//ipt.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
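/*
 * Set-uid helper: prints the caller's real and effective user IDs, swaps
 * them with setreuid(), then runs the fixed command "/sbin/iptables -L".
 *
 * The swap only has an effect when the binary is installed set-uid
 * (chmod u+s); without it the two IDs are normally already equal.
 *
 * Returns 0 on success, 1 if the ID swap or the command launch fails.
 */
int main(void)
{
    /*
     * In a set-uid program everything inherited from the caller is
     * untrusted. system() starts a shell that inherits the environment, so
     * the environment is replaced with an empty one before the command runs.
     */
    static char *empty_env[] = { NULL };
    extern char **environ;
    uid_t uid = getuid();
    uid_t euid = geteuid();
    int status;

    printf("my uid :%u\n", (unsigned)uid);   /* current real uid; diagnostic only */
    printf("my euid :%u\n", (unsigned)euid); /* current effective uid */

    /* Swap the two IDs. Fail closed: do not run the command if this fails. */
    if (setreuid(euid, uid)) {
        perror("setreuid");
        return 1;
    }

    printf("after setreuid uid :%u\n", (unsigned)getuid());
    printf("afer sertreuid euid :%u\n", (unsigned)geteuid());

    /*
     * stdout is block-buffered when it is a pipe (as under PHP); flush so
     * the diagnostics above appear before the command's own output.
     */
    fflush(stdout);

    environ = empty_env;

    /*
     * The command is a fixed literal with an absolute path. Never build
     * this string from caller-supplied data (arguments, environment,
     * request parameters): it is interpreted by a shell.
     */
    status = system("/sbin/iptables -L");
    if (status == -1) {
        perror("system");
        return 1;
    }
    return 0;
}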
gcc -o ipt -Wall ipt.c
设置 SUID 位
chmod u+s ./ipt
调用php代码
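<?php
// Runs the set-uid helper and renders what it printed as preformatted text.
//
// The command is a fixed literal: nothing from the request (query string,
// form fields, headers, cookies) may ever be concatenated into it.
// NOTE(review): the helper path is under /var/www/html; confirm whether that
// is the document root. A location outside the served tree is preferable
// for a set-uid binary.
$output = [];
$retval = null;

// exec() captures the output instead of streaming it, so it can be escaped
// before it reaches the page. Like system(), it returns the last output line.
$last_line = exec('/var/www/html/http/ipt', $output, $retval);

echo '<pre>';
// The helper's output is plain text, not markup: escape it for HTML.
echo htmlspecialchars(implode("\n", $output), ENT_QUOTES, 'UTF-8');
echo '
</pre>
<hr />Last line of the output: ' . htmlspecialchars((string) $last_line, ENT_QUOTES, 'UTF-8') . '
<hr />Return value: ' . (int) $retval;
?>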
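apache 的 uid 为 48。在 chmod u+s 生效的前提下,调用 setreuid 会将有效用户 id 和实际用户 id 互换,使 apache 进程当前的 uid 变为 0,这样就能执行 root 命令了。大家只需要更改 C 文件中 system 所要执行的命令,就可以实现自己的 PHP 执行 root 命令了。
注意:任何能够执行该文件的本地用户都会以 root 身份运行其中的命令。因此命令必须在 C 文件中写死并使用绝对路径,不要拼接任何来自请求的数据,同时把该文件的执行权限限制在 apache 所属的组。如果只需要固定的几条命令,通过 sudoers 为 apache 用户单独授权是权限更小、也更便于审计的做法。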
转载于:https://blog.51cto.com/norman20000/1978808