
ReCaptcha in phpMyAdmin - activation, bypass and fix

Recently, while digging through the phpMyAdmin code, I discovered a captcha mechanism at the login step that, judging by the changelog, has been there for a long time. And not just any of the numerous services out there, but Google reCaptcha.
You can activate it in just a minute: go to www.google.com/recaptcha, get the private and public keys for your domain and enter them in config.inc.php in the settings $cfg['CaptchaLoginPrivateKey'] and $cfg['CaptchaLoginPublicKey'] respectively. That's all; after that the login page performs an additional check of the user.
Almost perfect protection against automated password guessing. "Almost", because the PMA developers, for the convenience of users, left a small gap in the script. If a person passes the reCaptcha test in the current session, it is no longer shown to them. That is, to run a standard brute force, an attacker needs to pass the test manually once and hand the session ID to the brute-force tool, after which the tool can work undisturbed.
Fixing this bug is simple. In the file /libraries/plugins/auth/AuthenticationCookie.class.php, find the lines

// We already have one correct captcha.
$skip = false;
if (isset($_SESSION['last_valid_captcha'])
    && $_SESSION['last_valid_captcha']
) {
    $skip = true;
}


and comment out the line "$skip = true;". Now reCaptcha will always be displayed.
And a small illustrative example of the bypass in Python + Selenium (PasteBin).
It works simply. If, on opening the PMA page, the script "sees" reCaptcha in its code, it creates a "Ready to go" checkbox on the page in the browser and waits for a human to tick it. Before ticking the checkbox, the person must pass the reCaptcha check. After that, the brute force proceeds as usual.
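To see what the fix changes, here is a small model of the skip logic that counts how many login attempts in one session are actually challenged, before and after the fix. This is an added example, not phpMyAdmin's own code: the function names and the $session array (standing in for $_SESSION) are hypothetical, and every password check is assumed to fail.

```php
<?php
// Added illustration, not phpMyAdmin code. $session is a stand-in for $_SESSION.

// Original behaviour: one solved captcha is remembered for the whole session.
function captchaRequiredOriginal(array $session): bool
{
    $skip = false;
    if (isset($session['last_valid_captcha'])
        && $session['last_valid_captcha']
    ) {
        $skip = true;
    }
    return !$skip;
}

// Behaviour after the fix described above: the assignment is commented out,
// so the captcha is required on every attempt.
function captchaRequiredPatched(array $session): bool
{
    $skip = false;
    if (isset($session['last_valid_captcha'])
        && $session['last_valid_captcha']
    ) {
        // $skip = true;
    }
    return !$skip;
}

// Run $attempts failed logins inside one session and count the challenges.
function countChallenges(callable $captchaRequired, int $attempts): int
{
    $session = [];          // constructed, empty session
    $challenges = 0;
    for ($i = 0; $i < $attempts; $i++) {
        if ($captchaRequired($session)) {
            $challenges++;
            // Assumption: the captcha is solved correctly, so the flag is set.
            $session['last_valid_captcha'] = true;
        }
        // Assumption: the password check fails here; the session stays alive.
    }
    return $challenges;
}

printf("original: %d of 100 attempts challenged\n",
    countChallenges('captchaRequiredOriginal', 100));
printf("patched:  %d of 100 attempts challenged\n",
    countChallenges('captchaRequiredPatched', 100));
```

With the original logic only the first attempt in a session is challenged; with the line commented out, every attempt is.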
P.S. The PMA developers have, of course, been informed.

Source: https://habr.com/ru/post/266173/

