Adminer Script Results in Pwning the Server? A Private Bug Bounty Program

Yasho
Aug 11, 2018 · 3 min read

If an Adminer script is left on a server, the server will most likely be pwned soon. In this story I introduce a technique for exploiting an exposed Adminer script without valid credentials.

Recon

A while ago I participated in a private bug bounty program (let's call the domain milk.tld in this story). I did recon with various scripts, sub-domain finders and so on, which revealed several sub-domains; one of them, support, redirected the user to the main domain. I brute-forced paths on it with wfuzz using the following syntax:

https://support.milk.tld/FUZZ

This finally turned up a /login endpoint. I tested many vectors on the page but found no flaw. Afterwards I ran a file name brute force with wfuzz using several word-lists and found an interesting file named connect.php; opening it showed the adminer.php script.


The common scenario here is a brute force attack against the login form. I tried it, but gained nothing.

Attack Vector

Inspired by the following articles:

https://w00tsec.blogspot.com/2018/04/abusing-mysql-local-infile-to-read.html

https://phonexicum.github.io/infosec/sql-injection.html

I designed the following attack scenario:

  1. Set up a MySQL server on a public IP address (with local_infile enabled, since LOAD DATA LOCAL is refused otherwise)
  2. Point Adminer at that MySQL server with its credentials (the attacker is now logged in to Adminer)
  3. Read local files with LOAD DATA LOCAL INFILE, inserting the results into a table on the attacker's server

The Attack

I simply filled in the Adminer login form with the address and credentials of the MySQL server I had set up. Logged in successfully.


The MySQL statement that reads a file from the client side is the following. The client here is the web server running Adminer, not the attacker's machine, which is why the path is resolved on the target. The table (test.test) must already exist on the attacker's MySQL server; a single TEXT column is enough.

LOAD DATA LOCAL INFILE '/etc/passwd'   -- path is opened by the MySQL client, i.e. the Adminer host
INTO TABLE test.test
FIELDS TERMINATED BY "\n"              -- default field terminator is a tab; this keeps each whole line in one column

The result (screenshot in the original post): the lines of /etc/passwd from the Adminer host showed up as rows in test.test.

YES! I could read files with the privileges of the process running Adminer (the web-server user, since Adminer is the MySQL client here). Next I went for the Nginx configuration. Each site has a configuration file in /etc/nginx/sites-enabled/, but I didn't know the filename. I created a list based on the company name and started brute-forcing it. Luckily I found the configuration file (the filename was mil.tld, one letter short of the real domain, and there was no .conf extension):

/etc/nginx/sites-enabled/mil.tld

The result (screenshot in the original post) was the site's Nginx server block, including its root directive.

All I wanted was the root path. Reading index.php confirmed the portal was written in Laravel. Opening database.php revealed the database connection credentials (screenshot in the original post).


With the revealed credentials I connected to the real database through Adminer and had access to all the databases. Unfortunately, that user didn't have the FILE privilege, so I couldn't upload a shell with a SELECT ... INTO OUTFILE query (and even with FILE, secure_file_priv can restrict where OUTFILE may write). Still, the main point is the Adminer script itself, which can result in pwning the server in similar cases. Compared with phpMyAdmin, Adminer is less secure because its login form has a host field, which lets attackers carry out several attacks before any authentication: the target is made to connect out to an attacker-controlled server, which, for instance, reveals the real IP address of servers behind CDNs such as Cloudflare.

InfoSec Write-ups