first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
BIN
adminer/CVE-2021-43008/1.png
Normal file
BIN
adminer/CVE-2021-43008/2.png
Normal file
32
adminer/CVE-2021-43008/README.md
Normal file
@@ -0,0 +1,32 @@
# Adminer Remote Arbitrary File Read (CVE-2021-43008)
[中文版本(Chinese version)](README.zh-cn.md)
Adminer is a tool for managing content in databases developed by PHP. It natively supports MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Elasticsearch and MongoDB.
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
References:
- <https://github.com/p0dalirius/CVE-2021-43008-AdminerRead>
- <http://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability>
## Vulnerable environment
Execute following command to start a PHP server with Adminer 4.6.2:
```
docker compose up -d
```
After the server is started, you can see the login page of Adminer at `http://your-ip:8080`.
## Exploit
Start a roguo MySQL server through [mysql-fake-server](https://github.com/4ra1n/mysql-fake-server), then paste the `fileread_/etc/passwd` into username field:

Receive the request and the `/etc/passwd` has been written into current directory:

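Review bot: the Exploit step "Start a roguo MySQL server ... then paste the `fileread_/etc/passwd` into username field" leaves out the step the zh-cn README does give, namely filling the Server field with the rogue MySQL server's address; without it the login form never connects to the fake server, so add that to the English text. Fix the typo "roguo" to "rogue", drop the stray "the" before the backticked username ("paste `fileread_/etc/passwd` into the username field"), and reword "Receive the request and the `/etc/passwd` has been written into current directory" to something like "The fake server receives the connection and writes `/etc/passwd` into the current directory". In the environment section, "Execute following command" should read "Execute the following command". The summary line describes the issue only as Improper Access Control, while the zh-cn README attributes the read to MySQL `LOAD DATA LOCAL`; naming the mechanism here as well keeps the two files consistent.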
30
adminer/CVE-2021-43008/README.zh-cn.md
Normal file
@@ -0,0 +1,30 @@
# Adminer远程文件读取(CVE-2021-43008)
Adminer是一个PHP编写的开源数据库管理工具,支持MySQL、MariaDB、PostgreSQL、SQLite、MS SQL、Oracle、Elasticsearch、MongoDB等数据库。
在其版本1.12.0到4.6.2之间存在一处因为MySQL LOAD DATA LOCAL导致的文件读取漏洞。
参考链接:
- <https://github.com/p0dalirius/CVE-2021-43008-AdminerRead>
- <http://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability>
## 漏洞环境
执行如下命令启动Web服务,其中包含Adminer 4.6.2:
```
docker compose up -d
```
服务启动后,在`http://your-ip:8080`即可查看到Adminer的登录页面。
## Exploit
使用[mysql-fake-server](https://github.com/4ra1n/mysql-fake-server)启动一个恶意的MySQL服务器。在Adminer登录页面中填写恶意服务地址和用户名`fileread_/etc/passwd`:

可见,我们已经收到客户端连接,读取到的文件`/etc/passwd`已保存至当前目录:

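Review bot: the description "在其版本1.12.0到4.6.2之间存在一处因为MySQL LOAD DATA LOCAL导致的文件读取漏洞。" omits the fix version that the English README states ("fixed in version 4.6.3"); add it so both files give the same version information. The heading "## Exploit" is left in English while the previous heading "## 漏洞环境" is Chinese; use one language for the section headings in this file. The Exploit paragraph here does name both the server address and the username to fill in, which is the more complete wording; the English README should be brought in line with it rather than the other way round.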
6
adminer/CVE-2021-43008/docker-compose.yml
Normal file
@@ -0,0 +1,6 @@
version: '2'
services:
web:
image: vulhub/adminer:4.6.2
ports:
- "8080:80"
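Review bot: `version: '2'` is obsolete for the Compose v2 CLI that both READMEs invoke with `docker compose up -d`; Compose v2 ignores the attribute and prints a warning about it on every run, so the line can simply be dropped. The rest of the file is consistent with the documentation: `image: vulhub/adminer:4.6.2` pins exactly the version the READMEs describe as vulnerable, and the `"8080:80"` mapping matches the `http://your-ip:8080` URL given in both READMEs.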