Note: This method only works on Windows and wasn't discovered by me, but by one of the greatest web researchers I know; I just had to share it.
To test this, make sure you have a PHP version lower than 5.2.10 on a Windows machine.
Make sure your php.ini has safe_mode set to On, or simply enable it on the command line:
C:\xampp\php>php -n -d safe_mode=on -r "exec('notepad');"
The command “/notepad” is either misspelled or could not be found.
So what does that tell us? It looks like all safe_mode does is prepend a "/" to whatever input we give it (which would be bad on its own). Aside from the many other bypasses you might think of, one, for Windows only, can be used to bypass safe_mode: put a backslash in front of the command:
C:\xampp\php>php -n -d safe_mode=on -r "exec('\calc');"
Aside from many errors being generated, the code still gets executed and notepad will now pop up.
So our final payload to execute commands while safe_mode is 1 is:
It works with the exec(), passthru() and system() functions.
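As an added defender-side check (not part of the original post, and not PHP's own tooling), here is a small Python script that combines the three conditions the post describes: a PHP build below 5.2.10, safe_mode being relied on as a control, and exec()/passthru()/system() calls whose string-literal argument starts with a backslash. The sample PHP source and the function names audit() and find_backslash_shell_calls() are assumptions made for this example.

```python
import re

# Functions the post names as affected by the backslash bypass.
SHELL_FUNCS = ("exec", "passthru", "system")

# Matches exec('\cmd'), system("\cmd") or passthru(...) whose string-literal
# argument starts with a backslash (the bypass form shown in the post).
# Arguments built from variables are not covered; that is a known limitation.
_BACKSLASH_CALL_RE = re.compile(
    r'''\b(%s)\s*\(\s*(['"])(\\[^'"]*)\2''' % "|".join(SHELL_FUNCS))


def version_is_affected(version: str) -> bool:
    """True when the PHP version is below 5.2.10, the cut-off the post gives."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))          # "5.2" -> (5, 2, 0)
    return parts < (5, 2, 10)


def find_backslash_shell_calls(php_source: str):
    """Return (line_no, function, command) for each flagged call."""
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for m in _BACKSLASH_CALL_RE.finditer(line):
            hits.append((line_no, m.group(1), m.group(3)))
    return hits


def audit(php_version: str, safe_mode_on: bool, php_source: str) -> dict:
    """Combine the three conditions from the post into one verdict."""
    hits = find_backslash_shell_calls(php_source)
    return {
        "version_affected": version_is_affected(php_version),
        "safe_mode_relied_on": safe_mode_on,
        "suspicious_calls": hits,
        # Only a concern when safe_mode is the control being relied on and
        # the build predates the fix; on 5.2.10+ these are ordinary calls.
        "bypass_possible": safe_mode_on and version_is_affected(php_version)
        and bool(hits),
    }


# Constructed sample PHP source for the demo (not taken from the post).
SAMPLE_PHP = r"""<?php
$out = exec('\calc');
passthru('dir');
system('\notepad');
echo exec("ver");
"""
```

Running audit("5.2.9", True, SAMPLE_PHP) flags lines 2 and 4 and reports the bypass as possible; the same source under 5.2.10 or with safe_mode off is reported as not relying on the broken control.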