Vimattack: Get database credentials when changing config files on a 🐧 Linux server

Vimattack: Get database credentials when changing config files on a 🐧 Linux server

Summary:

When you edit files using Vim, it makes .swp files in the same directory as the files you are editing, and these files contain all changes you’ve made.

Vim is the favorite editor for most Linux users out there, but the .swp file that it creates while you are editing a file can be used by a third-party to get your database credentials.

So, as al long as the webserver allows requests to dotfiles and you know the location (directory) of the file that will be edited with Vim, you can exploit this vulnerability.

Proof of concept

Imagine a scenario when a Linux user whos favorite editor is Vim, just bought NewDomainName.com and you know they will be installing WordPress on it.

If you are familiar with WordPress, you’ll know that the credentials for the database are stored in a file called wp-config.php located in the public directory.

You can easily make a python script that will try to download https://newdomainname.com/-wp-config.php.swp every second. Leave the script running, and as soon as someone starts editing the wp-config file using Vim, you will succesfully download the swap file.

After downloading, to open the file you can use: vim -r .wp-config.php.swp

PoC Video from WebDevEtc.com

NOTE: In the example above, I’ve used WordPress just as an example, but this vulnerability has nothing to with WordPress but with Vim editor’s swap files. WordPress is used for this example just because it stores its configuration file inside the public directory.

See also  ⚠️ WSO 2.6 Shell 😲

🤯 Taking the above example one step further:

One can easily grab a BuiltWith list of the 30M websites running WordPress and make a python script that will scan them for .wp-config.php.swp files.

whoami
Stefan Pejcic
Join the discussion

I enjoy constructive responses and professional comments to my posts, and invite anyone to comment or link to my site.