Getshell via phpMyAdmin SQL Execution in /import.php to Write

Source: Internet
Author: User
Tags: define function, php, regular expression
Directory

1. Vulnerability description
2. Vulnerability trigger conditions
3. Impact scope
4. Vulnerability code analysis
5. Defense methods
6. Attack and defense thinking

1. Vulnerability description

phpMyAdmin is a PHP-based MySQL database management tool that runs on the website host in a Web-Base architecture. It lets administrators manage MySQL databases through a web interface, which makes it much easier to enter complex SQL statements and, in particular, to import and export large amounts of data. One of its biggest advantages is that, like other PHP programs, phpMyAdmin runs on the web server, yet the HTML pages it generates can be used from anywhere, so a MySQL database can be managed remotely: databases and data tables can be created, modified and deleted with ease. phpMyAdmin can also generate common PHP syntax, which helps in checking the correctness of the SQL statements needed when writing web pages.


2. Vulnerability trigger conditions

1. The root password of phpMyAdmin is known, which is the root password of MySQL (phpMyAdmin is only a tool for connecting to MySQL through the web):
   1) MySQL's default weak password;
   2) the MySQL root password obtained through other vulnerabilities (such as injection).
2. The physical path of the website is known:
   1) on the "Variables" tab in the phpMyAdmin backend you can see the physical path of MySQL and deduce the physical path of the website from it;
   2) the physical path of the website is obtained through other web vulnerabilities.

The core of getshell through phpmyadmin is file write operations through SQL. The common SQL statements are as follows:

---- 1 ----
CREATE TABLE a (cmd text NOT NULL);
INSERT INTO a (cmd) VALUES('
');
SELECT cmd FROM a INTO OUTFILE 'C:/htdocs/1.php';
DROP TABLE IF EXISTS a;
DROP TABLE IF EXISTS `a`;
---- 1 ----

---- 2 ----
SELECT '
' INTO OUTFILE 'd:/wamp/www/exehack.php';
---- 2 ----

Relevant Link:

http://www.exehack.net/681.html
http://www.exehack.net/99.html
http://www.187299.com/archives/1695


3. Impact scope

All phpMyAdmin versions


4. Vulnerability code analysis

/phpMyAdmin/import.php

All the logic for processing user-defined SQL parsing and execution is implemented in this PHP file.

/* this code point is important: $import_text is the variable that needs to be checked strictly */
if ($go_sql) {
    // parse sql query
    include_once 'libraries/parse_analyze.inc.php';
    if (isset($ajax_reload) && $ajax_reload['reload'] === true) {
        $response = PMA_Response::getInstance();
        $response->addJSON('ajax_reload', $ajax_reload);
    }
    PMA_executeQueryAndSendQueryResponse(
        $analyzed_sql_results, false, $db, $table, null, $import_text, null,
        $analyzed_sql_results['is_affected'], null,
        null, null, null, $goto, $pmaThemeImage, null, null, null, $sql_query,
        null, null
    );
} else if ($result) {
    // Save a Bookmark with more than one queries (if Bookmark label given).
    if (! empty($_POST['bkm_label']) && ! empty($import_text)) {
        PMA_storeTheQueryAsBookmark(
            $db, $GLOBALS['cfg']['Bookmark']['user'],
            $import_text, $_POST['bkm_label'],
            isset($_POST['bkm_replace']) ? $_POST['bkm_replace'] : null
        );
    }
    $response = PMA_Response::getInstance();
    $response->isSuccess(true);
    $response->addJSON('message', PMA_Message::success($msg));
    $response->addJSON(
        'sql_query',
        PMA_Util::getMessage($msg, $sql_query, 'success')
    );
} else if ($result == false) {
    $response = PMA_Response::getInstance();
    $response->isSuccess(false);
    $response->addJSON('message', PMA_Message::error($msg));
} else {
    $active_page = $goto;
    include '' . $goto;
}


5. Defense methods

Checking the variable $import_text for malicious content before the SQL is executed is one defense against the getshell attack that writes files through SQL in phpMyAdmin.

if (preg_match("/select.*into.*(outfile|dumpfile)/sim", $import_text, $matches)) {
    echo "request error!" . "\n" . $matches[0];
    die();
}

Note that when using the PHP regular expression engine, the bypass risk in the line-feed scenario must be considered.
Note also that MySQL has many extension syntaxes, such as:

1. defining a stored procedure
2. defining a function
3. defining a trigger
4. using prepared statements to compile the SQL, for example:

   PREPARE stmt FROM 'select count(*) from information_schema.schemata';
   /* here the SQL statement to be compiled can also be converted to bypass the check */
   EXECUTE stmt;
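To make the defense above concrete, here is an added example (not code from the post or from phpMyAdmin, written in Python rather than PHP so it runs stand-alone) that applies the post's preg_match pattern with the same s/i/m flags to constructed statements, then adds a hypothetical extra rule for the PREPARE ... FROM case: a prepared statement whose source is anything other than a plain quoted literal (hex literal, CONCAT(), user variable) cannot be inspected by the regex and is rejected.

```python
import re

# Python translation of the post's PHP check:
#   preg_match("/select.*into.*(outfile|dumpfile)/sim", $import_text)
# PCRE /s == re.S (dot also matches newline), /i == re.I, /m == re.M
NAIVE_PATTERN = re.compile(r"select.*into.*(outfile|dumpfile)", re.S | re.I | re.M)

# Hypothetical extra rule (not on the page): PREPARE <name> FROM <source>
PREPARE_PATTERN = re.compile(r"\bprepare\s+\w+\s+from\s+(?P<src>.+?)\s*(;|$)", re.S | re.I)

# A plain single-quoted literal without embedded quotes can be inspected directly
PLAIN_LITERAL = re.compile(r"'[^']*'")


def naive_check(sql: str) -> bool:
    """The post's regex only: True if the statement looks like a file write."""
    return NAIVE_PATTERN.search(sql) is not None


def hardened_check(sql: str) -> bool:
    """The post's regex plus the PREPARE rule: reject any source the regex cannot read."""
    if naive_check(sql):
        return True
    for m in PREPARE_PATTERN.finditer(sql):
        src = m.group("src").strip()
        if PLAIN_LITERAL.fullmatch(src):
            if naive_check(src):
                return True
        else:
            # hex literal, CONCAT(...), CHAR(...), @variable: opaque, so reject
            return True
    return False


# Constructed sample statements (no real payloads); 0x73656c6563742031 is hex for "select 1"
SAMPLES = [
    "select cmd from a\ninto outfile '/tmp/a.txt'",   # split over lines; the /s flag still catches it
    "select 'x' into dumpfile '/tmp/a.txt'",
    "prepare s from 'select 1'; execute s;",           # readable literal, harmless
    "prepare s from 0x73656c6563742031; execute s;",   # opaque hex source, naive regex is blind
    "PREPARE s FROM @q; EXECUTE s;",                   # opaque variable source
    "select cmd from a",
]


def run_samples():
    """Return (statement, naive_verdict, hardened_verdict) for each sample."""
    return [(s, naive_check(s), hardened_check(s)) for s in SAMPLES]


if __name__ == "__main__":
    for sql, naive, hard in run_samples():
        print(f"naive={naive!s:5} hardened={hard!s:5} {sql!r}")
```

A pattern check of this kind is only a second line of defense: withholding the FILE privilege from the MySQL account phpMyAdmin uses and setting secure_file_priv remove the file-write primitive itself.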

Relevant Link:

http://php.net/manual/en/function.preg-match.php#111573
http://blog.sina.com.cn/s/blog_3fe961ae01013r8f.html

6. Attack and defense thinking

Copyright (c) 2014 LittleHann All rights reserved
