That was probably my first, most-memorable but not most-rewarding "evil" thing i done
Long time ago i was thinking: hmm, sessions and files are uploaded to the /tmp ...
That time i had hostingas.in hosting. So i wrote up simple PHP script, like a shell, to scan /tmp and other folders not blocked by open_base_dir ...
I was shocked to see:
All the session files and their contents. That allowed me to session hijack any account for hostingas.in, or other hosted site, extract passwords / usernames as many programs store it in the $_SESSION array;
Uploaded files (MYSQL database dumps, images, php files, emails and etc... who use /tmp as temporary storage)
I could rewrite session data, delete files, (i wonder how many users got pissed for getting logged out, loosing their files) and other stuff.
When i had my fun i told them to fix it. But guess what, after month a company was bought by another company and here we go again...
You can use this , i believe you can call this exploit, on many lower-middle quality shared hostings.
Moving on, i had scanned almost all system of hostingas.in as their open base dir restriction was not perfect, and using bugs / workarounds i could bypass that. You should check the version of Apache and PHP host is running and search info how to bypass it. Also search info about PERL hacks for /tmp. If you are lucky and you can execute the file - you have all power