Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?

["J. Hellenthal via Snort-users" <snort-users () lists snort org>]

Highly doubt this is the right mailing list for this.

Contact your local friendly developer 

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Apr 17, 2019, at 09:09, Turritopsis Dohrnii Teo En Ming <ceo () teo-en-ming-corp com> wrote:
>
> Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?
>  
> Good evening from Singapore,
>  
> Our customer (company name is Confidential/not disclosed) reported that their MySQL database has been found missing 
> or was deleted a few times. They are using Ubuntu 16.04 LTS Linux server with Apache2 Web Server, MySQL and PHP 
> (LAMP).
>  
> We responded to these security incidents by changing the passwords of the regular user, root user, and MySQL database 
> user root. We have also examined /var/log/auth.log and think that the hacker could not have come in through ssh or 
> sftp over ssh. From /var/log/mysql/error.log, we can ascertain that the MySQL database has been deleted at certain 
> timings. We have also found nothing abnormal after examining /var/log/apache2/access.log.
>  
> Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was still able to delete our 
> customer's MySQL database again and again. I have already proposed to install ModSecurity Open Source Web Application 
> Firewall (WAF) to defend against web application attacks but my boss has told me to put that on hold at the moment. 
> In fact, I have already deployed ModSecurity 2.9.0 on a Ubuntu 16.04 LTS *Testing* server and found that it actively 
> detects and logs Nessus and sqlmap vulnerability scans in blocking mode.
>  
> Since we did not find any evidence that the hacker had breached our customer's Ubuntu 16.04 LTS production server 
> through ssh or Teamviewer, we suspect that the hacker could have achieved it by SQL injection. I took the initiative 
> of downloading and installing Nessus Professional 8.3.1 Trial version for Windows 64-bit. The vulnerability scan 
> report generated by Nessus Web Application Tests shows that our customer is using a version of phpMyAdmin prior to 
> 4.8.5 which could be vulnerable to SQL injection using the designer feature.
>  
> Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL injectable. I already have a Testing 
> Ubuntu 16.04 LTS Linux server with a Testing MySQL database and a Testing phpMyAdmin 4.8.4. I have purposely 
> installed phpMyAdmin 4.8.4 because this version was reported to be vulnerable to SQL injection using the designer 
> feature, and our customer is using a vulnerable version, according to CVE-2019-6798 ( 
> https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute sqlmap on our Ubuntu Linux 
> desktop against our Testing server.
>  
> No matter how many commands I try, sqlmap always report that phpMyAdmin 4.8.4 is *NOT* SQL injectable. Perhaps I was 
> using the wrong sqlmap commands all the time? The following is one of the many sqlmap commands I have used.
>  
> $ python sqlmap.py -u "https://www.EXAMPLE.com/phymyadmin/index.php?id=1"; --level=1 --dbms=mysql --sql-query="drop 
> database"
>  
> Replace database by database name.
>  
> May I know what is the correct sqlmap command that I should use to determine that my Testing phpMyAdmin 4.8.4 is SQL 
> injectable? I would like to know if I can successfully drop/delete the Testing database on our Testing server. If I 
> can successfully drop/delete the Testing MySQL database using sqlmap, I would be able to conclude that the hacker 
> must have carried out SQL injection to drop/delete the customer's database. I have already turned off the Testing 
> ModSecurity Web Application Firewall on our Testing server to allow sqlmap to go through.
>  
> Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not understand SQL injection well 
> enough. Our customer is also using a customised in-house inventory management system that relies on PHP application 
> and MySQL database.
>  
> Would open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) be able to detect and 
> block SQL injection as well?
>  
> Please advise.
>  
> Thank you very much.
>  
> -----BEGIN EMAIL SIGNATURE-----
>  
> The Gospel for all Targeted Individuals (TIs):
>  
> [The New York Times] Microwave Weapons Are Prime Suspect in Ills of
> U.S. Embassy Workers
>  
> Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
>  
> ********************************************************************************************
>  
> Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
> Qualifications as at 14 Feb 2019
>  
> [1] https://tdtemcerts.wordpress.com/
>  
> [2] https://tdtemcerts.blogspot.sg/
>  
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
>  
> -----END EMAIL SIGNATURE-----
>  
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>    To unsubscribe, send an email to:
>    snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Attachment: smime.p7s
Description:

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette