.--------------.-----------------------------------------------.---------------.
|Nice Name Crew|                                               | 30.August.2007|
.--------------.-----------------------------------------------.---------------.

phpMyAdmin - Hacking and Security Issues


This is the first paper released under the NNC crew label.
Here is a short intro to what this paper is and what we are going to cover.
Talking about phpMyAdmin, we all know it is a pretty common application for
database management.
I would consider it a high-risk application if not set up properly.
I will now give you an intro to the structure of phpMyAdmin and its weaknesses.
Afterwards we are going to take a look at countermeasures.

Let's start with the structure and how to find out if it is running on a host.
Let's assume we are in a test network with a webserver running a website
and having a phpMyAdmin installation.

As we all know, one of the first steps in a security audit is to take a look
at the structure of the network and then check if there are any weaknesses.
However, the phpMyAdmin security holes have been exploited a lot by members
of the so-called "FXP scene".
They do mass scans to find open and/or weak phpMyAdmin installations
by doing an HTTP GET and checking if the request works.
In the early days, when pma hacks became popular, they would do simple requests
for the path /phpmyadmin/index.php and check if it returned a 200 OK.
But later on, when it became more popular, there were lots of kids
deleting the index file, so they had to look for other ways to
check if there was pma on the server.
So they discovered that checking for phpinfo.php would do the job perfectly
and that they could even pull host information out of it.


Now let's check what paths I have used to identify phpMyAdmin installations:
/phpmyadmin/index.php
/phpmyadmin/phpinfo.php
/phpmyadmin/left.php
/phpmyadmin/main.php
/phpmyadmin/db_create.php

Now these are the most common ones, but there are also other good ones.
Just take a look at the directory content and then decide what you are
going to check (there is a filename for everybody).
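From the admin's side, the same path list is what to look for in the access log: one client walking several of these paths in a row is a mass scanner, not a user. The following is an added example, not part of the original paper: a small Python detector over constructed Apache combined-format log lines; the probe list is taken from this paper, and the rule that direct requests for files under libraries/ never happen in normal browser use is an assumption.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client, ident, user, [timestamp], "request", status, size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3} ')

# Probe paths named in the paper, xampp's own directories, and server_variables.php.
PROBE_PATHS = {
    "/phpmyadmin/index.php", "/phpmyadmin/phpinfo.php", "/phpmyadmin/left.php",
    "/phpmyadmin/main.php", "/phpmyadmin/db_create.php", "/phpmyadmin/server_variables.php",
    "/phpinfo.php", "/xampp/phpinfo.php", "/xampp/", "/security/",
}
# Assumption: a browser using pma normally never fetches files under libraries/ directly.
LIBRARY_RE = re.compile(r"^/phpmyadmin/libraries/[^/?]+\.lib\.php$")

def normalize(path):
    """Drop the query string and lower-case the path."""
    return path.split("?", 1)[0].lower()

def is_probe(path):
    """True if the request path is one a pma scanner would try."""
    p = normalize(path)
    return p in PROBE_PATHS or bool(LIBRARY_RE.match(p))

def find_scanners(lines, min_paths=2):
    """Return {client_ip: sorted probe paths} for clients that requested at least
    min_paths distinct probe paths. A single hit is normal for an admin logging in;
    several different probes from one client is scanning behaviour."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group("path")):
            hits[m.group("ip")].add(normalize(m.group("path")))
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_paths}

# Constructed sample log (not from a real server): 203.0.113.7 walks the probe list,
# 198.51.100.2 is an ordinary admin opening pma once.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2007:10:01:02 +0200] "GET /phpmyadmin/index.php HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [30/Aug/2007:10:01:02 +0200] "GET /phpmyadmin/phpinfo.php HTTP/1.0" 200 41233 "-" "-"
203.0.113.7 - - [30/Aug/2007:10:01:03 +0200] "GET /phpmyadmin/libraries/common.lib.php HTTP/1.0" 200 512 "-" "-"
198.51.100.2 - - [30/Aug/2007:10:02:10 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.2 - - [30/Aug/2007:10:02:11 +0200] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(ip, "probed:", ", ".join(paths))
```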

As I said, the FXP kids were looking for the phpinfo file and then pulling
information out of it.
You may ask what they need that information for if they already have access
to the database. Well, the reason it is useful is that phpinfo.php contains
a lot of useful information.
For hacking phpMyAdmin I suggest you look out for the following
(this is copy-pasted from one of my test servers):

Configuration File (php.ini) Path /srv/www/v10899/etc/php.ini
System Linux 2.6.14.3-051207a #1 SMP Wed Dec 7 12:17:16 CET 2005 x86_64
DOCUMENT_ROOT /var/www/v10899/htdocs/somehost.domain/www

There are a lot of other good ways to gain info on the server, but these are
the most popular ones. The configuration file path is interesting because it
sometimes gives you information about the webroot.
The system info gives you additional information about the webroot and the
server configuration (in addition to the document root).

Now you have got to ask yourself the following:
How did the vendor react to the fact that kids exploited this?
Well, there is only one logical fix, right? Aehhh... not really,
but they figured that if they blank out the phpinfo so you can't access it
without problems, it may fix this issue. (I do not know if it is an official fix
or just a popular fix by many server-package vendors,
i.e. xampp/lampp from the apachefriends team.)

I will now take the easy way around to explain to you how to hack a phpMyAdmin
installation. Let us assume we are on a Windows server with a default xampp
configuration (the most common form: the user installs the software and erases the
content of the webroot without going through the setup/security wizard).
Now the server is wide open (please note that this is also a problem if you
just have a weak server configuration, so it is not a xampp-specific bug).

Here is the scenario (real world):
Some friend of mine invited me over to check his company's network.
I discovered a "Windows 2003" server with a weak configuration of xampp.
This was found by doing a port 80 scan (to check if there were alive hosts)
and then I checked the webserver I found (looking up various directories):
/xampp/ & /security/ and of course /phpmyadmin/

At that time it was not protected in any way (and the MySQL user had no password),
so I could access the database directly and execute commands through phpMyAdmin.
I created a database called "help" and then wrote some data into the database.
The data written was PHP code. I can imagine you guys already know what happened
next. The only thing I need to say is "into dumpfile".

You get the point? I think now you will understand why there is a need to get
your hands on the path to the webroot: you want your PHP file
within the webroot.
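The attack above needs two things from the MySQL side: an account without a password, and the global FILE privilege that SELECT ... INTO DUMPFILE requires. The following is an added example, not from the paper: a Python check over the text output of the mysql client, using constructed sample output; it assumes the MySQL 5.x mysql.user layout where the hash column is called Password.

```python
import re

# One SHOW GRANTS line: GRANT <privileges> ON <scope> TO '<user>'@'<host>' [...]
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'")

def parse_user_table(text):
    """Parse the tab-separated output of
    mysql -B -e "SELECT User, Host, Password FROM mysql.user" (header line first)."""
    rows = []
    for line in text.splitlines()[1:]:
        if line.strip():
            user, host, pw = line.split("\t")
            rows.append({"user": user, "host": host, "password": pw})
    return rows

def can_write_files(grant_line):
    """True if the grant gives global FILE (or ALL PRIVILEGES), which is exactly
    what SELECT ... INTO DUMPFILE needs to drop a file into the webroot."""
    m = GRANT_RE.match(grant_line.strip())
    if not m or m.group("scope") != "*.*":
        return False
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return "FILE" in privs or "ALL PRIVILEGES" in privs

def audit(user_table, grants):
    """Return (severity, 'user@host', reason) findings for accounts with an
    empty password and for accounts able to write files on the server."""
    findings = []
    for row in parse_user_table(user_table):
        if row["password"] == "":
            findings.append(("high", "%s@%s" % (row["user"], row["host"]), "empty password"))
    for line in grants.splitlines():
        m = GRANT_RE.match(line.strip())
        if m and can_write_files(line):
            findings.append(("medium", "%s@%s" % (m.group("user"), m.group("host")),
                             "global FILE privilege (INTO DUMPFILE possible)"))
    return findings

# Constructed sample output (not from a real server).
USER_TABLE = "User\tHost\tPassword\nroot\tlocalhost\t\npma\tlocalhost\t*CONSTRUCTED_HASH\n"
GRANTS = """GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
GRANT SELECT, INSERT ON `pma`.* TO 'pma'@'localhost'
GRANT FILE ON *.* TO 'pma'@'localhost'
"""

if __name__ == "__main__":
    for sev, acct, why in audit(USER_TABLE, GRANTS):
        print(sev, acct, why)
```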

I will give you two PHP shells that are prepared for injection already.
They will be in sql1.txt and sql2.txt.
In case somebody reposts this or you do not have those files, please
send me a mail to naxx at chilloutzone.eu or go to nnc.unkn0wn.eu!

Once this has been done and your attempt was successful, you can access
the PHP shell through your browser, giving you the ability to execute code
on the server or browse through the files.

The attack described is the most basic attack that you can do on phpMyAdmin.
Now for the countermeasures. Delete phpinfo or blank out the phpinfo files.
This has been proven to be very effective at preventing script kiddie attacks;
however, the skilled reader knows that an attacker will not only check for
the one path, he may also check other paths where phpinfos could be found,
i.e. http://yoursite.com/phpinfo.php or http://yoursite.com/xampp/phpinfo.php

Let's say the phpinfo has been deleted.
The kid may go to one of the following paths to retrieve the webroot
(in most cases this only works if phpinfo is deleted):

http://ip/phpmyadmin/libraries/check...ileges.lib.php
http://ip/phpmyadmin/libraries/common.lib.php
http://ip/phpmyadmin/libraries/datab...erface.lib.php
http://ip/phpmyadmin/libraries/db_table_exists.lib.php
http://ip/phpmyadmin/libraries/displ...tabase.lib.php
http://ip/phpmyadmin/libraries/display_export.lib.php
http://ip/phpmyadmin/libraries/mcrypt.lib.php
http://ip/phpmyadmin/libraries/relation_cleanup.lib.php
http://ip/phpmyadmin/libraries/select_lang.lib.php
http://ip/phpmyadmin/libraries/select_theme.lib.php
http://ip/phpmyadmin/libraries/sqlparser.lib.php
http://ip/phpmyadmin/libraries/storage_engines.lib.php
http://ip/phpmyadmin/libraries/string.lib.php

If the phpinfo is blank (not deleted but just not showing any info),
there is a little trick.
Go to: http://yoursite.com/phpmyadmin/server_variables.php?
In there you will find relevant info about the server.

I personally like to check for the basedir:
basedir \xampp\mysql\
This shows us that there is a xampp installation running,
or it gives us the path to MySQL on Linux (i.e. if it is /opt/lampp/mysql
you only need to replace mysql with htdocs and you have got your directory).

Now we have reached the point of how to gather information about phpMyAdmin.
Well, here is something I found very useful:
Check the server version:
5.0.45-community-nt indicates xampp
MySQL 4.0.27-standard-log mostly indicates unix

There are also several other ones around depending on the server and
MySQL configuration.
I suggest you do some research on your own about this topic because it changes
rapidly.

Now for the unix problem:
I know about that problem with unix servers where you don't find a place to
set your shell to. There are several cool tools that check whether directories
on the server exist or not.
I found I was having great success with sqlliteadmin/ tmp/ images/ ......


I think we are at the point where you should have a fair overview of how
phpMyAdmin hacking works and the most common countermeasures
(as in deleting or blanking out phpinfo.php).
However, in the wild, if an FXP kid has "hacked" a server,
it would be in the state: phpMyAdmin found, shell injected, ftpd running.
They were pretty clever with securing the servers so that they couldn't
get rehacked. This goes from deleting some files like read_dump.php or sql.php
up to deleting the whole phpmyadmin folder.
Admins have another point of view. For them it is not about getting rehacked,
it is about not getting hacked, so they will set SQL users and passwords,
put a .htaccess file in the pma folder and other funny stuff.

However, if you have password authentication to protect pma,
it is good and clever, but as we all know it does not take a lot of time
to brute-force weak passwords.

Sometimes admins don't use .htaccess because they feel safe with just having the
standard phpMyAdmin security stuff, but did any of you create a config.inc.bac
or config.bak or any sort of backup on your server? If so, I would go and delete
it right now, just to prevent bad things from happening.

Also, I have seen a lot of phpMyAdmin installations where pma has been installed
and used for a short time and afterwards PHP was removed.
In that case config.inc.php may hold useful information about passwords.
I cannot count the number of cases where I found the password for the admin
account matched the password that I got out of the config file.
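A quick way to catch the leftovers the last two paragraphs describe (config backups served as plain text, a forgotten phpinfo.php, clear-text credentials in config.inc.php) is to audit the pma folder itself. Added example, not from the paper: Python, run against a constructed sample install in a temp dir; the $cfg['Servers'][$i][...] keys are phpMyAdmin's own configuration directives, and the rule that any config* file not ending in .php is served as text is an assumption about the webserver setup.

```python
import os
import re
import tempfile

# phpMyAdmin's per-server settings look like  $cfg['Servers'][$i]['password'] = 'secret';
CFG_RE = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['(auth_type|user|password)'\]\s*=\s*'([^']*)'")

def check_config(path):
    """Flag a config.inc.php that keeps the MySQL login in clear text (auth_type 'config')."""
    with open(path, encoding="utf-8", errors="replace") as f:
        cfg = dict(CFG_RE.findall(f.read()))  # if several $i blocks exist, the last one wins
    msgs = []
    if cfg.get("auth_type") == "config":
        msgs.append("auth_type 'config': MySQL credentials stored in clear text")
        if cfg.get("password", "") == "":
            msgs.append("user '%s' configured with an empty password" % cfg.get("user", ""))
    return msgs

def audit_pma_dir(root):
    """Walk a phpMyAdmin install and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low = name.lower()
            if low == "phpinfo.php":
                findings.append((rel, "phpinfo.php present: leaks php.ini path, system and DOCUMENT_ROOT"))
            elif low.startswith("config") and not low.endswith(".php"):
                findings.append((rel, "config backup (config.inc.bac, config.bak, ...) served as plain text"))
            elif low == "config.inc.php":
                findings.extend((rel, m) for m in check_config(full))
    return sorted(findings)

def run_sample():
    """Build a constructed sample install (not a real server) in a temp dir and audit it."""
    cfg = ("<?php\n$i = 1;\n$cfg['Servers'][$i]['auth_type'] = 'config';\n"
           "$cfg['Servers'][$i]['user'] = 'root';\n$cfg['Servers'][$i]['password'] = '';\n?>\n")
    with tempfile.TemporaryDirectory() as base:
        for name, body in (("config.inc.php", cfg), ("config.inc.bak", cfg),
                           ("phpinfo.php", "<?php phpinfo(); ?>\n"), ("index.php", "<?php ?>\n")):
            with open(os.path.join(base, name), "w") as f:
                f.write(body)
        return audit_pma_dir(base)

if __name__ == "__main__":
    for rel, msg in run_sample():
        print("%-16s %s" % (rel, msg))
```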



For my part, I think you are quite well informed now about how pma hacks happen
and what you can do to fight them. But seriously, I know that for every measure
any of us (reader or author) comes up with, there is no real chance of not getting
hacked, because if it is not pma it may be just another bug that gets exploited.




Cheers


#Written by naxx (at) chilloutzone.eu
#for Nice Name Crew ( http://nnc.unkn0wn.eu )

http://nicenamecrew.com/papers/pma/sql1.txt
http://nicenamecrew.com/papers/pma/sql2.txt