Admirer (Easy)
Last updated
Last updated
Vulnerable Exploit: Adminer 4.6.2 File Disclosure Vulnerability
System Vulnerable: 10.10.10.187
Vulnerability Explanation: Adminer versions up to (and including) 4.6.2 supported the use of the SQL statement LOAD DATA INFILE. It was possible to use this SQL statement to read arbitrary local files because of a protocol flaw in MySQL.
Privilege Escalation Vulnerability: Misconfigure privilege of user and Hijack Python Library
Vulnerability Fix: Upgrade to the latest version of Adminer. This vulnerability was fixed in Adminer version 4.6.3.
Severity: High
Step to Compromise the Host:
Let's start to enumerate each service if any of these services are either contain vulnerable versions or misconfigured.
Try to log in with anonymous it doesn't work as well as there is no interesting vulnerability for us.
As a result of the Nmap scan, we have found the file robots.txt and directory admin-dir.
By following the file robots.txt, we found some hints that directory /admin-dir contacts personal contacts and cred as well as username waldo. Unfortunately, we don't have permission to access it.
Let's start to enumerate and perform directory traversal by gobuster to check if there is any file or directory which we can access.
We have found the same as the hint provided by file contacts.txt and credentials.txt.
With all of these credentials, we found valid credentials for access to ftp service. On ftp service, we found 2 files dump.sql and html.tar.gz.
By enumerating on file dump.sql, we didn't see any interesting information. Then, extract the file html.tar.gz which contains some folders and files.
By enumerating on each file and folder, we found credentials stored on file index.php and /utility-scripts/db_admin.php.
As we didn't found any database port was open on nmap scan. Which mean that, there will be database web portal somewhere. By browsing folder utility-scripts we got Forbidden.
But while include info.php which we have downloaded from ftp service, we return back the info.
By searching on google for the machine's name, we found out that there is a database whose name is similar to our machine.
Then, we found the database login web page of adminer.php with version 4.6.2.
First, let's configure our MySQL on our kali machine. We will create a database name, username, and password, and allow the host to connect.
Create database, username, and password for the specific host.
Creating a table of the database name Testing.
Change configuration from allowing access only to the local host to any host connected to MySQL database.
After changing the configuration, we need to restart MySQL service.
Let's connect from the database web portal to our database with the credentials that we have created.
By executing the exploit SQL command to read file /var/www/html/index.php, it's going to query the row 123s
As we see the Query was executed. Let's get back to our database and display the table Testing. We found out there are other credentials with the same username as waldo.
For our previous credentials, we found it doesn't valid on the ssh service. But for this one, it's working on ssh. We can log in ssh to the machine and we got a shell on the machine.
Check for sudo -l to check if there is any misconfigure. We can run /script root privilege.
On file backup.py, we found that it's imported file shutil and make_archive function with 3 parameters (a, b, c).
Let's check on the file admin_tasks.sh and we found backup_web() functions which is interesting.
To exploit this misconfigure, we will create a reverse shell code and save it as shutil.py.
Let's start listening on port 5555 with netcat.
Then, we export the PYTHONPATH to our /tmp folder which we create file shutil.py. Next, we will run /opt/scripts/admin_tasks.sh with root privilege and select option 6 (Backup Web Data).
Once we executed admin_tasks script, it will run backup.py file and import our exploit code on shutil.py and execute our reverse shell command.
We found that Adminer 4.6.2 is vulnerable to file disclosure. at the end.
