header-logo
Suggest Exploit
vendor:
PhpMyLogon
by:
Blake
9
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: PhpMyLogon
Affected Version From: 2
Affected Version To: 2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3
2010

PhpMyLogon SQL Injection

The PhpMyLogon application is vulnerable to SQL injection. By manipulating the username field during the login process, an attacker can bypass authentication and gain unauthorized access to the application. The vulnerable code retrieves user information from the database using a SQL query that is constructed with user-supplied input without proper sanitization or parameterization, allowing an attacker to inject malicious SQL statements. This vulnerability can be exploited by entering a specially crafted username, such as 'blake' or '1'='1' #', which will cause the query to return all records from the database, effectively bypassing the authentication check. This allows the attacker to log in as any user without knowing their password.

Mitigation:

To mitigate this vulnerability, the application should use parameterized queries or prepared statements to handle user input. This ensures that user-supplied data is properly sanitized and prevents SQL injection attacks. Additionally, the application should implement strong authentication mechanisms, such as using secure password hashing algorithms and enforcing password complexity requirements. Regular security testing and code review should also be performed to identify and address any potential vulnerabilities.
Source

Exploit-DB raw data:

# Exploit Title: PhpMyLogon SQL Injection
# Date: March 14, 2010
# Author: Blake
# Software Link: http://sourceforge.net/projects/phpmylogon/files/PhpMyLogon/PhpMyLogon%202/phpmylogon2.zip/download
# Version: 2
# Tested on: Windows XP SP3


Proof of Concept:
Enter the following for the username to login as the first user:
blake'  or '1'='1' #
and anything for the password.

Vulnerable Code:
        if(isset($_POST['submit'])) {
            if($_POST['username'] != "" AND $_POST['password'] != "") {
                // Check submitted data with data in database
                $sql = "SELECT id,username,password,cookie_pass,actcode,rank FROM `".$settings['db_table']."` WHERE username = '".$_POST['username']."' LIMIT 1";
                $query = mysql_query($sql);

Navigation

Suggest Exploit

Services By CQR