How I Gained Access to Adminer (DBMS) via Leaked Credentials

Abdelrhman Amin
3 min read · Oct 11, 2023


In the name of God, the most gracious, the most merciful.
May Allah’s blessings and peace be upon our Prophet Muhammad.

Before we begin, I offer my prayers for my brothers in Palestine, asking for their unwavering strength and ultimate victory, as they currently endure the horrors of violent bombings in their homeland.

Greetings, fellow hackers! My name is Abdo Amin, known as uchihamrx. Today, I’m excited to share one of my recent discoveries on HackerOne within the VDP program. Although I typically don’t hunt on VDP, I decided to explore it when boredom struck. So, let’s skip the introductory chatter and dive right into the thrilling part of this story.

Please note that this is my first write-up, and I welcome your feedback if you spot any mistakes.

What is Adminer?

Adminer is a web-based database management tool used to manage and interact with relational databases. It offers a user-friendly interface for performing a variety of database-related tasks, such as database queries, table management, executing SQL commands, and more.

Recon Phase

In this phase, I performed some basic recon. I began by enumerating subdomains using Subenum and identifying live subdomains using Httpx. After the tools had completed their tasks, I selected one and discovered a login panel.

My initial attempts to find parameters for testing XSS and SQLi vulnerabilities didn’t yield any results. Undeterred, I proceeded to the next step: fuzzing to identify endpoints using ffuf with a public wordlist.

During the fuzzing process, one endpoint caught my attention as it returned a substantial response named debug.

I decided to investigate further and found that it contained a wealth of information, including logs, paths, and more. I performed a search using the keyword password, which directed me to a set of credentials for the MySQL database.

Before reporting my findings, I decided to return to the ffuf results, and to my surprise, I stumbled upon an endpoint named Adminer. I quickly navigated to it and discovered a login panel for the DBMS.

Using the credentials I had uncovered earlier, I successfully gained access to the Adminer DBMS system.
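One way a defender could spot this chain in web server access logs, as an added example that is not part of the original write-up: it parses a constructed set of combined-format log lines, flags clients that reached a debug or Adminer path with a successful status, and marks them as likely fuzzing when they preceded the hit with several 404s. The IPs, paths, and user agents are constructed samples, not from the program in the write-up.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Oct/2023:10:01:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "fuzzer"
203.0.113.7 - - [11/Oct/2023:10:01:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "fuzzer"
203.0.113.7 - - [11/Oct/2023:10:01:02 +0000] "GET /config HTTP/1.1" 404 153 "-" "fuzzer"
203.0.113.7 - - [11/Oct/2023:10:01:02 +0000] "GET /debug HTTP/1.1" 200 48211 "-" "fuzzer"
203.0.113.7 - - [11/Oct/2023:10:03:40 +0000] "GET /adminer HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Oct/2023:10:04:02 +0000] "POST /adminer HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Oct/2023:10:05:00 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths that should never answer successfully to the internet: exposed debug
# output and database admin panels (assumed names, adjust to your deployment).
SENSITIVE_PATHS = ("/debug", "/adminer", "/adminer.php")


def parse_line(line):
    """Return ip/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"],
            "path": m["path"].split("?")[0], "status": int(m["status"])}


def analyze(log_text, fuzz_threshold=3):
    """Per client IP: sensitive paths served with a non-error status, plus a
    fuzzing flag set when the client collected >= fuzz_threshold distinct 404 paths."""
    not_found = defaultdict(set)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]].add(rec["path"])
        elif rec["path"] in SENSITIVE_PATHS and rec["status"] < 400:
            hits[rec["ip"]].append((rec["method"], rec["path"], rec["status"]))
    return {ip: {"sensitive_hits": h, "fuzzing": len(not_found[ip]) >= fuzz_threshold}
            for ip, h in hits.items()}


if __name__ == "__main__":
    for ip, alert in analyze(SAMPLE_LOG).items():
        print(ip, alert)
```

The real fix is to keep debug output and Adminer off the public interface entirely; this check only tells you when that has already failed.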

I’ve submitted the report to the program, and it has been categorized as critical severity by the HackerOne triager. We are now in the process of awaiting the program’s review and acceptance.

Thank you for taking the time to read, and I hope it proves beneficial to you.

Feel free to connect with me on Twitter or LinkedIn.


Abdelrhman Amin

Penetration Tester | Bug hunter at HackerOne and Bugcrowd | cryptography lover