
PhpMyAdmin background getshell (penetration test)

藏色散人 (forwarded)
2021-06-17 14:57:28

This article, from the phpMyAdmin tutorial column, introduces PhpMyAdmin background getshell (penetration test). I hope it will be helpful to friends in need!

PhpMyAdmin Introduction

PhpMyAdmin is a PHP-based, web-based MySQL database management tool that runs on the website host and lets administrators manage the MySQL database through a web interface. The web interface makes it easier to enter complex SQL syntax, especially when importing and exporting large amounts of data.

After collecting and probing the target information, if the phpmyadmin directory is found to exist (try: http://ip:port/phpmyadmin/) and the management background is then entered through a weak password (you can directly try account root with password root) or brute-force cracking, there are many ways to getshell.

into outfile export Trojan

If you want to plant a Trojan inside the website, the prerequisite is that you know the absolute path of the website. There are many ways to find it, such as obtaining the path from an error message or from phpinfo.php (please refer to another blog post: https://blog.csdn.net/weixin_39190897/article/details/99078864).

The most convenient way is to use select @@basedir; to check directly (but sometimes this does not reveal the path and you have to find another method):

According to the output above, we can see that MySQL is located in the D:\soft\phpStudy\MySQL\ directory.

After obtaining the website path, you can attempt to upload the Trojan. The most commonly used method is to write a one-sentence Trojan directly into the root directory of the website through into outfile:

select '' into outfile 'D:\soft\phpStudy\www\xxx.php';

But in newer versions of MySQL, this statement does not run successfully.

The newer MySQL feature secure_file_priv affects reading and writing files. This parameter is used to restrict import and export. We can use the show global variables like '%secure%'; command to view this parameter:

When secure_file_priv is NULL, MySQL is restricted and import and export are not allowed, so an error occurs. To make the statement export successfully, you need to modify the my.ini file in the MySQL folder and add secure_file_priv ="" under [mysqld]:

When secure_file_priv is set with no specific value, there is no restriction on import/export by mysqld, and the export command can be executed at this time.

Using Mysql log files

MySQL version 5.0 and above creates log files, and you can also getshell by modifying the global variables of the log. But you must also have read and write permissions on the generated log. (Note: my own test on Linux was unsuccessful due to permission issues.) First, let's introduce two MySQL global variables: general_log and general_log_file.

  1. general_log refers to the log saving status: ON means open, OFF means closed;
  2. general_log_file refers to the log save path.

Command to view the log status: show variables like '%general%';

In the above configuration, when general_log is turned on, the executed SQL statements will appear in the WIN-30DFNC8L78A.log file.

Then, if the value of general_log_file is modified, the executed SQL statements will be written to the new file instead, and this leads to getshell.

Correspondingly, the xxx.php file will be generated.

Write a one-sentence Trojan into the xxx.php file: SELECT ''

Then you can see the Trojan statement recorded in the log file:

Finally, China Chopper connects, getshell:
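
As an added example (not code from the original article), the following Python code shows how a defender could flag both techniques described above in a stream of SQL statements, for instance taken from a database audit log: INTO OUTFILE/DUMPFILE writes whose target has a web-executable extension, and changes that enable the general log or point general_log_file at such a file. The rule names, the extension list and the sample statements are constructed for illustration.

```python
import re

# Extensions a web server may execute; an assumption, extend for the stack in use.
SCRIPT_EXT = r"\.(?:php\d?|phtml|phar|jsp|aspx?)"
QUOTED_SCRIPT = r"['\"][^'\"]*" + SCRIPT_EXT + r"['\"]"
SET_GLOBAL = r"\bset\s+(?:global\s+|@@global\.)"

# Hypothetical rule names, one per behaviour described in the article.
RULES = [
    ("outfile-to-script",
     re.compile(r"\binto\s+(?:outfile|dumpfile)\s+" + QUOTED_SCRIPT, re.I)),
    ("general-log-to-script",
     re.compile(SET_GLOBAL + r"general_log_file\s*=\s*" + QUOTED_SCRIPT, re.I)),
    ("general-log-enabled",
     re.compile(SET_GLOBAL + r"general_log\s*=\s*(?:on\b|1\b|'on')", re.I)),
]

def classify(statement):
    """Return the names of all rules that one SQL statement matches."""
    return [name for name, rx in RULES if rx.search(statement)]

def scan(statements):
    """Return (line_number, rule_names, statement) for every flagged statement."""
    hits = []
    for n, stmt in enumerate(statements, 1):
        rules = classify(stmt)
        if rules:
            hits.append((n, rules, stmt))
    return hits

# Constructed sample statements (paths reuse the article's example layout;
# the string literal 'x' stands in for any written content).
SAMPLE = [
    r"show global variables like '%secure%'",
    r"select 'x' into outfile 'D:\soft\phpStudy\www\xxx.php'",
    r"SELECT id FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
    r"set global general_log = on",
    r"SET GLOBAL general_log_file = 'D:\soft\phpStudy\www\xxx.php'",
    r"set global general_log_file = 'D:\soft\phpStudy\MySQL\data\host.log'",
]

if __name__ == "__main__":
    for n, rules, stmt in scan(SAMPLE):
        print(n, ",".join(rules), stmt)
```

Ordinary exports to a data directory and log files with a .log name are not flagged, so the rules can run continuously against audit output with little noise.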


Statement:
This article is reproduced from csdn.net. If there is any infringement, please contact admin@php.cn for deletion.