The following vulnerability was tested on phpMyAdmin version 5.0.
Issue: SQL Injection with missing functional level access:
1. Log in to the phpMyAdmin GUI
2. Installed phpMyAdmin (Version 5.0)
Figure 01: phpMyAdmin Installed Version 5.0.0
Figure 02: List of user accounts and privileges in the database.
Figure 03: Just for information, the Test user doesn't have global privileges.
Figure 04: The "Test" user has all privileges on the test database only.
Figure 05: Log in to phpMyAdmin with the "test" user credentials.
Now, enable an HTTP-based proxy on the browser to intercept the traffic to the server.
Figure 06: The "Test" user doesn't have enough privileges to view users and other databases.
Figure 07: The intercepted Ajax call in the proxy is related to the user accounts page.
Figure 08: The JavaScript file related to the server_privileges.php page's Ajax calls.
Figure 09: JavaScript code, which is responsible for checking the existence of the username in the database.
Figure 10: The modified Ajax call which was intercepted in Burp with the required details to make validate_username
Figure 11: As per the privileges, the user shouldn't be able to access this Ajax call, but the server returns a SQL error in the response. The response to the Ajax call confirms that the request is vulnerable to Missing Functional Level Access.
Figure 12: An unauthorized (test) user was able to control the SQL statement that is responsible for validating the username.
Figure 13: The difference between the responses to the previous request and the current request confirms that the username field is vulnerable to SQL injection.
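
The two defects described in Figures 11 to 13, modelled side by side with their fix. This is an added example, not phpMyAdmin's code: it uses Python's sqlite3 with a constructed accounts table in place of MySQL, and every function and table name in it is hypothetical.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the server's account table (not phpMyAdmin's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("root", 1), ("test", 0)])
    return db

def is_admin(db, session_user):
    """Privilege lookup for the logged-in session user."""
    row = db.execute("SELECT is_admin FROM accounts WHERE user = ?",
                     (session_user,)).fetchone()
    return bool(row and row[0])

def validate_username_weak(db, session_user, username):
    """Flawed shape: session_user is never checked and the input is
    concatenated into the statement."""
    sql = "SELECT 1 FROM accounts WHERE user = '" + username + "' LIMIT 1"
    try:
        return {"status": 200, "exists": db.execute(sql).fetchone() is not None}
    except sqlite3.Error as exc:
        # The raw database error goes back to the caller, which is the
        # symptom seen in Figure 11.
        return {"status": 200, "error": str(exc)}

def validate_username_hardened(db, session_user, username):
    """Corrected shape: authorize the function first, then bind the input."""
    if not is_admin(db, session_user):
        # Function-level access control: hiding the page in the UI is not
        # enough, the Ajax handler must refuse the request itself.
        return {"status": 403}
    row = db.execute("SELECT 1 FROM accounts WHERE user = ? LIMIT 1",
                     (username,)).fetchone()
    return {"status": 200, "exists": row is not None}

if __name__ == "__main__":
    db = make_db()
    # A harmless name containing an apostrophe is enough to break the weak query.
    print(validate_username_weak(db, "test", "o'brien"))
    print(validate_username_hardened(db, "test", "o'brien"))
    print(validate_username_hardened(db, "root", "o'brien"))
```

When retesting a fix, both properties need checking separately: the low-privilege session must be refused before any query runs, and a privileged session must get a clean "not found" for input containing quote characters rather than a database error.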