 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
into outfle |
 |
 Posted: Sun Oct 11, 2009 1:11 pm |
 |
|
| wokky |
| Regular user |
 |
|
| Joined: Oct 09, 2009 |
| Posts: 11 |
|
|
|
 |
|
 |
|
Hello all,
I found mysql root account, I can login via phpmyadmin and do eveything i want but now i want to take advantage of this and install a phpbackdoor.
So i tried something like this:
select '<?php *phpcode*?' INTO OUTFILE '/www/backdoor.php'
and i got:
Can't create/write to file '/www/backdoor.php' (Errcode: 13)
if i don't use path of course it works and copy the file into tmp folder
I am sure that the directory exists and this probably due to write permission.
So how can i bypass that.
sry bad english :/ |
|
|
|
|
|
|
|
|
| Posted: Sun Oct 11, 2009 6:59 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
It's all about Linux filesystem security and you can do only things, you are allowed to, unless you have some 0-day vulnerability in your possession.
Now, some things to try:
1. load_file() allows to read files, this can be useful.
2. try to find some web-accessible directory, which is writable to mysql.
Examples: avatars,cache, smilies,temp,data,files,pictures,upload, uploads.
Many webmasters are giving 777 permissions to some dirs, this can be exploited.
3. use load_file() for peeking into the php script sources. This may reveal additional security vulnerabilities, which can lead to further exploitation (insecure uploads, LFI, RFI, sql injections).
4. try to find LFI vulns and in case of success just write your php code to the tmp dir and use LFI for getting php-level access. |
|
|
|
|
|
|
|
|
| Posted: Sun Oct 11, 2009 7:20 pm |
|
|
| wokky |
| Regular user |
|
|
| Joined: Oct 09, 2009 |
| Posts: 11 |
|
|
|
|
|
|
|
| ye i tried to read some files successefully and i know where are directories writable by php but it doesn't works with mysql dunno why |
|
|
|
|
| Posted: Mon Oct 12, 2009 8:58 pm |
|
|
| wokky |
| Regular user |
|
|
| Joined: Oct 09, 2009 |
| Posts: 11 |
|
|
|
|
|
|
|
ok i dit it i found a directory to write but i got an another problem,
suPHP, safe mode ! impossible to execute the file, probably nothing to do about it |
|
|
|
|
| Posted: Mon Oct 12, 2009 9:49 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
| Posted: Tue Oct 13, 2009 6:21 pm |
|
|
| wokky |
| Regular user |
|
|
| Joined: Oct 09, 2009 |
| Posts: 11 |
|
|
|
|
|
|
|
| PHP Version 5.2.5-pl1-gentoo |
|
|
|
|
| Posted: Tue Oct 13, 2009 7:20 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
| Posted: Tue Oct 13, 2009 7:58 pm |
|
|
| wokky |
| Regular user |
|
|
| Joined: Oct 09, 2009 |
| Posts: 11 |
|
|
|
|
|
|
|
Well, suPHP test if the php file is execute by the right user.
in this case i wrote a file with mysql user so it cannot be executable by php
Look:
I tried a simple php without file/dir access file like that:
<?php echo 'test'; ?>
And it can't be executable. |
|
|
|
|
| Posted: Wed Oct 14, 2009 11:32 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| You can write arbitrary files to the web server, right? Then consider other ways to leverage attack: .htaccess, cgi, perl, python. |
|
|
|
|
| Posted: Fri Oct 16, 2009 7:26 am |
|
|
| wokky |
| Regular user |
|
|
| Joined: Oct 09, 2009 |
| Posts: 11 |
|
|
|
|
|
|
|
| ok, can you give me some exemples cause i don't know how to process |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 51
Members: 0
Total: 51
