ISC Stormcast For Tuesday, August 8th 2017 https://isc.sans.edu/podcastdetail.html?id=5616

Increase of phpMyAdmin scans

Published: 2017-08-07. Last Updated: 2017-08-07 08:08:08 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

PMA (or "phpMyAdmin") is a well-known MySQL front-end written in PHP that "brings MySQL to the web" as stated on the web site[1]. The tool is very popular amongst web developers because it helps to maintain databases just by using a web browser. This also means that the front-end might be publicly exposed! It is a common finding in many penetration tests to find an old PMA interface left by an admin.

Even if PMA restricts access with a login page, there is a lack of protection against brute-force attacks. One of my favourite tool to perform such attack is Patator[2].

$ patator http_fuzz url=http://www.acme.org/pma/index.php \ 
method=POST \ 
body="pma_username=admin&;pma_password=COMBO00&server=1&target=index.php&lang=en&token= \ 
0=dictionary.txt \ 
before_urls=http://www.acme.org/pma/index.php \ 
accept_cookie=1 \ 
follow=1 \ 
-x ignore:fgrep="Cannot log in to the MySQL server"

Today, I detected an increasing amount of attempts to find PMA interfaces against my honeypots. Here is an extract of the tested URLs:

/mysql/admin/
/mysql/dbadmin/
/mysql/sqlmanager/
/mysql/mysqlmanager/
/phpmyadmin/
/phpMyadmin/
/phpMyAdmin/
/phpmyAdmin/
/phpmyadmin2/
/phpmyadmin3/
/phpmyadmin4/
/2phpmyadmin/
/phpmy/
/phppma/
/myadmin/
/phpmyadmin/
/PMA/
/dbadmin/
/pma/
/db/phpmyadmin/
/db/phpMyAdmin/
/sqlmanager/
/mysqlmanager/
/php-myadmin/
/phpmy-admin/
/mysqladmin/
/mysql-admin/
/admin/phpmyadmin/
/admin/phpMyAdmin/
/admin/sysadmin/
/admin/sqladmin/
/admin/db/
/admin/web/
/admin/pMA/
/mysql/pma/
/mysql/pMA/
/sql/phpmanager/
/sql/php-myadmin/
/sql/phpmy-admin/
/sql/myadmin/
/sql/webadmin/
/sql/sqlweb/
/sql/websql/
/sql/webdb/
/sql/sqladmin/
/sql/sql-admin/
/sql/phpmyadmin2/
/sql/phpMyAdmin2/
/sql/phpMyAdmin/
/db/myadmin/
/db/webadmin/
/db/websql/
/db/dbadmin/
/db/db-admin/
/db/phpmyadmin3/
/db/phpMyAdmin3/
/db/phpMyAdmin-3/
/administrator/phpmyadmin/
/administrator/phpMyAdmin/
/administrator/pma/
/administrator/PMA/
/phpMyAdmin2/
/phpMyAdmin3/
/phpMyAdmin4/
/phpMyAdmin-3/
/php-my-admin/
/PMA2011/
/PMA2012/
/PMA2013/
/PMA2014/
/PMA2015/
/PMA2016/
/PMA2017/
/PMA2018/
/pma2011/
/pma2012/
/pma2013/
/pma2014/
/pma2015/
/pma2016/
/pma2017/
/pma2018/
/phpmyadmin2011/
/phpmyadmin2012/
/phpmyadmin2013/
/phpmyadmin2014/
/phpmyadmin2015/
/phpmyadmin2016/
/phpmyadmin2017/
/phpmyadmin2018/
/phpmanager/

Also, older releases of phpMyAdmin have multiple known vulnerabilities[3]. Databases are critical components in most modern web applications. If there is a lack of protection, it should be possible to access other (internal? confidential?) databases from a compromised phpMyAdmin. My advice is to simply NOT expose these administration tools to the wild Internet and, if it is required, to not rely on the default protection mechanisms. A simple extra protection layer is to restrict access to internal hosts or VPNs with an IP access-list. An example with Apache:

<Directory "/pma">
    order deny,allow
    deny from all allow from 10.0.0.1
    allow from 10.0.0.2
</Directory>

[1] https://www.phpmyadmin.net/
[2] https://github.com/lanjelot/patator
[3] https://www.cvedetails.com/vulnerability-list/vendor_id-784/cvssscoremin-7/cvssscoremax-7.99/Phpmyadmin.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: bruteforce database mysql phpmyadmin pma
1 comment(s)
ISC Stormcast For Monday, August 7th 2017 https://isc.sans.edu/podcastdetail.html?id=5614

Comments

Login here to join the discussion.


Diary Archives