Adminer Script Results in Pwning the Server? A Private Bug Bounty Program

Yasho
Aug 11, 2018 · 3 min read

If an Adminer script is left on a server, the server will most likely be pwned soon. In this story I want to introduce a technique for exploiting an Adminer script without valid credentials.


Recon

A while ago I participated in a private bug bounty program (let's name the domain milk.tld in this story). I did recon with various scripts, sub-domain finders and so on, which revealed several sub-domains; one of them, support, redirected the user to the main domain. I ran a path brute force with wfuzz using the following syntax:

https://support.milk.tld/FUZZ

That finally turned up a /login endpoint. I tested many vectors on the page but didn't find any flaw. Afterwards I ran a file name brute force with wfuzz using several word-lists and found an interesting file named connect.php; opening it showed the adminer.php script.

The common scenario is a brute force attack on the login; I tried it, but gained nothing.


Attack Vector

Inspired by the following articles:

https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html

https://phonexicum.github.io/infosec/sql-injection.html

I designed an attack scenario:

  1. Setting up a MySQL server on a public IP address
  2. Connecting Adminer to that MySQL server (the user is now logged in to Adminer)
  3. Reading local files with the LOAD DATA LOCAL INFILE command and inserting the results into a table
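Step 3 only works because the PHP mysqli client that Adminer uses will hand over a local file when the server it connected to asks for one; in PHP that behaviour is governed by the mysqli.allow_local_infile ini directive, which newer PHP releases default to Off. As an added example from the defender's side, not part of this post or of Adminer itself, the following Python audit parses a php.ini fragment and reports whether that directive leaves the client exposed; the two ini snippets are constructed for the example, one in the weak state and one hardened.

```python
import re

# Constructed php.ini fragment (not from the post): the state in which a
# rogue MySQL server can pull client-side files through Adminer.
WEAK_PHP_INI = """
[mysqli]
mysqli.max_persistent = -1
mysqli.allow_local_infile = On
"""

# The same fragment with the directive explicitly switched off.
HARDENED_PHP_INI = """
[mysqli]
mysqli.max_persistent = -1
; Refuse LOAD DATA LOCAL INFILE requests from any server Adminer connects to.
mysqli.allow_local_infile = Off
"""

# Values php.ini treats as boolean true.
TRUE_VALUES = {"1", "on", "true", "yes"}


def parse_ini(text):
    """Minimal php.ini parser: returns {key: value}, skipping comments and sections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ';' comments
        if not line or line.startswith("["):     # blank line or [section]
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip("\"'").lower()
    return settings


def audit_php_ini(text):
    """Return a list of findings about mysqli.allow_local_infile (empty = fine).

    Assumption: an absent directive is reported as a finding, because on older
    PHP builds the default was On and the safe state should be explicit.
    """
    settings = parse_ini(text)
    value = settings.get("mysqli.allow_local_infile")
    if value is None:
        return ["mysqli.allow_local_infile is unset: set it to Off explicitly"]
    if value in TRUE_VALUES:
        return ["mysqli.allow_local_infile = %s: a rogue MySQL server can read "
                "client-side files via LOAD DATA LOCAL INFILE" % value]
    return []


def local_infile_allowed(text):
    """True if the mysqli client would honour a server's LOCAL INFILE request."""
    return bool(audit_php_ini(text))


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(name, audit_php_ini(ini) or ["ok"])
```

The same check belongs in a deployment pipeline: Adminer (or any PHP MySQL client reachable by untrusted users) should only ship with this directive off, and the audit makes the absent-directive case visible rather than silently relying on the PHP default.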

The Attack

I just filled in the Adminer login form with the address and credentials of the server I had set up before, and logged in successfully.

The MySQL command that reads files from the client's side is:

LOAD DATA LOCAL INFILE '/etc/passwd' 
INTO TABLE test.test
FIELDS TERMINATED BY "\n"

The result:

YES! I had the ability to read files as the mysql user. I went on to read the Nginx configuration. Each site has a configuration file in /etc/nginx/sites-enabled/, but I didn't know the filename. I created a list based on the company name and started brute forcing the name. Luckily I found the configuration file (the filename was mil.tld, just one letter short of the original domain, and it had no .conf extension):

/etc/nginx/sites-enabled/mil.tld

The result was:

All I wanted was the root path. Reading index.php confirmed the portal was written in Laravel. Opening database.php revealed the database connection credentials:

With the revealed credentials I got all the databases: I connected to Adminer with them and consequently had the databases. Unfortunately the user didn't have the FILE privilege, so I couldn't upload a shell script with an INTO OUTFILE MySQL query. However, the main point is that an exposed Adminer script can result in pwning the server in similar cases. Compared with phpMyAdmin, Adminer is less secure because it has a host field, which lets attackers carry out several attack scenarios pre-authentication. One instance is revealing the real IP address of servers behind CDNs such as Cloudflare.
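The pre-authentication weakness described above has a clear network signature from the defender's side: the web host opens an outbound MySQL connection to whatever host was typed into Adminer's server field, which a web tier with a fixed set of database servers should never do. As an added example (not from the post), this Python snippet runs that check over constructed iptables LOG lines for new outbound TCP connections; the allowlist of legitimate database hosts, the exact log format and the addresses are assumptions for the example.

```python
import re
import ipaddress

# Constructed iptables LOG lines (not from the post) for new outbound TCP
# connections leaving a web host; the field layout mirrors the kernel LOG target.
SAMPLE_LOG = """\
Aug 11 10:02:13 web1 kernel: OUT-NEW IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=44120 DPT=3306 SYN
Aug 11 10:02:15 web1 kernel: OUT-NEW IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=44128 DPT=3306 SYN
Aug 11 10:02:16 web1 kernel: OUT-NEW IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP SPT=44130 DPT=443 SYN
Aug 11 10:02:18 web1 kernel: OUT-NEW IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=44131 DPT=3307 SYN
"""

# Database hosts the web tier is expected to talk to (assumed for this example).
ALLOWED_DB_HOSTS = {ipaddress.ip_address("10.0.0.20")}

# Ports on which a MySQL-compatible server commonly listens.
MYSQL_PORTS = {3306, 3307, 33060}

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
REQUIRED = {"SRC", "DST", "PROTO", "DPT"}


def parse_line(line):
    """Extract source, destination, protocol and destination port from one LOG line.

    Returns None for lines that lack any required field or carry a malformed address.
    """
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED.issubset(fields):
        return None
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields["PROTO"],
            "dport": int(fields["DPT"]),
        }
    except ValueError:
        return None


def find_rogue_mysql_connections(log_text, allowed_hosts=ALLOWED_DB_HOSTS):
    """Return (destination, port) pairs for MySQL-port connections to non-allowlisted hosts.

    A hit means the web host (the Adminer client) reached out to a database
    server nobody provisioned, which is exactly what the host field enables.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in MYSQL_PORTS:
            continue
        if rec["dst"] in allowed_hosts:
            continue
        alerts.append((str(rec["dst"]), rec["dport"]))
    return alerts


if __name__ == "__main__":
    for dst, port in find_rogue_mysql_connections(SAMPLE_LOG):
        print("ALERT: web host connected to unexpected MySQL server %s:%d" % (dst, port))
```

The detection is deliberately allowlist-based rather than "public vs private address": an attacker's server can sit on a private address inside a compromised neighbouring network, so the only reliable rule is that the web tier may speak MySQL to the hosts you provisioned and nothing else. The same allowlist, enforced as an egress firewall rule, removes the technique entirely rather than only detecting it.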

Written by Yasho

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
