Adminer File Disclosure
Overview
An attacker can point Adminer at a rogue MySQL server and use the server-initiated LOAD DATA LOCAL file transfer to read files from the machine that runs Adminer (the victim), limited to whatever the Adminer process can read.
Protocol Flaw in MySQL
The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)
Steps
- Update rogue_mysql_server.py with the file you want to read and run it:
    cd ~/data/tools
    cat rogue_mysql_server.py | egrep 'filename ='
    python2 rogue_mysql_server.py
- Open Wireshark and filter for MySQL packets.
- Log in to Adminer and point it at the attacker's rogue MySQL server. The remaining fields can be any value.
- Go back to Wireshark and check the MySQL response from the victim.
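To make the check in the last step repeatable, here is an added example (not from the original page or the rogue server script) that parses a constructed MySQL conversation and flags a LOCAL INFILE request (payload byte 0xFB) that the client never solicited with a LOAD DATA LOCAL statement. That unsolicited request is the rogue-server signature to look for in the capture; the packet bytes and filenames below are constructed.

```python
COM_QUERY = 0x03             # first payload byte of a client query packet
LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of a server "send me this file" packet

def parse_mysql_packets(stream: bytes):
    """Split a raw MySQL byte stream into (sequence_id, payload) tuples."""
    packets, offset = [], 0
    while offset + 4 <= len(stream):
        length = int.from_bytes(stream[offset:offset + 3], "little")  # 3-byte LE length
        seq = stream[offset + 3]                                       # 1-byte sequence id
        payload = stream[offset + 4:offset + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated MySQL packet")
        packets.append((seq, payload))
        offset += 4 + length
    return packets

def find_unsolicited_infile_requests(conversation):
    """conversation: list of ("client"|"server", raw_bytes) in capture order.
    Returns (last_query, requested_filename) for every server file request
    that was not preceded by a client LOAD DATA LOCAL statement."""
    findings, last_query = [], None
    for src, raw in conversation:
        for _seq, payload in parse_mysql_packets(raw):
            if not payload:
                continue
            if src == "client" and payload[0] == COM_QUERY:
                last_query = payload[1:].decode("utf-8", "replace")
            elif src == "server" and payload[0] == LOCAL_INFILE_REQUEST:
                filename = payload[1:].decode("utf-8", "replace")
                solicited = (last_query or "").strip().upper().startswith("LOAD DATA LOCAL")
                if not solicited:
                    findings.append((last_query, filename))
    return findings

def mysql_packet(seq: int, payload: bytes) -> bytes:
    """Build one MySQL packet: 3-byte LE length, sequence id, payload (constructed helper)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed rogue exchange: a plain SELECT is answered with a file request.
ROGUE = [
    ("client", mysql_packet(0, b"\x03SELECT 1")),
    ("server", mysql_packet(1, b"\xfb/client/secret.txt")),
]
# Constructed benign exchange: the client actually asked for a local load.
BENIGN = [
    ("client", mysql_packet(0, b"\x03LOAD DATA LOCAL INFILE 'x.csv' INTO TABLE t")),
    ("server", mysql_packet(1, b"\xfbx.csv")),
]
```

Feeding the two capture directions of a real session into find_unsolicited_infile_requests gives the same verdict the manual Wireshark review in the last step is looking for.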