Adminer File Disclosure

lfi, enum, foothold

Overview #

An attacker can point Adminer at a rogue MySQL server and read files from the machine hosting Adminer: Adminer is the MySQL client in that connection, and the MySQL protocol lets the server ask the client to send it a file of the server's choosing.

Protocol Flaw in MySQL #

The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)
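The following is an added defensive illustration, not code from this page or from rogue_mysql_server.py: a small Python parser over a constructed MySQL packet exchange that flags a server-initiated LOCAL INFILE request (payload type byte 0xFB) whenever the client's preceding statement was not a LOAD DATA LOCAL INFILE naming that same file. The packet bytes, file names and helper names are constructed for the example.

```python
import re

COM_QUERY = 0x03             # first payload byte of a client query packet
LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of a server "send me this file" packet

# The only statement that legitimately lets the server ask for a client-side file.
LOAD_DATA_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)

def build_packet(seq: int, payload: bytes) -> bytes:
    """Wrap a payload in MySQL framing: 3-byte little-endian length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def parse_packets(stream: bytes):
    """Split one direction of a MySQL stream into (sequence_id, payload) tuples."""
    packets, offset = [], 0
    while offset + 4 <= len(stream):
        length = int.from_bytes(stream[offset:offset + 3], "little")
        payload = stream[offset + 4:offset + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated MySQL packet")
        packets.append((stream[offset + 3], payload))
        offset += 4 + length
    return packets

def find_rogue_infile_requests(conversation):
    """conversation: list of ("client"|"server", raw bytes) in wire order.
    Returns one finding per server file request the client did not ask for."""
    findings, last_query = [], ""
    for direction, raw in conversation:
        for _seq, payload in parse_packets(raw):
            if direction == "client" and payload[:1] == bytes([COM_QUERY]):
                last_query = payload[1:].decode("utf-8", "replace")
            elif direction == "server" and payload[:1] == bytes([LOCAL_INFILE_REQUEST]):
                requested = payload[1:].decode("utf-8", "replace")
                match = LOAD_DATA_LOCAL.match(last_query)
                if match is None or match.group(1) != requested:
                    findings.append({"query": last_query, "requested_file": requested})
    return findings

# Constructed sample: a plain SELECT answered with a file request (rogue), then a genuine
# LOAD DATA LOCAL INFILE answered with the matching file name (benign).
SAMPLE_CONVERSATION = [
    ("client", build_packet(0, bytes([COM_QUERY]) + b"SELECT 1")),
    ("server", build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/path/on/client/host")),
    ("client", build_packet(0, bytes([COM_QUERY]) + b"LOAD DATA LOCAL INFILE '/tmp/rows.csv' INTO TABLE t")),
    ("server", build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/tmp/rows.csv")),
]
```

The durable fix is on the client side rather than in detection: a PHP client that keeps mysqli.allow_local_infile off never advertises the LOCAL INFILE capability, so the server's file request is refused regardless of which server Adminer is pointed at.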

Steps #

cd ~/data/tools
grep -E 'filename =' rogue_mysql_server.py
python2 rogue_mysql_server.py

References #