Dziura w XAMPP - user PMA bez hasla

[Rybak112]

Podobno da się zawładnąć serwerem z zainstalowanym xamppem przez luke w zabezpieczeniach xamppa - a dokladniej, usera PMA bez hasla. tu cytat:

I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

The user pma has more permissions than it should have.

I teraz o jakie uprawnienia chodzi? Szukalem ale nigdzie nie idzie tego znaleźć.

[TQM]

Najprosciej zainstaluj XAMPP i sam sprawdz o co chdzi

[Rybak112]

mam zainstalowanego. Próbowałem coś zrobić, ale nic nie wychodzi. probowalem przez SELECT 'kod shella' INTO OUTFILE c:\xampp~, ale user PMA nie ma do tego uprawnień - jedno wiem, na 100% da się jakoś wykorzystać PMA żeby zdobyć roota, bno juz widziałem takie przypadki.

[GSG-9]

The user pma has more permissions than it should have.

Kod:

SELECT 'kod shella' INTO OUTFILE c:\xampp~

nie sadzisz ze nie chodzi o windowsa?

[adamus_1234]

Damn I am so interested about this, doesn't anybody know how to use this PMA user? I know they can gain root password with it.

I found only this, but I dont know how to use it in Xampp for windows.
http://bugs.gentoo.org/show_bug.cgi?id=88831

[TQM]

I know they can gain root password with it.
I found only this, but I dont know how to use it in Xampp for windows.

root in windows - good luck!

[adamus_1234]

root in windows - good luck!

Well, I mean the user root in Phpmyadmin which comes with Xampp. Seriously nobody doesn't know? I know PMA user has these rights:

GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost';

[Cwenu]

UPDATE user SET password=PASSWORD("the-new-root-password") WHERE User='root';
flush privileges;

[adamus_1234]

UPDATE user SET password=PASSWORD("asdasd") WHERE User='root';

#1146 - Table 'phpmyadmin.user' doesn't exist

Had to delete the part with the "FLUSH" command, because it seems that we can't "FLUSH" with user PMA.

Then I decided to add this "#" before the command. Managed to run the query, but when I tried to login, it didn't work

Your SQL query has been executed successfully

C'mon guys, let's solve this. There seems to be lot of people to know about it in other forums, but they are selfish! Haha!

[Cwenu]

surely noone will put it on public board cos they dont want do just every1 to know, I honestly dunno cos I never tried it, maybe u re trying on already secured server?

i found

========================================
Beating so called "secured" PMA servers
By: Ian Cummings aka d2mmn
=======================================
iNLiZE CreW
=======================================
Say we come across a site running phpmyadmin with default user. We get inside, and click PHP-Information, and we get a 421 error. Or perhaps PHP-Information isn't even present. Lets see if we can get around that. Click on "Databases". Then once the screen loads click the "Variables" tab on top. Scroll down a little ways until you come across this line:

basedir:

Here it tells us where the mysql is running (ex. basedir c:\wamp\mysql\) Now, lets say we wanted to exploit this. Our only reason to gather the directory of PMA is to write our shell to a .php file. So lets take a couple guesses:

c:\wamp\phpmyadmin\
c:\wamp\www\phpmyadmin\


We use those directories when trying to write our shell, and we get success! A little bit of luck and guessing and we are in. This will not work on all PMA's and probably won't work on many. However, just another vulnerability involved if you leave your PMA with default root user.

-d2

p.s. Sorry if this is in the wrong forum, wasn't exactly sure where to put it.

Go to Privileges>edit root>localhost

Check out the section below that's called Change Login Information / Copy User

Should be the following:
User name:>Use text field:>root
Host:>local>localhost
Password: Choices>Do not change password>No password>Use text field
Select No Password - to delete your current password
Select Use text field - to change the password
The other choice is self explanatory.

config.inc.php
$cfg['Servers'][$i]['password'] = 'NEW_ROOT_PASSWORD';