2025-01-31 Update. From: SLTechnology News&Howtos > Network Security. Shulou (Shulou.com), 05/31 report.
How can phpMyAdmin, phpinfo() and a webshell be combined into a simple bypass to get a shell? Many newcomers are not clear about this, so the following walkthrough explains it in detail for those who need it.
Information collection
Information collection turns up a phpinfo page.
It reveals a key piece of information, the web path: C:/ps/WWW
The first idea that comes to mind is to upload files in bulk to the temporary directory and then exploit a file inclusion vulnerability to get a shell.
First, test whether a temporary upload file exists:
Write a script that uploads a file and check whether the phpinfo output contains the temporary file information.
    import requests

    # Upload a small test file; phpinfo() echoes the details of the temporary upload file.
    files = {'file': ("aa.txt", "ssss")}
    url = "http://x.x.x.x/phpinfo.php"
    r = requests.post(url=url, files=files, allow_redirects=False)
    print(r.text)
The temporary file information was found in the output.
The subsequent attempt to exploit a race condition for the upload failed.
Testing for a file inclusion vulnerability then found none.
Further information collection then discovered phpMyAdmin and a weak password on the root user.
Testing shows that INTO OUTFILE is disabled in MySQL:
The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
Next, query general_log. When general_log is on, the server writes every query statement that MySQL executes afterwards into a file at the location you specify. The location of that file is determined by general_log_file. If we can turn this option on, we can first set the path to a PHP file and then execute the SQL statement SELECT';, which will insert the Trojan into the PHP file you specified.
So we can set general_log_file to a PHP file and then run a query containing a one-sentence Trojan to get a shell.
Vulnerability exploitation
Since the web path has been found in the previous phpinfo page, the following statement can be constructed:
SET global general_log_file='C:/ps/www/xiaoma.php'
While writing the webshell, it turned out that a directly constructed eval function fails on access: the error message roughly means that the content of the file has been changed to 0 lines, so the file is judged to have been detected and killed.
So change it slightly. As shown in the figure below, eval executes the supplied $an as a PHP statement, so as long as you assign a system command value to l, you can execute system commands.
Access it again. This time it was not killed.
Shell obtained:
Summary of ideas
Ideas for exploiting phpinfo are as follows:
1. Read the path of the uploaded temporary file from phpinfo to implement LFI + getshell.
https://www.pianshen.com/article/71091159796/
Ideas for exploiting phpMyAdmin are as follows:
1. Use the global variable general_log to get a shell
2. Use the slow query log (slow_query_log) to get a shell
3. Use the phpMyAdmin 4.8.x local file inclusion vulnerability to get a shell
https://www.icode9.com/content-3-218228.html
4. Write the file directly with SELECT ... INTO OUTFILE
https://www.lurbk.com/lur2774.html
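A defensive check for the log-file redirection described above, as an added example that is not part of the original article: it audits values shaped like SHOW GLOBAL VARIABLES output and flags a general or slow query log that has a script extension or sits under a web root, plus an empty secure_file_priv. The function name, the extension list and the sample values are assumptions constructed for illustration.

```python
import ntpath

# Extensions a PHP-enabled web server commonly executes (assumed list, adjust per site).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
LOG_VARS = ("general_log_file", "slow_query_log_file")

def _norm(path):
    # Windows-style comparison: case-insensitive, '/' and '\' treated alike.
    return ntpath.normcase(ntpath.normpath(path))

def _inside(path, root):
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")

def audit_mysql_logging(variables, web_roots):
    """Return (variable, reason) findings for a dict of MySQL global variables."""
    findings = []
    for name in LOG_VARS:
        path = variables.get(name) or ""
        if not path:
            continue
        # Flag the path even when logging is OFF: it may have been switched off after use.
        ext = ntpath.splitext(path)[1].lower()
        if ext in SCRIPT_EXTS:
            findings.append((name, "log file has script extension " + ext))
        if any(_inside(path, root) for root in web_roots):
            findings.append((name, "log file is inside a web root"))
    # An empty secure_file_priv places no restriction on file import/export.
    if variables.get("secure_file_priv") == "":
        findings.append(("secure_file_priv", "empty, file import/export unrestricted"))
    return findings

# Constructed sample values modelled on the walkthrough above.
TAMPERED = {
    "general_log": "ON",
    "general_log_file": "C:/ps/www/xiaoma.php",
    "slow_query_log_file": "C:\\ps\\MySQL\\data\\host-slow.log",
    "secure_file_priv": "C:\\ps\\MySQL\\Uploads\\",
}
BASELINE = dict(TAMPERED, general_log="OFF",
                general_log_file="C:\\ps\\MySQL\\data\\host.log")

if __name__ == "__main__":
    for name, why in audit_mysql_logging(TAMPERED, ["C:/ps/WWW"]):
        print(name, "->", why)
```

Feed it the real variable values on a schedule and alert on any finding; a change of general_log_file at runtime is rare in normal operation.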