MySQL Lists are EOL. Please join:

List:General Discussion« Previous MessageNext Message »
From:shawn l.green Date:April 17 2019 7:12pm
Subject:Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL
Injectable using sqlmap?
View as plain text  
Hello,

On 4/17/2019 10:29 AM, Turritopsis Dohrnii Teo En Ming wrote:
> Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL
> Injectable using sqlmap?
>
> Good evening from Singapore,
>
> Our customer (company name is Confidential/not disclosed) reported that their MySQL
> database has been found missing or was deleted a few times.

While it is bad form to explain how to break into anyone's software 
(including our own), there are places you can look to get a better idea 
about what might have happened:

1 - the database may have been removed by a DROP DATABASE command.

General Query Log - this will show you which session issued the command 
and the command itself.

Audit log (only for commercial releases) - same thing

Binary Log - Should have a record of the command executing. But, 
depending on which account was used or if Binary Log filtering is in 
place, it may not. This presumes that the Binary Log is even enabled on 
this system.  Many people mistakenly believe it is only for Replication 
when its other primary use is for point-in-time recovery. If your 
customer has a recent backup and all of the Binary Log files created 
since that backup, they could return the system to the point it was at 
just before that database went missing, skip that DROP command, then 
continue rolling forward the changes to the other tables to return to a 
"current" state of their data.

2 - The database was "dropped" by either changing privileges to the 
folder or by removing it from disk or some other file-level or 
system-level operation. Either of those would cause errors to start 
appearing in the MySQL Error Log because a resource that mysqld thinks 
should exist is no longer available.   While the Error Log can't tell 
you which operation made those files "no longer available" it will have 
a fingerprint that such an action happened outside of mysqld.


Have you determined which method was used to make that database/schema 
disappear?

A normal DROP command (which could happen through an SQL injection 
attack) would not leave messages in the Error Log about "unable to 
access ..." or something similar. The server (mysqld) would know that 
the database was gone (because it removed it) and it wouldn't be trying 
to find it or the tables within it for your clients to use it.


>
> ... snip ...
> No matter how many commands I try, sqlmap always report that phpMyAdmin 4.8.4 is
> *NOT* SQL injectable. Perhaps I was using the wrong sqlmap commands all the time? The
> following is one of the many sqlmap commands I have used.
>
> $ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1" --level=1
> --dbms=mysql --sql-query="drop database"
>

Privately asking phpMyAdmin may be a better source of information about 
how to hack their system to do things it was not intended to do. This 
list is not about phpMyAdmin and it is very public.  They may also have 
a way of showing you some kind of trace or log that serves as a 
fingerprint for that happening.


-- 
Shawn Green
MySQL Senior Principal Technical Support Engineer
Oracle USA, Inc. - Integrated Cloud Applications & Platform Services
Office: Blountville, TN

Become certified in MySQL! Visit https://www.mysql.com/certification/ 
for details.
Thread
How do I determine if versions of phpMyAdmin before 4.8.5 is SQLInjectable using sqlmap?Turritopsis Dohrnii Teo En Ming17 Apr 2019
Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQLInjectable using sqlmap?shawn l.green17 Apr 2019