Rooting with php
Rooting with php
ghost | 4993 Reads | This is no hacking technique or something but it could help you in some cases.
I suppose many of you know of the php function file_put_contents(). You can easily create a file with this. But what porbably most of you won't know is that you can also create php scripts with this function that run under the root account of your apache server.
Let's begin shall we.
We got the following script:
file_put_contents($filename, $scriptcontent);
?>
This will create the following script:
Because the web server creates this script, it is owned by the web and when we examine the file better we'll see the following:
$ ls evilscript.php -rw-r–r– 1 nobody nobody xx Jan 1 00:00 evilscript.php
Apache usually runs as the user nobody for the record ;)
Because the script is owned by the web server it can edit eveything on it. The safe_mode directive in php does NOT offer protection for this behavior.
If this script has content to read e.g. the session data of another site stored on the server then you could read and modify everything! This is surely a risc in a shared hosting setup. You could also make a shell of the script and get root on the web server.
Another big risc is that you can easily get the source code of scripts stored on the server that aren't yours. Here's an example:
If I would specify to be for example admin.php or something like that then I would simply get the source of that file. And if it contains e.g. passwordhashes or something… I don't need to draw a picture with it do I ;)
I hope you've learned something of this article and find it useful.
- The_Cell
ghost 17 years ago
I tried this and it dosen't seem to work.
I put: ```markup <?php $filename="filereadingscript.php"; $contents="<?php header('Content-Type: text/plain'); readfile(index.php); ?>"; file_put_contents($filename, $contents); ?>
Into a script, and the script that it creates just shows:
"<br />
<b>Warning</b>: readfile() [<a href='function.readfile'>function.readfile</a>]: Unable to access indexphp in <b>/path/was/hidden/filereadingscript.php</b> on line <b>1</b><br />
<br />
<b>Warning</b>: readfile(indexphp) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: Invalid argument in <b>/path/was/hidden/filereadingscript.php</b> on line <b>1</b><br />"
ghost 17 years ago
I tried it on my localhost apache server with and without the quotes and it still dosen't work. It still gives the same error.
I am running Windows XP (unfortunatly) with Apache 2.2.2 and PHP 5.2.0-dev. Maybe this just dosen't work on Windows……
ghost 17 years ago
@Grindordie: Yeah I know sorry. nobody is the username of apache. This technique bypasses alot of the safeguards that the safe_mode directive provides. @mastergamer: try VMware Player with a vmx file of Suse or another linux distro. You can emulate linux this way on your windows box ;)
ghost 17 years ago
Wtf is the point with this article? You can talk about php shells as much as you want but how are you going to get the code on the server? You don't say a word about that. So this article is useless.
ghost 17 years ago
I quote myself "another site stored on the server". I thought it would be opbvious that I'm talking about a shared hosting environment where you have a site on the server and to get other people's source etc. If my article was useless it wouldn't get approved and then your comment would be even more contructive…