This *should* work provided that you have met the following requirements:

1) A writable directory under documentroot to place those files (obviously)
2) You don't have proc_open in your disable_functions list
3) You are able to compile a shared library on the same platform as the target web server.

Here is the library code; compile it with: cc -o a.so -fPIC -shared a.c

a.c:
----

#include

echo "<pre>";
while (!feof($a)) {
    $b = fgets($a);
    echo $b;
}
fclose($a);
echo "</pre>";

?>

Why does that work?
-------------------

Because the PHP devs like to trust the environment, especially the dynamic loader variables.

If you have safe_mode enabled, you cannot execute anything except the binaries in the safe mode exec dir. They prepend a trailing slash to your command string and strip "..". Yet proc_open() lets you provide your own environment to pass to the new process. proc_open() executes "/bin/sh -c yourcommand", and even though "yourcommand" is invalid, the LD_PRELOAD variable is still passed to /bin/sh.

Then /bin/sh loads your "evil" library, and from there you can easily execute other commands, open files, etc.


The library in question overloads getuid() so that it takes input from a text file, executes it and writes the output into another text file.

This also works against open_basedir restrictions, since the library can be under the documentroot.

The only tough thing from an attacker's perspective is compiling the library on the same platform as the attacked system.

And it works on Linux only.

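As an added example (not code from the original post, and unrelated to how the library above works): a defensive PHP wrapper that strips dynamic-loader variables (LD_*, DYLD_*) from the environment before it reaches proc_open(), plus a check of whether proc_open() is actually listed in disable_functions. It assumes PHP 7.4+ (array command form, so no /bin/sh -c is involved); the function names and the sample path are my own.

```php
<?php
// Added example (not from the original post): hardening the environment that
// proc_open() forwards to a child, which is the control point the bypass abuses.

/** Drop environment entries that steer the dynamic loader (LD_PRELOAD, etc.). */
function strip_loader_vars(array $env): array
{
    $clean = [];
    foreach ($env as $name => $value) {
        if (preg_match('/^(LD_|DYLD_)/', (string) $name)) {
            continue;   // never forward LD_PRELOAD / LD_LIBRARY_PATH and friends
        }
        $clean[$name] = $value;
    }
    return $clean;
}

/** True if php.ini lists proc_open in disable_functions (or it is absent). */
function proc_open_disabled(): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array('proc_open', $disabled, true) || !function_exists('proc_open');
}

/**
 * Run a fixed argv with a sanitized environment. Passing an array command
 * avoids "/bin/sh -c"; passing $env replaces the inherited environment entirely.
 */
function run_with_clean_env(array $argv, array $extraEnv): string
{
    $env  = strip_loader_vars(array_merge(['PATH' => '/usr/bin:/bin'], $extraEnv));
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed input: an environment carrying an injected LD_PRELOAD (sample path).
$tainted = ['LD_PRELOAD' => '/var/www/html/a.so', 'LANG' => 'C'];
var_dump(strip_loader_vars($tainted));           // only LANG survives
if (!proc_open_disabled()) {
    echo run_with_clean_env(['/usr/bin/env'], $tainted);   // child sees no LD_PRELOAD
}
```

On a hardened host proc_open_disabled() should return true; where the function must stay enabled, every call site should go through a wrapper like run_with_clean_env() rather than passing caller-controlled $env straight to proc_open().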