Created
November 1, 2017 23:02
-
-
Save tuxmartin/5c8ce35c7da9df83d93fff212caa099f to your computer and use it in GitHub Desktop.
Ukazka C wrapperu pro php SUID
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| martin@martin:/tmp/test$ cat test.php | |
| <?php | |
| touch("test.txt"); | |
| ?> | |
| martin@martin:/tmp/test$ cat some-php.c | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <sys/types.h> | |
| #include <unistd.h> | |
| int main (int argc, char *argv[]) { | |
| if (argc < 2) { | |
| return 1; | |
| } | |
| const char *php = "php"; | |
| argv[0] = (char*)php; | |
| return execv("/usr/bin/php", argv); | |
| } | |
| martin@martin:/tmp/test$ gcc some-php.c -o some-php | |
| martin@martin:/tmp/test$ sudo chown www-data:www-data some-php | |
| martin@martin:/tmp/test$ sudo chmod 4755 some-php | |
| martin@martin:/tmp/test$ chmod a+rw /tmp/test/ | |
| martin@martin:/tmp/test$ ls -lh | |
| celkem 20K | |
| -rwsr-xr-x 1 www-data www-data 8,5K lis 1 23:55 some-php | |
| -rw-r--r-- 1 martin martin 260 lis 1 23:49 some-php.c | |
| -rw-r--r-- 1 martin martin 29 lis 1 23:52 test.php | |
| martin@martin:/tmp/test$ php test.php | |
| martin@martin:/tmp/test$ ls -lh | |
| celkem 20K | |
| -rwsr-xr-x 1 www-data www-data 8,5K lis 1 23:55 some-php | |
| -rw-r--r-- 1 martin martin 260 lis 1 23:49 some-php.c | |
| -rw-r--r-- 1 martin martin 29 lis 1 23:52 test.php | |
| -rw-r--r-- 1 martin martin 0 lis 1 23:56 test.txt | |
| martin@martin:/tmp/test$ rm test.txt | |
| martin@martin:/tmp/test$ ls -lh | |
| celkem 20K | |
| -rwsr-xr-x 1 www-data www-data 8,5K lis 1 23:55 some-php | |
| -rw-r--r-- 1 martin martin 260 lis 1 23:49 some-php.c | |
| -rw-r--r-- 1 martin martin 29 lis 1 23:52 test.php | |
| martin@martin:/tmp/test$ ./some-php test.php | |
| martin@martin:/tmp/test$ ls -lh | |
| celkem 20K | |
| -rwsr-xr-x 1 www-data www-data 8,5K lis 1 23:55 some-php | |
| -rw-r--r-- 1 martin martin 260 lis 1 23:49 some-php.c | |
| -rw-r--r-- 1 martin martin 29 lis 1 23:52 test.php | |
| -rw-r--r-- 1 www-data martin 0 lis 1 23:56 test.txt | |
| martin@martin:/tmp/test$ rm test.txt | |
| martin@martin:/tmp/test$ ls -lh | |
| celkem 20K | |
| -rwsr-xr-x 1 www-data www-data 8,5K lis 1 23:55 some-php | |
| -rw-r--r-- 1 martin martin 260 lis 1 23:49 some-php.c | |
| -rw-r--r-- 1 martin martin 29 lis 1 23:52 test.php | |
| martin@martin:/tmp/test$ strace -e trace=process ./some-php | |
| execve("./some-php", ["./some-php"], [/* 59 vars */]) = 0 | |
| arch_prctl(ARCH_SET_FS, 0x7fd8a7509700) = 0 | |
| exit_group(1) = ? | |
| +++ exited with 1 +++ | |
| martin@martin:/tmp/test$ ls -lh | |
| celkem 20K | |
| -rwsr-xr-x 1 www-data www-data 8,5K lis 1 23:55 some-php | |
| -rw-r--r-- 1 martin martin 260 lis 1 23:49 some-php.c | |
| -rw-r--r-- 1 martin martin 29 lis 1 23:52 test.php | |
| -rw-r--r-- 1 www-data martin 0 lis 1 23:56 test.txt | |
| martin@martin:/tmp/test$ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment