Many posts have pointed out that a malicious MySQL server can use the LOAD DATA LOCAL command to read arbitrary files from MySQL clients. According to the (Chinese) article phpMyAdmin开启远程登陆导致本地文件读取 ("enabling remote login in phpMyAdmin leads to local file reads"), we can read arbitrary files on the phpMyAdmin server if $cfg['AllowArbitraryServer'] is enabled.
Online environment (phpMyAdmin 4.8.4 with AllowArbitraryServer enabled): https://github.com/vulnspy/phpmyadmin-4.8.4-allowarbitraryserver
VULNERABILITY DETAILS
Arbitrary file reading caused by LOAD DATA LOCAL is a long-standing problem. According to previous research, it exists in the following situations:
- MySQL Client
- PHP + mysql/mysqli
- PHP + PDO (MYSQL_ATTR_LOCAL_INFILE)
- Python + MySQLdb
- Python3 + mysqlclient
- Java + JDBC Driver
- ...
phpMyAdmin falls into the PHP + mysqli category, so this vulnerability can be used to read arbitrary files on the phpMyAdmin server if $cfg['AllowArbitraryServer'] is enabled: that setting lets the login form specify the MySQL host, so the mysqli client ends up connecting to a server the attacker controls.
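The wire-level behaviour the attack relies on, as an added example that is not part of the original post or of the linked rogue_mysql_server.py: a small Python detector that parses MySQL packets and flags a server-side LOCAL INFILE request (payload byte 0xFB) that the client's preceding query did not ask for. All function names are the example's own, and the packet contents and file paths below are constructed, not captured from a real server.

```python
import re

COM_QUERY = 0x03             # client command byte for a text query
LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of the server's "send me file X" packet

LOAD_LOCAL_RE = re.compile(  # client's own LOAD DATA LOCAL statement, capturing the file it named
    r"^\s*LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)

def build_packet(seq: int, payload: bytes) -> bytes:
    """Prepend the MySQL packet header: 3-byte little-endian length + 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def split_packets(stream: bytes):
    """Yield (seq, payload) for every packet in one direction of a raw byte stream."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        payload = stream[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated MySQL packet")
        yield stream[off + 3], payload
        off += 4 + length

def detect_rogue_infile(conversation):
    """conversation: ordered (direction, raw_bytes) pairs, "C" = client, "S" = server.
    Returns the file names the server asked for that the client never offered."""
    findings = []
    offered = None  # file the client named in its own LOAD DATA LOCAL, if any
    for direction, raw in conversation:
        for _, payload in split_packets(raw):
            if direction == "C" and payload and payload[0] == COM_QUERY:
                match = LOAD_LOCAL_RE.match(payload[1:].decode("utf-8", "replace"))
                offered = match.group(1) if match else None
            elif direction == "S" and payload and payload[0] == LOCAL_INFILE_REQUEST:
                requested = payload[1:].decode("utf-8", "replace")
                if requested != offered:  # e.g. a plain SELECT answered with a file request
                    findings.append(requested)
                offered = None
    return findings

ROGUE = [  # constructed sample: ordinary query, server answers with a file request
    ("C", build_packet(0, bytes([COM_QUERY]) + b"SELECT @@version_comment")),
    ("S", build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/tmp/constructed-secret.txt")),
]
LEGIT = [  # constructed sample: client itself asked to load the file the server requests
    ("C", build_packet(0, bytes([COM_QUERY]) + b"LOAD DATA LOCAL INFILE '/tmp/rows.csv' INTO TABLE t")),
    ("S", build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/tmp/rows.csv")),
]
```

`detect_rogue_infile(ROGUE)` returns `['/tmp/constructed-secret.txt']` while `detect_rogue_infile(LEGIT)` returns `[]`; the same mismatch check is what a client library enforces when its LOCAL INFILE option is disabled.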
EXPLOIT
Exploit script: https://github.com/Gifts/Rogue-MySql-Server/blob/master/rogue_mysql_server.py
Let's use VulnSpy's online phpMyAdmin environment to demonstrate:
1. Click the START TO HACK button in the upper right corner to create the online environments. After successful creation, two virtual environments are generated automatically:
- web: the phpMyAdmin service, our target
- db: the MySQL service, the hacker's server
2. Log in to the terminal of the hacker's server db:
1). Click the terminal icon on the control bar and select db
2). Click Connect to log in
3). Execute cd /root/exp/
4). Edit rogue_mysql_server.py, changing PORT = 3306 to PORT = 3307; filelist is the list of files to read
5). Execute python rogue_mysql_server.py to run the exploit service
6). Open phpMyAdmin, enter db:3307 as the server, vulnspy as the username and vulnspy as the password, and submit the form
7). Go back to the terminal and open the file mysql.log