.--------------.----------------------------------------------.----------------.
|Nice Name Crew|                                              |4.September.2007|
.--------------.----------------------------------------------.----------------.

PhpMyAdmin - Advanced Hacking

This is the second paper released under the NNC - Crew label. We will cover advanced phpMyAdmin hacking techniques, and then take a look at some default MySQL security issues that can be exploited through phpMyAdmin!

To get started we will give you a few more phpMyAdmin file names that can be used to detect installations; some of them will even give you information about the web root! (These have been sent in by readers of the first paper.)

libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php
get_foreign.lib.php?field=foo&foreigners[foo]=foo
libraries/display_tbl_links.lib.php
display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php
charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true
libraries/sqlvalidator.lib.php
libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php
libraries/auth/cookie.auth.lib.php?coming_from_common=true

Speaking of files, how about some more folders that contain phpMyAdmin? We recommend that you add these to your security tools.
/admin/
/admin/pma/
/admin/phpmyadmin/
/db/
/dbadmin/
/myadmin/
/mysql/
/mysqladmin/
/typo3/phpmyadmin/
/phpadmin/
/phpmyadmin/
/phpmyadmin1/
/phpmyadmin2/
/p/m/a/
/pma/
/phpMyAdmin-2.2.3/
/phpMyAdmin-2.2.7-pl1/
/phpMyAdmin-2.5.6/
/phpMyAdmin-2.5.7-pl1/
/phpMyAdmin-2.6.0/
/phpMyAdmin-2.6.0-pl3/
/phpMyAdmin-2.6.1-pl3/
/phpMyAdmin-2.6.3-pl1/
/phpMyAdmin 2.6.4-pl4/
/phpMyAdmin 2.7.0-beta1/
/phpMyAdmin 2.7.0-rc1/
/phpMyAdmin 2.7.0/
/phpMyAdmin-2.6.4/
/phpMyAdmin 2.7.0-pl1/
/web/phpMyAdmin/
/xampp/phpmyadmin/

We also experienced some problems with missing files like sql.php. Here's a fix for some of those problems; it will also fix some issues with so-called "localhost errors", where the phpMyAdmin installation is configured in a way that says the server is localhost (instead of 127.0.0.1), so whatever you do you will be sent to localhost/phpmyadmin/somefile.php instead of 10.0.0.1/phpmyadmin/somefile.php

Phpmyadmin-Helper

We assume that you have the ability to read basic HTML and understand what this little piece of code does, so there is no further need for explanation. When looking at our files we discovered that we had a more complex version of this around (localhost.rar in the same dir as this paper).

Now for the topic of secure logins! Vicious and I know that we could unleash a discussion about secure passwords, authentication methods, algorithms and other things you never heard of, but let's keep it short, let's keep it simple, let's keep it phpMyAdmin! A while back when I was messing around with phpMyAdmin I discovered a few things I liked and a few things I didn't like. Here is a snippet from the config.inc.php:

    $cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method (valid choices: config, http, HTTP, signon or cookie)

If it's set to config, well, bad choice! If you set it to cookie, well, another bad choice! The reason is that if you ever heard about XSS and cookie stealers you know that there's already a possible weakness! Taking a look at milw0rm revealed that there were already some XSS holes found in phpMyAdmin. The other two look quite promising, don't they? - NO NO NO. Here lies one of the worst weaknesses in phpMyAdmin I have ever seen. Looking back at the first paper, I wrote that if you use a .htaccess file in your phpMyAdmin folder it will give you some feeling of security, but since bruteforce attacks are pretty common nowadays it's a potential risk too! Taking a look at the HTTP authentication is simple. If you turn it on and then reload the page in your browser you will notice that a little HTTP authentication window pops up and asks you for a username and password. But it is not any built-in account or password you are prompted for! OH NO - it's your username and password for the database. Therefore it's pretty simple to get access to the system once you notice it.
Just bring up your favorite bruteforce tool, set the username to root and load a LONG password list. You are ready to go; just bruteforce the password of the root account of the MySQL database. Even .htpasswd is more secure, because it gives you a someuser:somepassword pair that you set for the phpMyAdmin folder and not the root user password for the MySQL server. Because if the attack works and the password is guessed, you are pretty fucked right away!

Here are some more facts about phpMyAdmin hacking. Back when it was popular in the FXP scene, there were some scan tools developed for it; I will give you a list of them now. (This is only a list of names; do not ask us to provide you with the tools or source code of any malicious programs.) At first dfind -req was used to find /phpmyadmin/index.php files. Later on a few coders wrote semi-professional tools for it. A guy who calls himself phraze wrote a tool called pmafind. I have already seen a few tools called pma.exe, findpma.exe and pma_find_gui (some Delphi app + a hidden version of it). Also there were attempts to use a tool called Accessdriver to do a bruteforce attack on phpMyAdmin, but the kids found that it was not suitable for mass scanning/brutes, so they came up with a tool called brutepma: a simple tool written in C that will just try a few standard passwords and usernames. naxx set up a 'honeypot' for little kids (that would let them add their scripts to the database, but won't allow dumping or deleting it) so we could get our hands on some more scripts used by the kids! (We are not responsible for the contents of this file: smoresql.txt)

Now that we are mostly done with phpMyAdmin holes and security issues, we think it is our responsibility to inform you about a directory traversal in phpMyAdmin 2.6.4-pl1 that was discovered by a guy working under the handle cXIb8O3 for the SecurityReason.com TEAM (Maksymilian Arciemowicz cxib@securtiyreason.com).
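As an added example (not part of the paper and not any of the tools named in it), here is what the HTTP-auth weakness above looks like from the server side and how an admin can spot it: a Python script that scans Apache access-log lines for bursts of 401 responses against the phpMyAdmin directories listed earlier, and records whether a successful authenticated request followed the burst, which would mean the database password was guessed. The sample log lines, client addresses, thresholds and the directory regex are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(?:\S+) (\S+) [^"]*" (\d{3})')
PMA_PATH_RE = re.compile(r"/(phpmyadmin[^/]*|pma|myadmin|mysqladmin|dbadmin)/", re.I)  # dirs from the paper

# Constructed Apache log sample (not from the paper): 10.0.0.5 hammers an HTTP-auth protected
# phpMyAdmin directory and finally gets in as root; 192.168.1.20 is a normal user with one typo.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Sep/2007:10:00:01 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 401 "-" "-"
10.0.0.5 - - [04/Sep/2007:10:00:01 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 401 "-" "-"
10.0.0.5 - - [04/Sep/2007:10:00:02 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 401 "-" "-"
10.0.0.5 - - [04/Sep/2007:10:00:03 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 401 "-" "-"
10.0.0.5 - root [04/Sep/2007:10:00:04 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 5123 "-" "-"
192.168.1.20 - - [04/Sep/2007:10:04:58 +0200] "GET /pma/ HTTP/1.1" 401 401 "-" "-"
192.168.1.20 - admin [04/Sep/2007:10:05:00 +0200] "GET /pma/index.php HTTP/1.1" 200 5123 "-" "-"
"""

def parse_line(line):
    # Returns (client, auth_user, timestamp, path, status) or None if the line does not parse.
    m = LINE_RE.match(line)
    if not m:
        return None
    client, user, ts, path, status = m.groups()
    return client, user, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_bruteforce(log_text, threshold=4, window_seconds=60):
    """Alert on clients with >= threshold 401s on phpMyAdmin paths within window_seconds."""
    failures = defaultdict(list)  # client -> timestamps of 401 responses
    guessed = {}                  # client -> DB user of a 2xx request seen after the burst
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not PMA_PATH_RE.search(rec[3]):
            continue
        client, user, ts, _, status = rec
        if status == 401:
            failures[client].append(ts)
        elif 200 <= status < 300 and user != "-" and len(failures[client]) >= threshold:
            guessed.setdefault(client, user)
    alerts = {}
    for client, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted failure times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[client] = {"failures": len(times), "guessed_user": guessed.get(client)}
                break
    return alerts
```

A guessed_user of root in the alert is the exact outcome the paper warns about: the web server's password prompt was the MySQL root password, so the burst of 401s was a dictionary run against the database itself.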
We here at Nice Name Crew hope you enjoyed reading this paper and that you learned from it. If you have any questions or feedback, please send us a mail to naxx@chilloutzone.eu or vicious@chilloutzone.eu. We also suggest you take a look at our homepage: http://www.nicenamecrew.com/

Cheers to all security freaks/monkeys out there....keep it nice ... keep it clean...keep it simple! And also remember: if you make it idiotproof, somebody will make a better idiot!

So long.....Vic&Naxx