Adminer Script Results to Pwning Server?, Private Bug Bounty Program

If an Adminer script is left on a server, most likely the server will be pwned soon. In this story, I want to introduce a technique for exploiting an Adminer script without valid credentials.


Recon

A while ago I participated in a private bug bounty program (let's name the domain milk.tld in this story). I did recon with assorted scripts, sub-domain finders, etc., which revealed several sub-domains; one of them, support, redirected the user to the main domain. I ran a brute force against it with wfuzz using the following syntax:

https://support.milk.tld/FUZZ

Finally, I found the /login endpoint. I tested many vectors on that page but didn't find any flaw. Afterward, I ran a file-name brute force with wfuzz using some word-lists and found an interesting file named connect.php; after opening it, I saw the adminer.php script.

The common scenario is a brute-force attack; I tried it but gained nothing.


Attack Vector

Inspired by the following articles:

https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html
https://phonexicum.github.io/infosec/sql-injection.html

I designed an attack scenario:

  1. Setting up a MySQL server on a public IP address
  2. Connecting Adminer to that MySQL server (the user is now logged in to Adminer)
  3. Reading local files with the LOAD DATA LOCAL INFILE command, inserting the results into a table
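What makes step 3 work is that the client, not the server, opens the file: once Adminer has connected, the attacker's MySQL server answers a query with a LOCAL INFILE request naming whatever path it likes, and a client with local_infile enabled sends the file back. As an added defender-side example (Python written for this page, not code from the original post), the following parses a captured MySQL exchange and flags server file requests that the client's own query never asked for; all packets are constructed inline.

```python
import re

COM_QUERY = 0x03            # client command byte that starts a text query
LOCAL_INFILE_MARKER = 0xFB  # first payload byte of a server LOCAL INFILE request
LOAD_LOCAL_RE = re.compile(r"\bLOAD\s+DATA\s+(?:\w+\s+)*LOCAL\s+INFILE\s+'([^']*)'", re.I)

def packet(seq, payload):
    """Build one MySQL packet: 3-byte little-endian length, sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def split_packets(stream):
    """Yield (seq, payload) for every complete packet in a byte stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            break  # truncated trailing packet
        yield stream[pos + 3], payload
        pos += 4 + length

def audit_exchange(exchange):
    """exchange: (direction, raw_bytes) pairs in wire order, 'c' = client->server,
    's' = server->client. One finding per server LOCAL INFILE request, with
    whether the client's last query really asked to load exactly that file."""
    findings, last_query = [], ""
    for direction, raw in exchange:
        for _seq, payload in split_packets(raw):
            if direction == "c" and payload and payload[0] == COM_QUERY:
                last_query = payload[1:].decode("utf-8", "replace")
            elif direction == "s" and payload and payload[0] == LOCAL_INFILE_MARKER:
                requested = payload[1:].decode("utf-8", "replace")
                m = LOAD_LOCAL_RE.search(last_query)
                findings.append({"file": requested,
                                 "solicited": bool(m) and m.group(1) == requested})
    return findings

# Constructed sample: a harmless SELECT answered with a request for /etc/passwd
# (rogue-server behaviour), then a genuine LOAD DATA LOCAL answered correctly.
SAMPLE_EXCHANGE = [
    ("c", packet(0, bytes([COM_QUERY]) + b"SELECT 1")),
    ("s", packet(1, bytes([LOCAL_INFILE_MARKER]) + b"/etc/passwd")),
    ("c", packet(0, bytes([COM_QUERY]) + b"LOAD DATA LOCAL INFILE '/tmp/rows.csv' INTO TABLE t")),
    ("s", packet(1, bytes([LOCAL_INFILE_MARKER]) + b"/tmp/rows.csv")),
    ("s", packet(3, b"\x00\x00\x00\x02\x00\x00\x00")),  # ordinary OK packet, not flagged
]

if __name__ == "__main__":
    for f in audit_exchange(SAMPLE_EXCHANGE):
        print(f["file"], "expected" if f["solicited"] else "UNSOLICITED (rogue server?)")
```

The same check on the client side is simply to leave local_infile disabled in the MySQL client library Adminer runs on, so the server's request is refused regardless of who operates it.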

The Attack

I just filled the Adminer login form with the server address and the credentials I'd set up before, and logged in successfully.

The right MySQL command to read files from the client’s side is

LOAD DATA LOCAL INFILE '/etc/passwd'
INTO TABLE test.test
FIELDS TERMINATED BY "\n"

The result:

YES! I had the ability to read files via the mysql user. I went on to read the Nginx configuration. Each site has a configuration file in /etc/nginx/sites-enabled/, but I didn't know the filename. I created a list based on the company name and started brute-forcing the name. Luckily I found the configuration file (the filename was mil.tld, just one letter removed compared with the original domain, and without a .conf extension):

/etc/nginx/sites-enabled/mil.tld

The result was:

All I wanted was the root path. Reading index.php confirmed the portal was written in Laravel. Opening database.php revealed the database connection credentials:

With the credentials revealed, I had access to all the databases: I connected to Adminer with those credentials and, consequently, had the databases. Unfortunately, the user didn't have the FILE privilege, so I couldn't upload a shell script via an INTO OUTFILE MySQL query. However, the main point is the Adminer script, which might result in pwning the server in similar cases. In comparison to phpMyAdmin, Adminer is less secure since it has a host field, which lets attackers conduct several attack scenarios pre-authentication; for instance, revealing the real IP address of servers behind CDNs such as Cloudflare.