The following is the tutorial column ofphpmyadminto introduce you to PhpMyAdmin background getshell (penetration test). I hope it will be helpful to friends in need!
PhpMyAdmin is based on PHP and structured in Web-Base. TheMySQL database management toolon the website host allows administrators to use the Web interface to manage the MySQL database. This web interface can be a better way to input complex SQL syntax in a simple way, especially when it comes to importing and exporting large amounts of data.
After collecting and detecting the target information, when it is found that the phpmyadmin directory exists (try:http://ip:port/phpmyadmin/
), then After entering the management background through a weak password (, you can directly try the account root password root) or brute force cracking, there are many ways to getshell.
If you want to insert a Trojan inside the website, the premise is that you have to know the absolute path of the website. There are many methods, such as obtaining the path by reporting an error, and passing phpinfo.php and so on (please refer to another blog post: https://blog.csdn.net/weixin_39190897/article/details/99078864).
The most convenient way is to useselect @@basedir;
to check directly (but sometimes you can’t find it out, you can only find other methods):
According to the above feedback, we can see that the location of MySQL is in theD:\soft\phpStudy\MySQL\
directory.
After obtaining the website path, you can attempt to upload the Trojan. The most commonly used method is to write a sentence of Trojan directly on the root directory of the website throughinto outfile
:
select '' into outfile 'D:\soft\phpStudy\www\xxx.php';
But in the new version In mysql, this sentence did not run successfully.
Mysql new featuressecure_file_priv
will have an impact on reading and writing files. This parameter is used to limit import and export. We can use theshow global variables like '%secure%';
command to view this parameter:
Whensecure_file_priv
is NULL, it means that Mysql is not restricted Import and export are allowed, so an error occurs. To make the statement export successfully, you need to modify themy.ini
file in the Mysql folder and addsecure_file_priv =""
to [mysqld]:
When the value ofsecure_file_priv
has no specific value, it means that there is no restriction on the import|export of mysqld, and the export command can be executed at this time.
Mysql version 5.0 and above will create log files, and you can also getshell by modifying the global variables of the log. But you must also have read and write permissions on the generated logs. (Note: The personal test on Linux was unsuccessful due to permission issues). First, let’s introduce two MySQL global variables:general_log
andgeneral_log file
.
Command to view log status:show variables like '%general%';
## In the above configuration, when general is turned on,
The executed sql statements will appear in theWIN-30DFNC8L78A.logfile
.
Then, if the value ofgeneral_log_file
is modified, the executed sql statement will be generated correspondingly, and then getshell will be generated.
Correspondingly, the xxx.php file will be generated
Write a sentence Trojan into the xxx.php file:SELECT ''
Then you can see the Trojan horse statements recorded in the log file:
Finally, China Chopper connects, getshell :
The above is the detailed content of PhpMyAdmin background getshell (penetration test). For more information, please follow other related articles on the PHP Chinese website!