Exposed PHP session files
- February 21st, 2010
- Posted in PHP
- By Mr. Nerd
Today, I was searching for how phpMyAdmin converts BLOB strings to hexadecimal ones (which is accomplished with bin2hex(), by the way), so I looked around using the search term "sql_hex_for_blob".
What I was looking for: An answer as to how the conversion is made.
What I got: PHP session files.
There are actually servers on the net that expose their session.save_path directory to every visitor and even have directory listings turned on. And of those servers, some don't even set the access rights in a way that disallows reading the files. This is interesting in two ways:
- The session files might contain sensitive data (depending on the application using them); phpMyAdmin, for example, saves the query history in them, which gives an attacker a very good insight into the database structure for SQL injection.
- Even if the files themselves are not readable, the filename contains the session ID. As far as I know, PHP doesn't check the client's IP address against the session, so an attacker who knows the ID could potentially take over a running session.
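As an added example (not part of the original post), here is a small POSIX shell audit a server admin can run against the two conditions just described: a session directory that sits under the document root, and a directory or sess_* files that are world-readable. It assumes the save_path and document root are passed as arguments, and uses the "other" permission bits as a conservative proxy for what the web server user can read.

```shell
#!/bin/sh
# Audit a PHP session.save_path for the exposures described above:
# (1) the directory lies under the web document root, so it can be
#     listed or fetched over HTTP;
# (2) the directory is world-readable, so every session ID is listable;
# (3) sess_* files are world-readable, so their contents leak.
# Prints one finding per line; returns 0 if clean, 1 if anything was found.

other_readable() {
    # Read the "other" r bit from the ls mode string (works on GNU and BSD ls).
    case $(ls -ld "$1" | cut -c1-10) in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

audit_session_dir() {
    # $1: value of session.save_path (e.g. from: php -i | grep save_path)
    # $2: the web server's document root (e.g. /var/www/html)
    rc=0

    # Resolve both to physical paths so the prefix comparison is meaningful.
    save_path=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "session.save_path does not exist or is not accessible: $1"
        return 1
    }
    docroot=$(cd "$2" 2>/dev/null && pwd -P) || docroot=$2

    # Finding 1: a session directory under the document root is reachable by URL.
    case "$save_path/" in
        "$docroot"/*) echo "save_path $save_path is inside document root $docroot"; rc=1 ;;
    esac

    # Finding 2: a readable directory leaks every session ID via its listing,
    # even when the files themselves are protected.
    if other_readable "$save_path"; then
        echo "directory $save_path is world-readable (session IDs listable)"; rc=1
    fi

    # Finding 3: readable session files leak their contents (e.g. query history).
    for f in "$save_path"/sess_*; do
        [ -e "$f" ] || continue            # glob matched nothing
        if other_readable "$f"; then
            echo "session file $f is world-readable"; rc=1
        fi
    done
    return $rc
}
```

A clean result means the directory is outside the document root and neither it nor its files carry the "other" read bit; moving save_path out of the web root and setting it to 0700 for the web server user clears all three findings.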
I haven’t really worked out a Google query yet to search for these files, but I guess someone already has…
Update
I've looked around some more and haven't figured out a query that will gather all session files. But just take a variable name that is part of the session data of some widespread PHP app (e.g. phpMyAdmin), and you'll find lots of session files on Google.