name: phpmyadmin Data Exposure
  author: pussycat0x
  severity: medium
  description: |
    An unauthenticated instance of phpmyadmin was discovered, which could be leveraged to access sensitive information.
  reference:
    - https://www.exploit-db.com/ghdb/6997
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-200
  metadata:
    max-request: 2
    vendor: phpmyadmin
    product: phpmyadmin
    shodan-query:
      - "http.title:phpMyAdmin"
      - http.title:"phpmyadmin"
      - http.component:"phpmyadmin"
      - cpe:"cpe:2.3:a:phpmyadmin:phpmyadmin"
    fofa-query:
      - body="pma_servername" && body="4.8.4"
      - title="phpmyadmin"
  tags: phpmyadmin,misconfig,edb

flow: http(1) || http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/phpmyadmin/index.php?db=information_schema"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - regex("var\\s+db\\s*=\\s*\'information_schema\'",body)
          - regex("var\\s+opendb_url\\s*=\\s*\'db_structure\\.php\'",body)
        condition: and

      - type: dsl
        dsl:
          - 'contains(body, "name=\\\"login_form\\\"")'
          - 'contains(body, "id=\\\"input_username\\\"")'
        condition: and
        negative: true

  - method: GET
    path:
      - "{{BaseURL}}/phpMyAdmin/index.php?db=information_schema"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - regex("var\\s+db\\s*=\\s*\'information_schema\'",body)
          - regex("var\\s+opendb_url\\s*=\\s*\'db_structure\\.php\'",body)
        condition: and

      - type: dsl
        dsl:
          - 'contains(body, "name=\\\"login_form\\\"")'
          - 'contains(body, "id=\\\"input_username\\\"")'
        condition: and
        negative: true
```
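The matcher logic of the template above, re-expressed in Python and run offline over constructed response bodies, shows how the `negative: true` login-form matcher keeps an ordinary login page from being reported as exposed. This is an added example, not part of the nuclei template or the original page; the function name `evaluate` and the sample bodies are assumptions made for illustration.

```python
import re

# Python equivalents of the two DSL matcher blocks in the template.
DB_VAR = re.compile(r"var\s+db\s*=\s*'information_schema'")
OPENDB_VAR = re.compile(r"var\s+opendb_url\s*=\s*'db_structure\.php'")
LOGIN_MARKERS = ('name="login_form"', 'id="input_username"')


def evaluate(status_code: int, body: str) -> dict:
    """Return each matcher's result and the combined verdict (hypothetical helper)."""
    # Matcher 1 (condition: and): HTTP 200 and both JavaScript variables present.
    db_view = (status_code == 200
               and bool(DB_VAR.search(body))
               and bool(OPENDB_VAR.search(body)))
    # Matcher 2 (condition: and, negative: true): passes unless BOTH
    # login-form markers are present in the body.
    no_login_form = not all(marker in body for marker in LOGIN_MARKERS)
    # matchers-condition: and -> both matchers must pass.
    return {"db_view": db_view,
            "no_login_form": no_login_form,
            "exposed": db_view and no_login_form}


# Constructed response bodies (not captured from a real server).
EXPOSED = ("<script>var db = 'information_schema';\n"
           "var opendb_url = 'db_structure.php';</script>\n"
           "<div id=\"pma_navigation\"></div>")
LOGIN = ("<script>var db = 'information_schema';\n"
         "var opendb_url = 'db_structure.php';</script>\n"
         "<form name=\"login_form\"><input id=\"input_username\"></form>")
OTHER = "<html><title>phpMyAdmin</title></html>"

if __name__ == "__main__":
    samples = [("exposed", 200, EXPOSED), ("login page", 200, LOGIN),
               ("unrelated page", 200, OTHER), ("forbidden", 403, EXPOSED)]
    for label, status, body in samples:
        print(f"{label:15} {evaluate(status, body)}")
```

Only the first sample satisfies both matchers; the login page passes the positive matcher but is rejected by the negative one.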