ReCaptcha in PhpMyAdmin - Activation, Bypass and Fix
You can activate it in just a minute: go to www.google.com/recaptcha, get the private and public keys for your domain, and enter them in config.inc.php in the settings $cfg['CaptchaLoginPrivateKey'] and $cfg['CaptchaLoginPublicKey'], respectively. That's all; after that, an additional user check appears on the login page.
Almost excellent protection against automated password guessing. "Almost", because the PMA developers, for the sake of user convenience, left a small gap in the script: once a person passes the reCaptcha test in the current session, it is no longer shown to them. That is, to run a standard brute force, an attacker needs to pass the check manually once and pass the session ID to the brute-forcer; after that the brute-forcer can work undisturbed.
This bug is easy to fix. In the file /libraries/plugins/auth/AuthenticationCookie.class.php, find the lines
    // We already have one correct captcha.
    $skip = false;
    if (isset($_SESSION['last_valid_captcha'])
        && $_SESSION['last_valid_captcha']
    ) {
        $skip = true;
    }
and comment out the line "$skip = true;". Now reCaptcha will always be displayed.
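To check whether an installation already has this fix applied, the sketch below inspects the contents of AuthenticationCookie.class.php and reports whether a live "$skip = true;" still follows the last_valid_captcha check. It is an added example, not code from this post or from phpMyAdmin; the function names and status strings are assumptions, and the comment stripping is naive (it ignores string literals).

```python
import re
import sys

# Constructed sample: the block as quoted above (fix not applied).
UNPATCHED = """\
// We already have one correct captcha.
$skip = false;
if (isset($_SESSION['last_valid_captcha'])
    && $_SESSION['last_valid_captcha']
) {
    $skip = true;
}
"""

# Constructed sample: the same block with the line commented out.
PATCHED = UNPATCHED.replace("    $skip = true;", "    // $skip = true;")


def strip_php_comments(src):
    """Remove /* */, // and # comments (naive: ignores string literals)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(//|#).*", "", src)


def captcha_skip_status(src):
    """Classify the source as 'skip-active', 'skip-disabled' or 'not-found'."""
    code = strip_php_comments(src)
    check = re.search(
        r"\$_SESSION\s*\[\s*['\"]last_valid_captcha['\"]\s*\]", code)
    if not check:
        return "not-found"  # different version or layout: inspect manually
    # Only the body of the if-block that follows the session check matters.
    body = re.search(r"\{(.*?)\}", code[check.end():], flags=re.S)
    if body and re.search(r"\$skip\s*=\s*true\s*;", body.group(1)):
        return "skip-active"  # one solved captcha disables it for the session
    return "skip-disabled"


if __name__ == "__main__":
    # Usage: python check_skip.py /path/to/AuthenticationCookie.class.php
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(captcha_skip_status(fh.read()))
    else:
        print("unpatched sample:", captcha_skip_status(UNPATCHED))
        print("patched sample:  ", captcha_skip_status(PATCHED))
```

A "not-found" result means the block was not recognised, not that the file is safe.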
And a small illustrative example of a Python + Selenium workaround (PasteBin).
It works simply. When the script opens the PMA page and "sees" reCaptcha in its source, it creates a "Ready to go" checkbox on the page in the browser and waits for a person to tick it. Before ticking this box, the person must pass the reCaptcha test. After that, the password search proceeds as usual.
P.S. The PMA developers have, of course, been informed.