Shulou(Shulou.com)06/01 Report--

This article shows you how to raise rights in phpMyadmin. The content is concise and easy to understand. It will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

0x00 definition

PhpMyAdmin is a database management tool based on PHP and constructed on the host of the website in the way of Web-Base, which allows managers to use Web interface to manage MySQL database.

0x01 environment preparation target: Windows Server 2003 Enterprise x64 Edition 192.168.17.137 attack plane: window7 192.168.17.132Php:5.45Mysql: 5.5.53Apache: 2.40x02 begins to infiltrate

We have learned that PhpMyadmin's account password is root root through weak passwords, explosions, directory leaks and other channels. Next, we will raise power through phpMyadmin, get as close to the truth as possible, and talk about more ideas.

A collect useful information

As shown in the figure above, we can get the following useful information.

1. The operating system is windows server 2003 x86

two。 The server is Apache 2.4.32

3. The default path to the website is E:\ phpStudy\ PHPTutorial\ WWW

The 4.PHP version is 5.45

The 5.mysql version is 5.5.53

B detect insertion condition

We have learned that the default path of the website is E:\ phpstudy\ PHPTutorial\ WWW, so we definitely want to insert a backdoor file or export shell at this time. So if we need to use one of the above two ideas, we must meet a prerequisite that the value corresponding to "secure_file_priv" cannot be empty and must be the path of the default website, so we must test the value of "secure_file_priv" in advance.

PhpMyadmin executes the following command:

SHOW VARIABLES LIKE "secure_file_priv"

The result is shown in the figure:

From the picture above, we know that the value is empty. If we import a sentence at this time, it will certainly fail. If you don't believe it, let's try it.

Error The MySQL server is running with the-- secure-file-priv option so it cannot execute this statement, because mysql restricts import and export through files, which is not allowed by default. The default value is null, which is disabled. If there is a folder directory, you are only allowed to change the files in the directory (not even the test subdirectory). Let's think about it and see if we can set its path to our default site path so that we can import a sentence back door. Let's give it a try.

You can see from the figure that this variable is a read-only variable that cannot be changed dynamically, so it can only be changed from the configuration file. To here found that fell into an alley, the conventional way is not good, we can use some coquettish ideas, the use of log log file to insert a sentence.

C conversion train of thought

The first thing we need to detect is the value of the MySQL global variable (general_log, general_log file).

General log refers to the saved state of the log. A total of two values (ON/OFF) ON means to enable OFF and to close.

General log file refers to the path where the log is saved.

You can see from the figure that general_log is turned off by default, and the location where log logs are stored is E:\ phpStudy\ PHPTutorial\ MySQL\ data\.

First of all, let's understand the function of turning on general_log. Turning on it can record every command entered by the user and save it in a log file under E:\ phpstudy\ PHPTutorial\ MySQL\ data\, which is actually what we often call a log file. OK, the idea of our use is to open general_log and change the value of general_log_file to a custom php file under the default path of our website, and then we write a sentence through the log log to it, and then make further use of it.

The specific orders are:

Set global general_log = "ON"; SET global general_log_file='E:/phpStudy/PHPTutorial/WWW/infos.php'

Next we can see that the pseudo diary file infos.php that we generated is found under the root path of the website.

Then we have to insert one of our words at the back door.

Select''

We can try to connect with a kitchen knife and connect successfully.

D get administrator password 0x00 get plaintext directly

We upload wce.exe to get the plaintext password. Lucky thief, get plaintext directly (11-digit alphanumeric combination of passwords). If you can't get the plaintext directly, you have to take the second way to get the hash value and decrypt it.

0x01 gets the hash value

Upload Pwdump7.exe to get the hash value and save it to the password.txt file. To get the hash value, you can choose to run online http://www.objectif-securite.ch/en/ophcrack.php. If you can't get out, use Ophcrack to import the rainbow watch to run.

E check whether 3389 is turned on

Type "netstat-an | find" 3389 "or" netstat-an "directly in the kitchen knife terminal.

Found that 3389 is not open, but 3390 is open, let's try to connect.

F login server

Run mstsc to open remote Desktop.

Enter the account number and password obtained above and log in successfully.

In the end, we must have a clear trace, but I won't write it here, and there are many thieves.

0x03 extension

The above demonstrates the case where the secure_file_ value is empty, so what should we do if the secure_file_priv is not empty?

A configure my.ini file (does not correspond to the root path of the site)

Open mysq's configuration file my.ini, set the value of secure_file_priv, and then restart mysql.

Secure_file_priv = "E:/phpStudy/PHPTutorial/MYSQL/"

Try to change the value and find that it is only readable and unwritable, and that situation cannot be written into our sentence because it restricts the export path and cannot be written and exported to the root of our website.

B configure my.ini file (corresponding to the root path of the website)

Open mysq's configuration file my.ini, set the value of secure_file_priv, and then restart mysql.

Secure_file_priv = "E:/phpStudy/PHPTutorial/WWW/"

Then we tried to insert a sentence at the back door and successfully inserted it.

Two words do not say kitchen knife connection.

Of course, a sentence can be inserted like this.

CREATE TABLE `mysql`.`informationes` (`inform`TEXT NOT NULL); INSERT INTO `mysql`.`informationes` (`inform`) VALUES (''); SELECT `inform`from `mysql`.`informationes` into outfile'eVarix pedicle phpStudyPLOPHPTutorialhand WWWinfos.phpimportationDROP table if exists `mysql`.`informationes`; (note: PHP is the absolute path of the website) c exports the php file of Shell with command permission

Select''into outfile'cVERGRON phpStudyPlus PHPTutorialUnixWWUnix test. Php'

The above content is how to raise rights in phpMyadmin. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.