How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?
17 Apr
2019
17 Apr
'19
10:57 a.m.
Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable
using sqlmap?
Good evening from Singapore,
Our customer (company name is Confidential/not disclosed) reported that their MySQL
database has been found missing or was deleted a few times. They are using Ubuntu 16.04
LTS Linux server with Apache2 Web Server, MySQL and PHP (LAMP).
We responded to these security incidents by changing the passwords of the regular user,
root user, and MySQL database user root. We have also examined /var/log/auth.log and think
that the hacker could not have come in through ssh or sftp over ssh. From
/var/log/mysql/error.log, we can ascertain that the MySQL database has been deleted at
certain timings. We have also found nothing abnormal after examining
/var/log/apache2/access.log.
Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was
still able to delete our customer's MySQL database again and again. I have already
proposed to install ModSecurity Open Source Web Application Firewall (WAF) to defend
against web application attacks but my boss has told me to put that on hold at the moment.
In fact, I have already deployed ModSecurity 2.9.0 on a Ubuntu 16.04 LTS *Testing* server
and found that it actively detects and logs Nessus and sqlmap vulnerability scans in
blocking mode.
Since we did not find any evidence that the hacker had breached our customer's Ubuntu
16.04 LTS production server through ssh or Teamviewer, we suspect that the hacker could
have achieved it by SQL injection. I took the initiative of downloading and installing
Nessus Professional 8.3.1 Trial version for Windows 64-bit. The vulnerability scan report
generated by Nessus Web Application Tests shows that our customer is using a version of
phpMyAdmin prior to 4.8.5 which could be vulnerable to SQL injection using the designer
feature.
Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL injectable.
I already have a Testing Ubuntu 16.04 LTS Linux server with a Testing MySQL database and a
Testing phpMyAdmin 4.8.4. I have purposely installed phpMyAdmin 4.8.4 because this version
was reported to be vulnerable to SQL injection using the designer feature, and our
customer is using a vulnerable version, according to CVE-2019-6798 (
https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute
sqlmap on our Ubuntu Linux desktop against our Testing server.
No matter how many commands I try, sqlmap always report that phpMyAdmin 4.8.4 is *NOT* SQL
injectable. Perhaps I was using the wrong sqlmap commands all the time? The following is
one of the many sqlmap commands I have used.
$ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1"
--level=1 --dbms=mysql --sql-query="drop database"
Replace database by database name.
May I know what is the correct sqlmap command that I should use to determine that my
Testing phpMyAdmin 4.8.4 is SQL injectable? I would like to know if I can successfully
drop/delete the Testing database on our Testing server. If I can successfully drop/delete
the Testing MySQL database using sqlmap, I would be able to conclude that the hacker must
have carried out SQL injection to drop/delete the customer's database. I have already
turned off the Testing ModSecurity Web Application Firewall on our Testing server to allow
sqlmap to go through.
Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not
understand SQL injection well enough. Our customer is also using a customised in-house
inventory management system that relies on PHP application and MySQL database.
Would open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System
(IPS) be able to detect and block SQL injection as well?
Please advise.
Thank you very much.
-----BEGIN EMAIL SIGNATURE-----
The Gospel for all Targeted Individuals (TIs):
[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers
Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
********************************************************************************************
Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-----END EMAIL SIGNATURE-----
17 Apr
17 Apr
1:28 p.m.
Hi,
Thanks for writing. You've touched on a lot of areas here and I'll try
my best to answer your questions.
For finding old security vulnerabilities, the best resources are the
ChangeLog (https://github.com/phpmyadmin/phpmyadmin/blob/master/ChangeLog
and https://github.com/phpmyadmin/history/tree/master/ChangeLogs) and
our security announcements page
(https://www.phpmyadmin.net/security/).
The specific vulnerability with 4.8.4 is PMASA-2019-02
(https://www.phpmyadmin.net/security/PMASA-2019-2/) which is indeed an
SQL injection vulnerability in Designer. If I remember correctly the
details of the attack, specially-crafted username can be used to
exploit this, so an attacker would need to be able to create the
specially-crafted username through some exploit of some other software
or by using a valid MySQL account with proper permissions. The attack
is then triggered by an authorized user accessing the Designer
feature.
Accessing phpMyAdmin would normally leave a trail in the Apache access
logs, so if you didn't see anything suspicious or relevant at the time
of attack it seems less likely that phpMyAdmin would have been used in
the attack.
I'm not familiar with using sqlmap in this capacity but, based on the
attack vector of the Designer attack, assume that you'd have to log in
with a valid user account and use that established session in testing
the exploit. I can't think of a way to actually do that, though.
As far as using and configuring Snort, this is not my area of
expertise so I'll pass on giving any specific advice. My understanding
is that you can detect SQL injection attacks using Snort, though.
I hope this information is of help to you,
Isaac
On Wed, Apr 17, 2019 at 9:58 AM Turritopsis Dohrnii Teo En Ming
<ceo(a)teo-en-ming-corp.com> wrote:
Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL
Injectable using sqlmap?
Good evening from Singapore,
Our customer (company name is Confidential/not disclosed) reported that their MySQL
database has been found missing or was deleted a few times. They are using Ubuntu 16.04
LTS Linux server with Apache2 Web Server, MySQL and PHP (LAMP).
We responded to these security incidents by changing the passwords of the regular user,
root user, and MySQL database user root. We have also examined /var/log/auth.log and think
that the hacker could not have come in through ssh or sftp over ssh. From
/var/log/mysql/error.log, we can ascertain that the MySQL database has been deleted at
certain timings. We have also found nothing abnormal after examining
/var/log/apache2/access.log.
Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was
still able to delete our customer's MySQL database again and again. I have already
proposed to install ModSecurity Open Source Web Application Firewall (WAF) to defend
against web application attacks but my boss has told me to put that on hold at the moment.
In fact, I have already deployed ModSecurity 2.9.0 on a Ubuntu 16.04 LTS *Testing* server
and found that it actively detects and logs Nessus and sqlmap vulnerability scans in
blocking mode.
Since we did not find any evidence that the hacker had breached our customer's Ubuntu
16.04 LTS production server through ssh or Teamviewer, we suspect that the hacker could
have achieved it by SQL injection. I took the initiative of downloading and installing
Nessus Professional 8.3.1 Trial version for Windows 64-bit. The vulnerability scan report
generated by Nessus Web Application Tests shows that our customer is using a version of
phpMyAdmin prior to 4.8.5 which could be vulnerable to SQL injection using the designer
feature.
Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL
injectable. I already have a Testing Ubuntu 16.04 LTS Linux server with a Testing MySQL
database and a Testing phpMyAdmin 4.8.4. I have purposely installed phpMyAdmin 4.8.4
because this version was reported to be vulnerable to SQL injection using the designer
feature, and our customer is using a vulnerable version, according to CVE-2019-6798 (
https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute
sqlmap on our Ubuntu Linux desktop against our Testing server.
No matter how many commands I try, sqlmap always report that phpMyAdmin 4.8.4 is *NOT*
SQL injectable. Perhaps I was using the wrong sqlmap commands all the time? The following
is one of the many sqlmap commands I have used.
$ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1"
--level=1 --dbms=mysql --sql-query="drop database"
Replace database by database name.
May I know what is the correct sqlmap command that I should use to determine that my
Testing phpMyAdmin 4.8.4 is SQL injectable? I would like to know if I can successfully
drop/delete the Testing database on our Testing server. If I can successfully drop/delete
the Testing MySQL database using sqlmap, I would be able to conclude that the hacker must
have carried out SQL injection to drop/delete the customer's database. I have already
turned off the Testing ModSecurity Web Application Firewall on our Testing server to allow
sqlmap to go through.
Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not
understand SQL injection well enough. Our customer is also using a customised in-house
inventory management system that relies on PHP application and MySQL database.
Would open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System
(IPS) be able to detect and block SQL injection as well?
Please advise.
Thank you very much.
-----BEGIN EMAIL SIGNATURE-----
The Gospel for all Targeted Individuals (TIs):
[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers
Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
********************************************************************************************
Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-----END EMAIL SIGNATURE-----
_______________________________________________
Developers mailing list
Developers(a)phpmyadmin.net
https://lists.phpmyadmin.net/mailman/listinfo/developers
1970
days inactive
1970
days old
1 comments
2 participants
participants (2)
-
Isaac Bennetch -
Turritopsis Dohrnii Teo En Ming