Group 14 PHPMyAdmin Exploitation Project Report PDF
Abdulaziz Alassaf, Abdullah Aljaeidan, Abdulrahman Aldaeaj, Abdullah Albesher, Abdullah Almaghem
Summary
This report details a security vulnerability assessment of phpMyAdmin, a popular MySQL administration tool. It demonstrates the exploitation of the PHPMyAdmin default credentials vulnerability using tools like Nmap and Hydra. Vulnerabilities with weak credentials are highlighted as a significant risk and solutions are discussed for preventative measures.
Full Transcript
IS493 Exploitation Project Report, Group 14

Done by:
Abdulaziz Alassaf 443102192
Abdullah Aljaeidan 443101723
Abdulrahman Aldaeaj 443102297
Abdullah Albesher 44102638
Abdullah Almaghem 443102199

Introduction:

phpMyAdmin is a very popular, free application that offers a convenient web interface for MySQL and MariaDB database management. Although functional and handy, the default configuration of phpMyAdmin presents considerable risks unless it is updated or otherwise secured appropriately, mainly because there are several default credentials. The project targeted one of the most common misconfigurations in the Metasploitable 2 environment: the PHPMyAdmin Default Credentials Vulnerability. The vulnerability arises when administrators fail to change the default phpMyAdmin username and password, or set weak ones, leaving the application susceptible to brute-force attacks or unauthorized access.

The aim of this project was to show how an attacker can use this vulnerability with free tools: nmap for reconnaissance and Hydra for the actual brute force. In doing so, we gained administrative access to the phpMyAdmin interface and could explore the MySQL database beneath it. The project illustrates the risks of default configurations and weak credentials by showing how a critical system can be compromised by an attacker. It covers the technical details of the vulnerability, the steps taken during exploitation, the impact created, and the solutions proposed to mitigate such risks.

Vulnerability Details:

The vulnerability exploited in this project is the PHPMyAdmin Default Credentials Vulnerability, a security misconfiguration arising from weak or default credentials. It is a common problem in systems whose settings are not changed from their defaults upon deployment.

phpMyAdmin, being a web-based database management tool, usually comes with default credentials such as:
o Username: phpmyadmin, root, or admin
o Password: phpmyadmin, root, admin, or even left blank

phpMyAdmin is most commonly used to administer MySQL or MariaDB databases through a web browser. Upon installation, it may be configured with weak default credentials, which administrators forget to change. This allows attackers to log in with full administrative privileges over the database.

This vulnerability is especially dangerous because it:
o Gives attackers full control over the database.
o Can be exploited with simple brute-force or dictionary attacks.
o Serves as an entry point for further attacks on the application or the underlying system.

How the Vulnerability Works:

1. The phpMyAdmin application is exposed to the public over a web server such as Apache, running on port 80 of the host.
2. If the administrator has not changed the default credentials, an attacker can attempt to log on using those known credentials.
3. Tools like Hydra automate this process, testing combinations of usernames and passwords until a successful login is achieved.

Once logged in, the attacker can:
o Access or alter sensitive contents of the database.
o Insert malicious scripts or commands.
o Compromise other systems connected to the database.

This vulnerability is widely exploited because it requires little technical knowledge and the weakness is well known. The failure to secure phpMyAdmin demonstrates the critical need for proper configuration and credential management.

OS and Software Involved:

In this project, we used a virtualized environment to simulate an attacker-target scenario. The setup consisted of the following components:

1. Virtualization Platform
Tool: Oracle VirtualBox
VirtualBox was used to host the virtual machines for both the attacker (Kali Linux) and the target system (Metasploitable 2).
o Both machines were set up on a NAT network, ensuring connectivity while isolating them from external networks.

Here we can see the two VMs communicating through the "ping" command:

2. Attacker Machine
Operating System: Kali Linux
Purpose: Used for reconnaissance, vulnerability exploitation, and brute-forcing the phpMyAdmin interface.
Tools Used:
o Nmap: For scanning open ports and identifying running services.
o Hydra: To perform brute-force attacks on phpMyAdmin's login page.
o MySQL Client: For testing database access after exploitation.

3. Target Machine
Operating System: Metasploitable 2 (Ubuntu Linux)
Purpose: Metasploitable 2, an intentionally vulnerable Linux distribution, was used for security testing and penetration testing practice.
Vulnerable Software:
o phpMyAdmin: A web-based MySQL administration tool with a misconfiguration (default credentials), forming the focus of this exploit.
o MySQL Server: The database backend for phpMyAdmin, providing the target for the attack.
o Apache HTTP Server: Hosted the phpMyAdmin web interface on port 80.

Network Configuration:

NAT Network: Both virtual machines were configured on a NAT network within VirtualBox to ensure communication.
o Kali Linux: IP Address - 192.168.10.4
o Metasploitable 2: IP Address - 192.168.10.5
The NAT setup ensured controlled connectivity between the machines while preventing external interference.

Execution:

In this phase, we performed reconnaissance and exploitation of the PHPMyAdmin Default Credentials vulnerability. The steps involved scanning the target for open ports and services using nmap, followed by brute-forcing the phpMyAdmin login using Hydra.

Scanning Phase: Using Nmap

What is Nmap?
Nmap (Network Mapper) is an open-source tool widely used for network exploration and security auditing. It helps in identifying:
o Open ports.
o Services running on those ports.
o Operating system details.
In penetration testing, Nmap is a foundational tool for assessing the attack surface of a target machine.

What is Scanning for a Specific Port with Nmap?
When scanning a specific port, such as port 80, Nmap determines:
o Whether the port is open.
o The service running on the port.
o The version of the service.
Port 80 is critical as it handles HTTP traffic, often exposing web applications like phpMyAdmin.

Why Use Nmap?
Objective: To identify potential entry points into the target system.
Relevance: If port 80 is confirmed open and running phpMyAdmin, it becomes a focus for further attacks.
Information Provided by Nmap:
o Port status (open, closed, filtered).
o The service on the port (e.g., Apache HTTP Server).
o Version of the service (helps in detecting vulnerabilities).

Command Used for Scanning Port 80:
nmap -sV -p 80 192.168.10.5

Explanation of the Command:
o -sV: Enables detection of the service and its version.
o -p 80: Focuses the scan on port 80, saving time.
o 192.168.10.5: Specifies the target machine's IP address (Metasploitable 2).

Exploitation (Hydra Brute-Force Attack):

What is Hydra?
Hydra is a robust and fast password-cracking tool designed to automate brute-force attacks. It supports various protocols and services, making it ideal for testing authentication mechanisms for weaknesses by systematically trying multiple username and password combinations.

Why is Hydra Used?
Purpose: Hydra tests login pages or services where weak credentials could enable unauthorized access.
Capabilities:
o Supports multiple protocols like HTTP, SSH, FTP, and more.
o Utilizes wordlists for large-scale username and password testing.
o Automates the brute-forcing process efficiently.
Relevance to this Exploit:
o phpMyAdmin often has default or weak credentials (e.g., phpmyadmin, root).
o Hydra simplifies testing these combinations quickly to find valid credentials.

Steps to Perform Hydra Brute-Force Attack

Step 1: Prepare the Environment:
1. Ensure the target machine (Metasploitable 2) is running and accessible.
   o Target IP: 192.168.10.5
2. Identify the service to attack (HTTP POST form for phpMyAdmin).
3. Gather or create word lists:
   o Username file: /usr/share/wordlists/usernames.txt
   o Password file: /usr/share/wordlists/rockyou.txt

Step 2: Execute Hydra Command:
hydra -L /usr/share/wordlists/usernames.txt -P /usr/share/wordlists/rockyou.txt 192.168.10.5 http-post-form "/phpmyadmin/index.php:username=^USER^&password=^PASS^:Login failed"

o -L: Specifies the file containing usernames (e.g., /usr/share/wordlists/usernames.txt).
o -P: Specifies the file containing passwords (e.g., /usr/share/wordlists/rockyou.txt).
o 192.168.10.5: Target machine's IP address.
o http-post-form: Denotes the type of service being attacked (HTTP POST form).
o /phpmyadmin/index.php: Path to the phpMyAdmin login page.
o username=^USER^&password=^PASS^: Form fields for username and password. ^USER^ and ^PASS^ are replaced by Hydra with values from the wordlists.
o Login failed: String indicating a failed login attempt. Hydra uses this to differentiate valid and invalid credentials.

Step 3: Analyze Hydra Results:
Hydra systematically tests combinations from the wordlists. When valid credentials are discovered, they are displayed in the output. In our implementation we obtained the following results from running the Hydra brute-force command:

Mitigation and Prevention:

To mitigate the PHPMyAdmin Default Credentials vulnerability, it is crucial to replace default credentials with strong, unique ones and restrict access to trusted networks. Adding layers of security, such as account lockout policies, two-factor authentication, and enforcing HTTPS encryption, further enhances protection. Regular software updates, monitoring access logs, and properly configuring phpMyAdmin and MySQL can greatly reduce the risk of exploitation and unauthorized access.
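Monitoring access logs, listed above as a mitigation, can be made concrete. The following is an added example written for this page, not code from the report: it parses Apache combined-format access log lines from the target web server and flags any client that POSTs to the phpMyAdmin login page at least a threshold number of times within a one-minute window, which is what a wordlist run against the login form looks like from the defender's side. The log lines, client addresses and timestamps are constructed for the example; the login path, window and threshold are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, as the Apache front end of phpMyAdmin writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions for this example: default install path, 60 s window, 10 attempts.
LOGIN_PATH = "/phpmyadmin/index.php"
WINDOW = timedelta(seconds=60)
THRESHOLD = 10


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop query string
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, login_path=LOGIN_PATH, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per client IP that POSTed to the login page at least
    `threshold` times inside some span no longer than `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            attempts[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best["count"]):
                best = {
                    "ip": ip,
                    "count": n,
                    "first": recs[start]["ts"],
                    "last": recs[end]["ts"],
                    # Status codes seen in the burst; a change at the end of a
                    # long run of identical responses is worth a closer look.
                    "statuses": sorted({r["status"] for r in recs[start:end + 1]}),
                }
        if best:
            alerts.append(best)
    return alerts


def _line(ip, ts, method, path, status):
    """Build a constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one ordinary user (.7) and one client (.4) firing
# twelve login POSTs in 24 seconds, the last of which gets a different status.
SAMPLE_LOG = [
    _line("192.168.10.7", "12/Dec/2024:10:00:01 +0000", "GET", "/phpmyadmin/", 200),
    _line("192.168.10.7", "12/Dec/2024:10:00:05 +0000", "POST", "/phpmyadmin/index.php", 302),
] + [
    _line("192.168.10.4", f"12/Dec/2024:10:01:{i:02d} +0000", "POST", "/phpmyadmin/index.php", 200)
    for i in range(0, 22, 2)
] + [
    _line("192.168.10.4", "12/Dec/2024:10:01:24 +0000", "POST", "/phpmyadmin/index.php", 302),
]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']}: {a['count']} login POSTs between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S}, statuses {a['statuses']}")
```

The script deliberately does not decide which status code means a successful login, since that depends on the phpMyAdmin authentication mode; it reports the set of codes seen in the burst so the analyst can spot the one response that differs from the rest.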
Steps to Mitigate and Prevent Unauthorized Access:
o Change Default Credentials: Replace all default usernames and passwords immediately with strong, unique ones.
o Use Strong Passwords: Create passwords with a mix of upper- and lower-case letters, numbers, and special characters. Avoid easy-to-guess passwords like "admin123".
o Enable Account Lockout: Set up a system to lock accounts temporarily after multiple failed login attempts to prevent brute-force attacks.
o Use Two-Factor Authentication (2FA): Add an extra layer of security by requiring a second verification step during login.
o Restrict Database Permissions: Give users only the access they need. Avoid granting full administrative rights unless absolutely necessary.
o Rename the phpMyAdmin URL: Change the default URL (e.g., /phpmyadmin).
o Set IP Whitelisting: Allow access only from specific IP addresses that are known and trusted.
o Use Captcha on Login Pages: Add Captcha to phpMyAdmin login pages to slow down brute-force attempts.

Conclusion:

The PHPMyAdmin Default Credentials vulnerability is an example of a misconfiguration that can badly threaten a system if it is left in place. In this project, we demonstrated an exploit in which an attacker abuses accounts with default or weak passwords to gain access to phpMyAdmin, a commonly used tool for managing MySQL databases. Nmap was used during scanning to identify the open port hosting phpMyAdmin, and Hydra then carried out a brute-force attack on the account until the real credentials were discovered. We used this vulnerability to gain full access to the underlying database through phpMyAdmin. The problem is therefore very easy to exploit.

This project highlights the significance of employing secure measures to keep systems safe. Replacing the default passwords with strong and unique ones is an easy move, but it is a very important first step. Restricting network access to trusted hosts, account lockout policies, and two-factor authentication are additional barricades against brute-force attacks. Automated software updates and monitoring of access logs are good ways to detect unauthorized activity and stop it before major damage occurs.
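Several of the mitigation steps above (refusing blank passwords, not exposing the root account through the web interface, IP whitelisting, not leaving credentials stored in the configuration) correspond to per-server directives in phpMyAdmin's config.inc.php. The following added example, written for this page and not taken from the report or from the phpMyAdmin project, is a small audit script that parses those directives and reports the weak settings it finds, run against two constructed configuration fragments: one with the weak settings and one hardened. The directive names (auth_type, password, AllowNoPassword, AllowRoot, AllowDeny) are real phpMyAdmin settings; the finding identifiers, the sample fragments and the 192.168.10.0/24 allow rule are this example's own assumptions.

```python
import re

# Matches one per-server directive in phpMyAdmin's config.inc.php, e.g.
#   $cfg['Servers'][$i]['AllowNoPassword'] = false;
#   $cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
DIRECTIVE_RE = re.compile(
    r"^\s*\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\](?:\['(?P<sub>\w+)'\])?"
    r"\s*=\s*(?P<val>.+?);\s*$"
)

# Credentials the report lists as common phpMyAdmin defaults (blank included).
DEFAULT_CREDENTIALS = {"", "phpmyadmin", "root", "admin"}


def parse_value(raw):
    """Turn the PHP literal on the right-hand side into a Python value."""
    raw = raw.strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw  # arrays and anything else are kept as source text


def parse_config(text):
    """Return {'AllowRoot': False, 'AllowDeny.order': 'explicit', ...}."""
    settings = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            name = m.group("key") + ("." + m.group("sub") if m.group("sub") else "")
            settings[name] = parse_value(m.group("val"))
    return settings


def audit(text):
    """Return the list of finding identifiers for the weak settings present.
    Missing directives are judged by phpMyAdmin's shipped defaults:
    AllowNoPassword false, AllowRoot true, auth_type 'cookie', no AllowDeny order."""
    s = parse_config(text)
    findings = []
    if s.get("AllowNoPassword", False) is True:
        findings.append("blank-password-login-allowed")
    if s.get("AllowRoot", True) is True:
        findings.append("root-login-allowed")
    if s.get("auth_type", "cookie") == "config":
        # 'config' auth logs everyone in with the stored credentials, no prompt.
        findings.append("credentials-stored-in-config")
        if str(s.get("password", "")).lower() in DEFAULT_CREDENTIALS:
            findings.append("default-password-in-config")
    if not s.get("AllowDeny.order", ""):
        findings.append("no-ip-restriction")
    return findings


# Constructed weak fragment: stored root login with a blank password, open to all.
WEAK_CONFIG = """<?php
$i = 1;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['AllowRoot'] = true;
"""

# Constructed hardened fragment: interactive login, no blank or root logins,
# and (assumed) access only from the lab's trusted 192.168.10.0/24 network.
HARDENED_CONFIG = """<?php
$i = 1;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
$cfg['Servers'][$i]['AllowDeny']['rules'] = ['allow % from 192.168.10.0/24'];
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

The audit only covers settings that live in config.inc.php; the report's other steps (strong passwords for the MySQL accounts themselves, lockout, 2FA, captcha) are enforced elsewhere and would need their own checks.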