[Maria-discuss] How do I determine if versions of phpMyAdmin before 4.8.5 are SQL injectable using sqlmap?
Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 are SQL injectable using sqlmap?

Good evening from Singapore,

Our customer (company name is confidential/not disclosed) reported that their MySQL database has been found missing or was deleted a few times. They are using an Ubuntu 16.04 LTS Linux server with Apache2 web server, MySQL and PHP (LAMP).

We responded to these security incidents by changing the passwords of the regular user, the root user, and the MySQL database user root. We have also examined /var/log/auth.log and think that the hacker could not have come in through ssh or sftp over ssh. From /var/log/mysql/error.log, we can ascertain that the MySQL database was deleted at certain times. We have also found nothing abnormal after examining /var/log/apache2/access.log.

Even though we have secured the Ubuntu Linux server by changing passwords, the hacker was still able to delete our customer's MySQL database again and again.

I have already proposed installing the ModSecurity open source Web Application Firewall (WAF) to defend against web application attacks, but my boss has told me to put that on hold at the moment. In fact, I have already deployed ModSecurity 2.9.0 on an Ubuntu 16.04 LTS *testing* server and found that it actively detects and logs Nessus and sqlmap vulnerability scans in blocking mode.

Since we did not find any evidence that the hacker had breached our customer's Ubuntu 16.04 LTS production server through ssh or TeamViewer, we suspect that the hacker could have achieved it by SQL injection. I took the initiative of downloading and installing the Nessus Professional 8.3.1 trial version for Windows 64-bit. The vulnerability scan report generated by the Nessus Web Application Tests shows that our customer is using a version of phpMyAdmin prior to 4.8.5, which could be vulnerable to SQL injection through the designer feature. Further research shows that I can use sqlmap to determine if phpMyAdmin is SQL injectable.

I already have a testing Ubuntu 16.04 LTS Linux server with a testing MySQL database and a testing phpMyAdmin 4.8.4. I purposely installed phpMyAdmin 4.8.4 because this version was reported to be vulnerable to SQL injection through the designer feature, and our customer is using a vulnerable version, according to CVE-2019-6798 ( https://nvd.nist.gov/vuln/detail/CVE-2019-6798 ). Then I proceeded to download and execute sqlmap on our Ubuntu Linux desktop against our testing server. No matter how many commands I try, sqlmap always reports that phpMyAdmin 4.8.4 is *NOT* SQL injectable. Perhaps I was using the wrong sqlmap commands all the time? The following is one of the many sqlmap commands I have used:

$ python sqlmap.py -u "https://www.EXAMPLE.com/phpmyadmin/index.php?id=1" --level=1 --dbms=mysql --sql-query="drop database"

(Replace database with the database name.)

May I know what is the correct sqlmap command that I should use to determine that my testing phpMyAdmin 4.8.4 is SQL injectable? I would like to know if I can successfully drop/delete the testing database on our testing server. If I can successfully drop/delete the testing MySQL database using sqlmap, I would be able to conclude that the hacker must have carried out SQL injection to drop/delete the customer's database. I have already turned off the testing ModSecurity Web Application Firewall on our testing server to allow sqlmap to go through.

Please point me to any good tutorial on SQL injection using sqlmap. Maybe I do not understand SQL injection well enough.

Our customer is also using a customised in-house inventory management system that relies on a PHP application and a MySQL database. Would the open source Snort Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) be able to detect and block SQL injection as well?

Please advise. Thank you very much.
-----BEGIN EMAIL SIGNATURE-----
The Gospel for all Targeted Individuals (TIs): [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019
[1] https://tdtemcerts.wordpress.com/
[2] https://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
-----END EMAIL SIGNATURE-----
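Editor's note on the question above, with an added example that is not part of the thread. The sqlmap command tests a parameter named id on index.php, but the flaw the Nessus report points at (CVE-2019-6798) lives in phpMyAdmin's designer feature, which sits behind the phpMyAdmin login, so an unauthenticated sqlmap run against index.php?id=1 cannot exercise it, and --sql-query only runs once an injection point has been found. For the incident itself the more useful check is whether the drop timings in /var/log/mysql/error.log line up with requests in /var/log/apache2/access.log: a DROP DATABASE submitted through phpMyAdmin by someone holding a valid password is an ordinary POST and will not look abnormal on its own. The script below does that correlation. It is editor's code, not from the post, sqlmap or phpMyAdmin; every log line in it is constructed, the error-log message wording is illustrative (only its timestamp is used), and the IP addresses, paths and the time window are assumptions.

```python
"""Line up database-drop timings from MySQL's error log with Apache access.log.

Added example for this thread (editor's code, not from the post, sqlmap or
phpMyAdmin). All log lines below are constructed; IPs, paths, times and the
correlation window are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format, the Ubuntu default for /var/log/apache2/access.log.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# MySQL 5.7 error-log prefix (log_timestamps defaults to UTC). Only the
# timestamp is used; which message your server writes on a drop varies.
ERRLOG_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)\s')

# Constructed sample: one client logs in to phpMyAdmin and submits a query;
# an unrelated client browses the inventory app shortly before and long after.
ACCESS_LOG = """\
203.0.113.7 - - [17/Apr/2019:16:49:40 +0800] "POST /phpmyadmin/index.php HTTP/1.1" 302 512 "-" "Mozilla/5.0"
198.51.100.2 - - [17/Apr/2019:16:49:50 +0800] "GET /inventory/item.php?sku=1001 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2019:16:49:55 +0800] "POST /phpmyadmin/import.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2019:16:50:01 +0800] "GET /phpmyadmin/index.php?db=inventory HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.2 - - [17/Apr/2019:17:30:02 +0800] "GET /inventory/item.php?sku=1002 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""
# Constructed sample: 08:49:56 UTC is 16:49:56 +0800, one second after the POST.
ERROR_LOG = """\
2019-04-17T08:49:56.102030Z 12 [Note] (constructed) database `inventory` dropped
"""


def parse_access(text):
    """Return one dict per parseable access.log line, timestamps timezone-aware."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of aborting
        rows.append({
            'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'client': m['client'], 'method': m['method'],
            'path': m['path'], 'status': int(m['status']),
        })
    return rows


def parse_drop_times(text, marker='drop'):
    """Return UTC timestamps of error-log lines whose text mentions the marker."""
    times = []
    for line in text.splitlines():
        m = ERRLOG_RE.match(line)
        if m and marker in line.lower():
            ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%S.%fZ')
            times.append(ts.replace(tzinfo=timezone.utc))
    return times


def correlate(access_text, errlog_text, before=120, after=5):
    """For each drop, collect requests from `before` seconds earlier to `after` later.

    Aware datetimes compare correctly across the +0800 / UTC mismatch between
    the two logs, so no manual offset arithmetic is needed.
    """
    requests = parse_access(access_text)
    results = []
    for drop in parse_drop_times(errlog_text):
        lo = drop - timedelta(seconds=before)
        hi = drop + timedelta(seconds=after)
        hits = [r for r in requests if lo <= r['ts'] <= hi]
        results.append({
            'drop': drop,
            'requests': hits,
            'phpmyadmin': [r for r in hits if '/phpmyadmin/' in r['path'].lower()],
            'clients': Counter(r['client'] for r in hits),
        })
    return results


if __name__ == '__main__':
    for res in correlate(ACCESS_LOG, ERROR_LOG):
        print('drop at', res['drop'].isoformat(), 'clients:', dict(res['clients']))
        for r in res['phpmyadmin']:
            print('  ', r['ts'].isoformat(), r['client'], r['method'], r['path'], r['status'])
```

Point it at the real files by reading them into the two strings. If a phpMyAdmin client shows up right before every drop, the question is who held that login, not whether sqlmap can find an injection on the test server. If nothing in access.log lines up, enable the MySQL general log (general_log=ON) or the binary log before the next incident: both record the DROP statement itself, and the general log records the user@host that issued it, which is the evidence that distinguishes an injection through the PHP application from a stolen password.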
On 17.04.19 at 16:50, Turritopsis Dohrnii Teo En Ming wrote:
Subject/Topic: How do I determine if versions of phpMyAdmin before 4.8.5 are SQL injectable using sqlmap?

frankly, are you drunk?

you posted this exact same message to

* phpmyadmin list TWICE
* oracle mysql list
* now mariadb list

i seriously looked if my mailserver has a problem - stop it, damn it!
Reindl's (funny) comments aside. Why still use phpMyAdmin in this day and age? Nearly every maria/percona/mysql client supports ssh tunneling. SequelPro on Mac, Heidi (or others) on Windows, and any windows client running through wine if your desktop/laptop is linux. Also developers can just use intellij or similar IDE's that have a database pane.

Trusting administration to an exposed phpMyAdmin in this day and age frightens me greatly. Also if you had an HIDS server running to track bad phpMyAdmin logins i bet there would be a ton of alerts. I've blocked all such attempts in my IPS even though i don't have phpMyAdmin.

I realize this does not answer your question, but if this fits into your architecture i'd say goodbye to that web interface.

my $.02

On Wed, Apr 17, 2019 at 10:54 AM Reindl Harald <h.reindl@thelounge.net> wrote:
On 17.04.19 at 18:55, Jeff Dyke wrote:
Reindl's (funny) comments aside. Why still use phpMyAdmin in this day and age? Nearly every maria/percona/mysql client supports ssh tunneling. SequelPro on Mac, Heidi (or others) on Windows, and any windows client running through wine if your desktop/laptop is linux. Also developers can just use intellij or similar IDE's that have a database pane.
Trusting administration to an exposed phpMyAdmin in this day and age frightens me greatly. Also if you had an HIDS server running to track bad phpMyAdmin logins i bet there would be a ton of alerts. I've blocked all such attempts in my IPS even though i don't have phpMyAdmin.
I realize this does not answer your question, but if this fits into your architecture i'd say goodbye to that web interface.

because it's nonsense to believe that you can manage to get everybody who probably needs to access mysql with his restricted account to learn how to use ssh tunnels

and you are plain wrong when you believe that handing out ssh tunnels into your network to every random monkey increases security

not to mention that he is obviously a 3rd party to a customer, where you have no say in that context

the problem is *exposing* phpMyAdmin to the whole world and asking stupid questions like which version before the latest one, instead of just updating it, and when you are too dumb to build packages for the target OS, hire someone who is capable of doing so or unpack that damned folder by hand
I appreciate your points, but i don't give them out to 'every random monkey', that would be completely against the setup I've chosen. Showing someone how to ssh-tunnel via putty is not hard, and is only once and can be documented. The people that i give ssh access to are managed centrally via a config mgmt system and they only have access to the bastion host, and are not users on any other host. Also they can only connect to mysql from that host (which really doesn't matter since they can't get to another host). And my point really mainly is for cloud infrastructures; if you're on a corporate network, hopefully the sysadmin has installed a VPN which can be used and then you can VPN to the network and connect like you're local, which you could also do in the cloud.

So IMHO it is much more secure, perhaps the way it's set up here, and again it's just my 2 cents. SSH tunnels to a bastion host that is not allowed to talk to another host will always be more secure than any phpMyAdmin configuration.

Again, i appreciate your point of view, but wanted to qualify some of my answers.

On Wed, Apr 17, 2019 at 1:18 PM Reindl Harald <h.reindl@thelounge.net> wrote:
i have yet to see the difference between SSH tunnels and all the administrative burden versus phpMyAdmin behind http-auth long before its native login

your stuff doesn't scale on a setup with external users, who for sure don't get ssh tunnels or, much worse, VPN access, and without external users the whole issue doesn't exist

On 17.04.19 at 19:30, Jeff Dyke wrote:
How can you say it doesn't scale when you have no idea how i'm set up. I had to add 5 users yesterday, took 5-10 (mostly talking to people) minutes. Using a config mgmt system i set up ssh and mysql in the same single call to multiple database servers; some users will have multiple logins based on the ability to read and the ability to write, which is based on the configured security group. It scales quite well indeed and i don't have to worry about a php application where security risks are more prone to come with each update. Also http-auth takes admin as well.

Aside from that, i'm done here. We obviously disagree, i'm strictly offering another view point and i happen to have the infrastructure in place to make it quick and simple (both additions and deletions), and why would i let external people access my database; in all the jobs i've had this has never been a requirement, and i'm old, but that doesn't mean it's not a requirement for some. You do what works for you and i'll do the same.

Best,
Jeff

On Wed, Apr 17, 2019 at 2:46 PM Reindl Harald <h.reindl@thelounge.net> wrote:
On 17.04.19 at 22:39, Jeff Dyke wrote:
How can you say it doesn't scale when you have no idea how i'm set up. I had to add 5 users yesterday, took 5-10 (mostly talking to people) minutes. Using a config mgmt system i set up ssh and mysql in the same single call to multiple database servers; some users will have multiple logins based on the ability to read and the ability to write, which is based on the configured security group. It scales quite well indeed and i don't have to worry about a php application where security risks are more prone to come with each update. Also http-auth takes admin as well.

yeah, explain to ordinary users how to get ssh certificates all day long, and don't come with "but for the tunnel password auth is enough" when you weaken the most crucial service on a system for a damned web application
On 17.04.19 at 22:43, Reindl Harald wrote:
yeah, explain to ordinary users how to get ssh certificates all day long, and don't come with "but for the tunnel password auth is enough" when you weaken the most crucial service on a system for a damned web application

and no, it's not only about how to make credentials, it's telling a random monkey "go to this URL" versus "you need this and that and a local native application", and that in 2019
I've done this and i'm doing this, it's not hard, everyone that needs db access can read a readme and give me a public key in a matter of seconds. I'll take SSH over http-auth and a freaking app that can drop tables/databases via a SQL injection bug any day of the week. Granted that could be from poor user management, as NO ONE has access to do anything destructive.

I really don't care if you don't believe me, b/c this process has been fluid with 0 issues since i started using it about 6 years ago. Oh and yesterday's users were 100% ordinary users (it doesn't get much more ordinary than marketing), they were added to the slave group with select only, and didn't get added to anything production related.

To your next email, phpMyAdmin will never be part of a production stack. I'll trust that you know how to handle your users and trust that I will do what i feel is best for me.

On Wed, Apr 17, 2019 at 4:43 PM Reindl Harald <h.reindl@thelounge.net> wrote:
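Editor's note with an added example that is not part of the thread. Jeff's two controls above, that no account can do anything destructive and that users reach MySQL only from one host, can be checked on the customer's existing server rather than argued about: dump SHOW GRANTS for every account and flag grants that carry DROP, ALTER or ALL PRIVILEGES, GRANT OPTION, or a wildcard host. The script below is editor's code, not Jeff's or Reindl's; the grant lines are constructed to look like SHOW GRANTS output, and the allowed-host list (localhost plus an assumed bastion at 10.0.0.5) is an assumption.

```python
"""Audit SHOW GRANTS output for accounts that could drop the database.

Added example for this thread (editor's code, not from the thread). The grant
lines are constructed to look like SHOW GRANTS output; the allowed-host list
(localhost plus an assumed bastion at 10.0.0.5) is an assumption.
"""
import re

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO "
    r"'(?P<user>[^']+)'@'(?P<host>[^']+)'(?P<rest>.*)$"
)
# Privileges that allow DROP DATABASE / DROP TABLE / ALTER on the granted scope.
SCHEMA_DESTRUCTIVE = {'ALL PRIVILEGES', 'ALL', 'DROP', 'ALTER'}

# Constructed sample, one grant per line as SHOW GRANTS prints them.
GRANTS = """\
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
GRANT ALL PRIVILEGES ON `inventory`.* TO 'inventory_app'@'localhost'
GRANT USAGE ON *.* TO 'marketing'@'10.0.0.5'
GRANT SELECT ON `inventory`.* TO 'marketing'@'10.0.0.5'
GRANT SELECT, INSERT, UPDATE, DELETE ON `inventory`.* TO 'inventory_app2'@'localhost'
GRANT SELECT ON `inventory`.* TO 'contractor'@'203.0.113.%'
"""


def parse_grants(text):
    """Parse GRANT statements into dicts; lines that are not grants are skipped."""
    grants = []
    for line in text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m['privs'].split(',')}
        grants.append({
            'account': "'%s'@'%s'" % (m['user'], m['host']),
            'host': m['host'],
            'scope': m['scope'],
            'privs': privs,
            'grant_option': 'WITH GRANT OPTION' in m['rest'].upper(),
        })
    return grants


def audit(grants, allowed_hosts=('localhost', '127.0.0.1', '10.0.0.5')):
    """Return one finding per (account, issue) that violates the least-privilege rules.

    wildcard-host : host pattern contains '%', reachable from anywhere matching it
    unexpected-host: host is fixed but not in the allowed list (assumed bastion/localhost)
    can-drop      : grant includes a privilege that permits DROP/ALTER on its scope
    grant-option  : account can hand its privileges to others
    """
    findings = []
    for g in grants:
        acct = g['account']
        if '%' in g['host']:
            findings.append({'account': acct, 'issue': 'wildcard-host', 'detail': g['host']})
        elif g['host'] not in allowed_hosts:
            findings.append({'account': acct, 'issue': 'unexpected-host', 'detail': g['host']})
        destructive = g['privs'] & SCHEMA_DESTRUCTIVE
        if destructive:
            findings.append({'account': acct, 'issue': 'can-drop',
                             'detail': '%s on %s' % (sorted(destructive), g['scope'])})
        if g['grant_option']:
            findings.append({'account': acct, 'issue': 'grant-option', 'detail': g['scope']})
    return findings


if __name__ == '__main__':
    for f in audit(parse_grants(GRANTS)):
        print('%-32s %-15s %s' % (f['account'], f['issue'], f['detail']))
```

To produce the input on a real server, generate the statements from the grant table, for example SELECT CONCAT("SHOW GRANTS FOR '", user, "'@'", host, "';") FROM mysql.user; and run each one. For the thread's incident the accounts that matter are the in-house PHP application's user and whatever phpMyAdmin logs in as: a DROP DATABASE needs the DROP privilege on that database, so an application user holding only SELECT, INSERT, UPDATE and DELETE cannot drop it even through an injection bug, and a root@'%' that phpMyAdmin is used with can drop it from anywhere with nothing more than the password.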
On 17.04.19 at 23:03, Jeff Dyke wrote:
I've done this and i'm doing this, it's not hard, everyone that needs db access can read a readme and give me a public key in a matter of seconds. I'll take SSH over http-auth and a freaking app that can drop tables/databases via a SQL injection bug any day of the week. Granted that could be from poor user management, as NO ONE has access to do anything destructive.
I really don't care if you don't believe me, b/c this process has been fluid with 0 issues since i started using it about 6 years ago. Oh and yesterday's users were 100% ordinary users (it doesn't get much more ordinary than marketing), they were added to the slave group with select only, and didn't get added to anything production related.

well, that's a completely different world from typical hosting; when you require public keys from that target audience, installing native apps, giving them only read access, you are just done, because you can hardly sell that to anybody
participants (3)
- Jeff Dyke
- Reindl Harald
- Turritopsis Dohrnii Teo En Ming