Increase of phpMyAdmin scans, (Mon, Aug 7th)

PMA (or phpMyAdmin) is a well-known MySQL front-end written in PHP that "brings MySQL to the web", as stated on the web site[1]. The tool is very popular amongst web developers because it lets them maintain databases using nothing more than a web browser. This also means that the front-end might be publicly exposed! It is a common finding in many penetration tests to discover an old PMA interface left behind by an admin.

Even if PMA restricts access with a login page, there is no built-in protection against brute-force attacks on that login form. The following patator[2] command is the kind of test used to check for it (COMBO00 is replaced by each line of the dictionary, and responses containing the PMA login error message are ignored so that only a successful login is reported):
$ patator http_fuzz url=http://www.acme.org/pma/index.php \
    method=POST \
    body='pma_username=admin&pma_password=COMBO00&server=1&target=index.php&lang=en&token=' \
    0=dictionary.txt \
    before_urls=http://www.acme.org/pma/index.php \
    accept_cookie=1 \
    follow=1 \
    -x ignore:fgrep='Cannot log in to the MySQL server'
Access to the PMA directory should therefore be restricted to trusted IP addresses in the web server configuration. In Apache (2.2-style access directives):

<Directory /pma>
    # "/pma" stands for the filesystem path of the PMA installation.
    Order deny,allow
    Deny from all
    Allow from 10.0.0.1
    Allow from 10.0.0.2
    # Apache 2.4 equivalent (without mod_access_compat): Require ip 10.0.0.1 10.0.0.2
</Directory>
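As an added example (not part of the original diary), here is a small Python script that flags in Apache access logs the two behaviours discussed above: one source probing several phpMyAdmin-style paths, and one source repeatedly POSTing to the PMA login form. The log lines, the list of probed prefixes and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2017:10:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:10:01:02 +0000] "GET /pma/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:10:01:02 +0000] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Aug/2017:10:02:10 +0000] "POST /pma/index.php HTTP/1.1" 200 1532 "-" "python-requests/2.18"
198.51.100.9 - - [07/Aug/2017:10:02:10 +0000] "POST /pma/index.php HTTP/1.1" 200 1532 "-" "python-requests/2.18"
198.51.100.9 - - [07/Aug/2017:10:02:11 +0000] "POST /pma/index.php HTTP/1.1" 200 1532 "-" "python-requests/2.18"
10.0.0.1 - - [07/Aug/2017:10:03:00 +0000] "GET /pma/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# URL prefixes that PMA scanners typically try (assumed list for this example).
PMA_PREFIXES = ("/phpmyadmin", "/pma", "/myadmin", "/mysql")

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, probe_threshold=2, post_threshold=3):
    """Flag sources that probe several PMA-style paths or hammer the PMA login."""
    probed = defaultdict(set)  # ip -> distinct PMA-style paths requested
    posts = defaultdict(int)   # ip -> POSTs to a PMA index.php (login form)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if not path.startswith(PMA_PREFIXES):
            continue
        probed[rec["ip"]].add(path)
        # A failed PMA login is still answered with 200 (the error is in the body,
        # which is what patator's fgrep filter keys on), so count login POSTs instead.
        if rec["method"] == "POST" and path.endswith("index.php"):
            posts[rec["ip"]] += 1
    findings = defaultdict(list)
    for ip, paths in probed.items():
        if len(paths) >= probe_threshold:
            findings[ip].append(f"probed {len(paths)} PMA-style paths")
    for ip, n in posts.items():
        if n >= post_threshold:
            findings[ip].append(f"{n} login POSTs to PMA")
    return dict(findings)
```

Run `analyze(SAMPLE_LOG)` to get a dict of flagged source IPs; the trusted 10.0.0.1 host with a single request is not reported.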

[1] https://www.phpmyadmin.net/
[2] https://github.com/lanjelot/patator
[3] https://www.cvedetails.com/vulnerability-list/vendor_id-784/cvssscoremin-7/cvssscoremax-7.99/Phpmyadmin.html

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.