A while ago I participated in a private bug bounty program (let's name the domain milk.tld in this story). I did recon with assorted scripts, sub-domain finders and so on, and revealed several sub-domains; one of them was support, which redirected the user to the main domain's /login endpoint. I tested many vectors on that page but didn't find any flaw.
Afterward, I conducted a file-name brute force with wfuzz, using some word-lists, with the following syntax:
It turned up an interesting file named connect.php; after opening it, I saw the adminer.php script.
The common scenario is a brute-force attack against the Adminer login; I tried it but gained nothing.
With inspiration from the following articles:
I designed an attack scenario:
- Set up a MySQL server on a public IP address
- Connect Adminer to that MySQL server (now the user is logged in to Adminer)
- Read local files with the LOAD DATA LOCAL INFILE command, inserting the results into a table
I just filled in the Adminer login form with the server address and the credentials I had set up beforehand, and logged in successfully.
The right MySQL command to read files from the client's side is:
LOAD DATA LOCAL INFILE '/etc/passwd'
INTO TABLE test.test
FIELDS TERMINATED BY "\n"
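What makes this work is the client side of the protocol: the MySQL server answers a LOAD DATA LOCAL INFILE statement with a packet whose payload starts with the byte 0xFB followed by the filename it wants, and the client (here, the web server running Adminer) reads that file itself and sends it back. The snippet below is an added example, not code from the original post or from Adminer; it parses such a packet and applies the policy a hardened client should enforce before honouring the request: refuse unless LOCAL INFILE was explicitly enabled and the resolved path lies inside an allow-listed directory. The allow-list directory and the filenames are assumptions used as constructed sample input.

```python
import os

# MySQL wire packet: 3-byte little-endian payload length, 1-byte sequence id, payload.
# For a LOAD DATA LOCAL INFILE statement the *server* replies with a payload
# starting with 0xFB followed by the filename, and the *client* then reads that
# file and sends it back. A rogue server therefore reads files from whichever
# host runs the client (in this story, the web server hosting Adminer).
LOCAL_INFILE_REQUEST = 0xFB

def parse_packet(raw: bytes):
    """Split one MySQL packet into (sequence_id, payload)."""
    if len(raw) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return raw[3], payload

def local_infile_filename(payload: bytes):
    """Return the requested filename if this is a LOCAL INFILE request, else None."""
    if not payload or payload[0] != LOCAL_INFILE_REQUEST:
        return None
    return payload[1:].decode("utf-8", errors="replace")

def decide_local_infile(raw_packet: bytes, local_infile_enabled: bool, allowed_dirs):
    """Hardened-client policy for a server-initiated file read: (allowed, reason, filename)."""
    _, payload = parse_packet(raw_packet)
    name = local_infile_filename(payload)
    if name is None:
        return False, "not a LOCAL INFILE request", None
    if not local_infile_enabled:
        return False, "client did not opt in to LOCAL INFILE", name
    real = os.path.realpath(name)  # collapses ../ traversal before the check
    for d in allowed_dirs:
        base = os.path.realpath(d)
        if os.path.commonpath([real, base]) == base:
            return True, "path within allow-list", name
    return False, "path outside allow-list", name

def build_request(filename: str, seq: int = 1) -> bytes:
    """Constructed sample input: frame a LOCAL INFILE request the way a server would."""
    payload = bytes([LOCAL_INFILE_REQUEST]) + filename.encode()
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload
```

With `local_infile_enabled=False` (the safe default for a web-facing client) every request is refused regardless of path, which is the setting that neutralises the scenario in this write-up.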
YES! I had the capability of reading files by the mysql user. I went to read the Nginx configuration file. Each site has a configuration in /etc/nginx/sites-enabled/; however, I didn't know the filename. I created a list based on the company name and started brute-forcing the name. Luckily I found the configuration file (the filename was mil.tld, just a letter removed compared with the original domain, and there wasn't
The result was:
All I wanted was index.php, which confirmed the portal had been written in Laravel. Opening database.php revealed the connection credentials of the database:
I got all the databases with the credentials revealed: I connected to Adminer with those credentials and, consequently, had the databases. Unfortunately, the user didn't have the FILE privilege, so I didn't accomplish uploading a shell script via an INTO OUTFILE MySQL query. However, the main point is the Adminer script, which might result in pwning the server in similar cases. In comparison to phpMyAdmin, Adminer is less secure since it has a host field, which lets attackers conduct several attack scenarios pre-authentication. As an instance, revealing the real IP address of servers behind CDNs such as Cloudflare.