first commit

adminer/CVE-2021-21311/README.md

@@ -0,0 +1,29 @@
+# Adminer Server-side Request Forgery on Error Page of Elasticsearch and ClickHouse (CVE-2021-21311)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Adminer is a tool for managing content in databases developed by PHP. It natively supports MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Elasticsearch and MongoDB.
+
+In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability on error page of Elasticsearch and ClickHouse. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
+
+References:
+
+- <https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6>
+- <https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf>
+- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml>
+
+## Vulnerable environment
+
+Execute following command to start a PHP server with Adminer 4.7.8:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can see the login page of Adminer at `http://your-ip:8080`.
+
+## Exploit
+
+Select the ElasticSearch as the system field, then input `example.com` into the server field. Click the login button, you will see the 400 response from `example.com`:
+
+![](1.png)

adminer/CVE-2021-21311/README.zh-cn.md

@@ -0,0 +1,27 @@
+# Adminer ElasticSearch 和 ClickHouse 错误页面SSRF漏洞（CVE-2021-21311）
+
+Adminer是一个PHP编写的开源数据库管理工具，支持MySQL、MariaDB、PostgreSQL、SQLite、MS SQL、Oracle、Elasticsearch、MongoDB等数据库。
+
+在其4.0.0到4.7.9版本之间，连接 ElasticSearch 和 ClickHouse 数据库时存在一处服务端请求伪造漏洞（SSRF）。
+
+参考连接：
+
+- <https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6>
+- <https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf>
+- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml>
+
+## 漏洞环境
+
+执行如下命令启动一个安装了Adminer 4.7.8的PHP服务：
+
+```
+docker compose up -d
+```
+
+服务启动后，在`http://your-ip:8080`即可查看到Adminer的登录页面。
+
+## 漏洞复现
+
+在Adminer登录页面，选择ElasticSearch作为系统目标，并在server字段填写`example.com`，点击登录即可看到`example.com`返回的400错误页面展示在页面中：
+
+![](1.png)

adminer/CVE-2021-21311/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ web:
+   image: vulhub/adminer:4.7.8
+   ports:
+    - "8080:80"

adminer/CVE-2021-43008/README.md

@@ -0,0 +1,32 @@
+# Adminer Remote Arbitrary File Read (CVE-2021-43008)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Adminer is a tool for managing content in databases developed by PHP. It natively supports MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Elasticsearch and MongoDB.
+
+Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
+
+References:
+
+- <https://github.com/p0dalirius/CVE-2021-43008-AdminerRead>
+- <http://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability>
+
+## Vulnerable environment
+
+Execute following command to start a PHP server with Adminer 4.6.2:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can see the login page of Adminer at `http://your-ip:8080`.
+
+## Exploit
+
+Start a roguo MySQL server through [mysql-fake-server](https://github.com/4ra1n/mysql-fake-server), then paste the `fileread_/etc/passwd` into username field:
+
+![](1.png)
+
+Receive the request and the `/etc/passwd` has been written into current directory:
+
+![](2.png)

adminer/CVE-2021-43008/README.zh-cn.md

@@ -0,0 +1,30 @@
+# Adminer远程文件读取（CVE-2021-43008）
+
+Adminer是一个PHP编写的开源数据库管理工具，支持MySQL、MariaDB、PostgreSQL、SQLite、MS SQL、Oracle、Elasticsearch、MongoDB等数据库。
+
+在其版本1.12.0到4.6.2之间存在一处因为MySQL LOAD DATA LOCAL导致的文件读取漏洞。
+
+参考链接：
+
+- <https://github.com/p0dalirius/CVE-2021-43008-AdminerRead>
+- <http://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability>
+
+## 漏洞环境
+
+执行如下命令启动Web服务，其中包含Adminer 4.6.2：
+
+```
+docker compose up -d
+```
+
+服务启动后，在`http://your-ip:8080`即可查看到Adminer的登录页面。
+
+## Exploit
+
+使用[mysql-fake-server](https://github.com/4ra1n/mysql-fake-server)启动一个恶意的MySQL服务器。在Adminer登录页面中填写恶意服务地址和用户名`fileread_/etc/passwd`：
+
+![](1.png)
+
+可见，我们已经收到客户端连接，读取到的文件`/etc/passwd`已保存至当前目录：
+
+![](2.png)

adminer/CVE-2021-43008/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ web:
+   image: vulhub/adminer:4.6.2
+   ports:
+    - "8080:80"